In the security world, there’s a lot of talk about how automation can help IR and SOC teams save time and improve outcomes.
But automation doesn’t work in isolation. It isn’t a superhero that turns up and saves the day for overwhelmed security professionals.
In fact, automation shouldn’t even be considered until the proper groundwork has been laid.
That’s where security orchestration comes in.
The old adage goes that in security, the priority is always people first, then process, then technology.
If you have poorly trained people, or inadequate processes, no amount of technology will help your security teams keep the organization safe. Conversely, when you have great people and processes, that’s when technology can really take things to the next level.
It’s very much the same with security orchestration and automation. If your security program is well orchestrated, automation can have incredible results. But if your program is badly orchestrated, automation will just make things worse.
Security orchestration is about marshalling your people and processes (your “orchestra” — see what we did there?) to ensure everything is working together smoothly towards a common goal. The goal, naturally, being the continued security of your organization.
Again, security orchestration is not automation. Automation is great — and we’ll talk more about it next time — but it only works once the groundwork of security orchestration is in place.
The major components of security orchestration are processes (captured as playbooks), integration, and communication and documentation.
Let’s take a closer look.
One of the most common issues in security programs is over-reliance on individual heroics. You could argue that the cyber security skills gap makes this situation almost inevitable.
But what if there was a way to codify the knowledge and practices of your most experienced security professionals into a set of repeatable processes that even your newest recruits could follow? Sounds good, right?
Well, there is a way to do it. They’re called playbooks — a set of workflows that walk security personnel through the process of resolving common incidents and alerts. You can build playbooks using a SOAR platform, and once complete, they’ll help even your most junior team members work with the same level of proficiency and consistency as your top performers. This alone can have a tremendous positive impact on the time needed to upskill new recruits.
Naturally, building playbooks takes time. You need to identify your team’s best practices across a wide range of incident types, and agree a set of “ideal” processes that you’d like to be implemented every time one of those incidents crops up.
But believe us when we say that you will be more than paid back for the time you spend. At its heart, good security is about consistency — not individual heroics — and playbooks are exactly what you need to achieve it.
You know what doesn’t feature in good processes? Switching backwards and forwards between dozens of different security technologies.
How often do your analysts switch between platforms? At an absolute minimum, IR and SOC analysts constantly need to cross-reference information from technologies such as:
As we saw in the last post, many security teams are running dozens of security technologies in tandem. Naturally, switching back and forth between technologies to query different datasets and transfer information is a huge waste of analyst time. Even a two-minute process can waste hours each week if it has to be repeated regularly.
Take a simple process, like querying a suspicious IP address on a threat intelligence platform, and copying the results into an IRP. On average, this process might take a couple of minutes at most.
But what if you have 3 analysts? And what if — between them — they have to repeat this process 100 times over the course of a week? 2 minutes x 100 times per week = 200 minutes, or 3 hours 20 minutes.
That's 173 hours 20 minutes per year, or 4.3 weeks of analyst time wasted every year just on one bad process.
This is why integration is an essential component of security orchestration. In our example, if the IRP and TI platform were integrated, all of this could be done in seconds with a simple query.
Note that this isn’t even automation we’re talking about — it’s just integration. Still, the potential time savings and reduced opportunity for human error are huge. Not only that: by having strong processes and integrations in place, we’re laying the groundwork for automation further down the line.
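To make the playbook and integration ideas above concrete, here is an added example (not code from the original post or from any SOAR product) that codifies the “look up a suspicious IP, record the result in the IRP” process as a playbook. The TI feed, the Incident class and all indicator values are constructed stand-ins; a real deployment would swap ti_lookup_ip for your TI platform’s own client.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Constructed stand-in for a threat intelligence platform (not a real API or feed).
TI_FEED = {
    "203.0.113.45": {"verdict": "malicious", "tags": ["c2", "botnet"], "score": 92},
    "198.51.100.7": {"verdict": "benign", "tags": [], "score": 3},
}

def ti_lookup_ip(ip: str) -> dict:
    """Integration step: query the TI platform once instead of copy/pasting results."""
    return TI_FEED.get(ip, {"verdict": "unknown", "tags": [], "score": 0})

@dataclass
class Incident:
    """Minimal stand-in for an IRP incident record (constructed for this example)."""
    incident_id: str
    indicators: list[str]
    severity: str = "low"
    enrichment: dict = field(default_factory=dict)
    timeline: list[str] = field(default_factory=list)

    def note(self, text: str) -> None:
        """Documentation step: every action is written to the incident timeline."""
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        self.timeline.append(f"{stamp} {text}")

def enrich_indicators(inc: Incident) -> None:
    """Playbook step 1: enrich each indicator through the integration."""
    for ip in inc.indicators:
        inc.enrichment[ip] = ti_lookup_ip(ip)
        inc.note(f"TI lookup {ip}: {inc.enrichment[ip]['verdict']}")

def triage_severity(inc: Incident) -> None:
    """Playbook step 2: the same severity rule for every analyst, every time."""
    scores = [e["score"] for e in inc.enrichment.values()]
    inc.severity = "high" if max(scores, default=0) >= 80 else "low"
    inc.note(f"severity set to {inc.severity}")

# A playbook is an ordered list of named steps; each step mutates the incident.
SUSPICIOUS_IP_PLAYBOOK: list[tuple[str, Callable[[Incident], None]]] = [
    ("enrich", enrich_indicators),
    ("triage", triage_severity),
]

def run_playbook(inc: Incident, playbook: list[tuple[str, Callable[[Incident], None]]]) -> Incident:
    """Walk the playbook so junior and senior analysts follow identical steps."""
    for name, step in playbook:
        inc.note(f"step '{name}' started")
        step(inc)
    return inc
```

Running `run_playbook(Incident("INC-1", ["203.0.113.45"]), SUSPICIOUS_IP_PLAYBOOK)` enriches the indicator, sets severity, and leaves a timestamped timeline, which is the documentation the later section asks for.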
Let’s be honest, communication and documentation aren’t very exciting. Nonetheless, they are essential components of a strong security program.
All it takes is one incident not being documented properly, or one key person not being notified in time… and things can escalate quickly. Remember, once a threat actor has a foothold inside your network, full compromise can take a matter of minutes.
Again, strong communication and documentation are all about laying the groundwork. With the right processes and platforms in place, your security teams will be able to maintain strong communication and documentation without needing to spend a huge amount of time on it.
This is another essential component of security orchestration, and we’re not being hyperbolic when we say that having these processes in place can absolutely be the difference between smooth sailing and a catastrophic data breach.
When you get security orchestration right, your operational security teams will enjoy massive time and efficiency savings. And that’s before you even start to think about automation.
But, crucially, orchestration is not something you do once and forget about. In order to gain maximum benefit, you need to continually refine processes (and integrate any new technologies) to ensure every incident or alert is being dealt with in the best way possible.
If you can do this consistently, your security function will only grow stronger over time. And once you have orchestration under control, you’re ready to start thinking about automation.
Coincidentally, that’s exactly what our next post will cover. Until then.