Some things just go together. Peanut butter and jelly. Gin and tonic. Bacon and more bacon. The same is true for security automation and orchestration. So much so that, the two often get used interchangeably. However, just like peanut butter will never actually be jelly, security orchestration and security automation aren’t the same thing.
Security orchestration at its simplest is the connection and integration of an ecosystem of cybersecurity technologies and processes. It is a concept that is seemingly more elusive – yet more necessary – for today’s SOCs than ever.
The vast majority of security operations centers typically have dozens of security tools to detect, investigate and remediate threats. Because organizations have a tendency to favor investing in best-of-breed tools, most teams are left to manage tools that don’t talk to one another. This in itself introduces a huge amount of inefficiency and wasted time as security analysts in enterprise organizations and managed security services providers (MSSPs) alike navigate multiple screens and learn a variety of systems to do their jobs effectively.
With multiple security tools comes a daily deluge of logs and alerts. The average enterprise sees 10,000 alerts per month, as a conservative estimate, and managed security services providers (MSSPs) find their analysts spending an average of five hours every single day just on the investigation of security alerts.
Added to the technology challenge is the dearth of documented security operations processes that is prevalent in many SOCs. Teams have become accustomed to relying on tribal knowledge and filling in the blanks on their own as they investigate, triage and remediate security events. And did we mention that most of these tasks are done manually? It’s no wonder why investigations take longer, steps get missed and each incident is handled differently. Security orchestration remedies these challenges by bringing together disparate tools so they work in concert with one another and by codifying and streamlining the processes that surround the technologies.
So, what does security orchestration actually do for security operations teams? We’re glad you asked. Six elements make up any good security orchestration solution.
Going beyond alerts
Context is everything when investigating a security alert. Let’s say you have a user who received a suspected phishing email. On its own, that alert doesn’t tell you much. You would have to put on your detective hat and start looking for other clues.
What IP did it come from?
Did any other users receive an email from the same IP?
What does threat intelligence say?
The list goes on and on.
The answer to each of these questions is vital to determine whether you’re looking at a true threat or a false positive. This is where security orchestration comes in. These platforms are able to apply context by aggregating relevant data from the various sources within your overall ecosystem to enrich individual alerts.
Working the case
With context applied, analysts are able to go from managing alerts from individual systems to investigating and remediating security issues at the case level. Managing cases can save security operations teams a huge amount of time since analysts will often be able to address multiple alerts within a single case, all in one location.
Continuing our suspected phishing example, security orchestration would allow the SOC to quickly analyze, triage and remediate across all entities that have the source IP in common. Let’s say it turned out 7 different people in the organization were hit with similar emails. SIEM alerts, user information, threat intelligence details, web logs, vulnerability data and more would all be grouped for the analyst to work as a single case, in a single location.
You know that scene in every cop show where the team stands in front of a board with pictures of evidence and suspects all mapped out using string and push pins? Security analysts roughly follow the same thought processes, often whiteboarding out the various steps, entities and relationships involved in a threat.
This would be an important step for the team investigating our phishing example, and a time-consuming one given the amount of manual effort involved. Using security orchestration, the team would be able to execute this type of interactive, highly visual investigation within the platform itself using graphs and timelines that deep dive into each element of the case.
Automate, automate, automate
Hey look – automation! We said automation and orchestration aren’t the same thing. However, automation plays a big role in any security orchestration construct. When automation is applied, actions typically taken by a security analyst are instead handled automatically. Automation can have a particularly positive impact when applied to security processes that are well defined and documented as playbooks.
Our team investigating the phishing emails would benefit from an automated playbook around that type of threat. Multiple steps in a phishing playbook – from gathering data and analyzing an attachment to querying or blacklisting hashes or URLs – can benefit from automation. The analyst is then left to manage the parts of the process that necessitate their expert attention and can close the case in a fraction of the time vs. doing each step manually.
Teamwork makes the dream work
Investigating and remediating cybersecurity incidents is rarely a solo effort. Tier 1 analysts often need to escalate to Tier 2 and Tier 3 personnel. Managers and CISOs require visibility and the ability to jump in when needed. And when there is a significant breach, other functions outside of the SOC – legal, HR, executive management – get involved. Security orchestration provides a mechanism for collaboration by breaking down not just silos between the various security technologies, but also by providing a hub for security processes and the people running them.
So, how’s it going?
As with any technology, security orchestration is only useful if it works as intended. Measurement and KPIs are notoriously tough for SOC teams – and that’s when they know what to measure and how to best extract reporting from their various tools. And it turns out, “we don’t think we’ve been breached today” isn’t an acceptable indicator of security team efficacy.
Inherently, security orchestration enables robust reporting and business intelligence because of the way it brings together disparate tools and processes. With clear line of sight to metrics, teams can identify ways to further improve day-to-day workflows to reduce response times and increase the number of cases they can address. And management is better equipped to demonstrate the ROI of the organization’s security investments.
Those in the know understand that security orchestration and its benefits stretch much further than simple automation to bring together the various tools and techniques used by security operations. Yes, it’s easy to see why orchestration and automation are used in the same breath – they certainly go together. And really, would you want one without the other?