Security Orchestration in 4 Simple Steps
by Robert Bond
According to research firm Gartner, enterprise security spending reached $86.4 billion in 2017 and was forecast to grow by roughly $7 billion, nearly 10%, in 2018. Information security has become a major investment for private and public enterprises alike. It is no longer optional; it has become a necessity.
Security Investments Wasted?
The reality is that information security remains compromised despite the massive investments that organizations have made in their programs.
Consider a typical scenario for a business with both online and physical presences. Such a business would invest in security systems that protect their e-commerce platform, user database, POS systems, operations software systems, and more. These have specific security needs that require the implementation of a variety of security tools and processes. Further, the team of security specialists managing the technology and processes is growing as well.
Even with this level of investment, breaches go unnoticed for a long time: the 2017 Ponemon Institute Cost of a Data Breach study put the mean time to identify a breach at 191 days and the mean time to contain it at a further 66 days, 257 days in total.
Manpower is an issue. Dedicated security teams often lack qualified members, and with a steady stream of alerts arriving from many different tools, staff hours go into manually separating false positives from real threats. At best this is tedious; at worst it delays detection and response.
This is such a common scenario among security teams that there’s a term for it: alert fatigue.
In a 2017 survey of C-level security executives, 37% reported receiving more than 10,000 security alerts a month; of those alerts, respondents said 52% were false positives and 64% were redundant.
Cisco's 2017 Security Capabilities Benchmark Study reports that many organizations see more than 5,000 alerts per day, and that their understaffed teams manage to investigate only 56% of them.
These reports point to security teams that are overwhelmed with alerts and lack the capacity to be effective at their jobs. This is not what you want, and it is certainly not the ideal in a progressively more challenging information technology landscape.
The ideal security teams and systems are efficient and quick to respond. Tools and processes are managed effectively; and there is a streamlined task flow from detection to threat response and remediation.
Much of the backlog lies in assessing each alert to separate real threats from false positives; that is what slows the development of viable responses. There has to be a way to cut through that tedious work.
What is Security Orchestration?
Security orchestration refers to the integration of a variety of security systems, to streamline security processes and implement effective security automation.
Security orchestration is an effective response to many of the haphazard approaches used today. Security processes become more efficient once security tools are integrated. Your team can be more agile even as the technology they manage increases. It is important to know what security orchestration is, the steps you need to take in order to achieve it, and how your business can benefit.
Towards the end of 2017 Gartner published a report, Preparing Your Security Operations for Orchestration and Automation Tools, that calls for the adoption of security orchestration. In it, they urge business leaders to start investing in Security Orchestration, Automation and Response (SOAR) technologies.
They say that “SOAR supports multiple activities for security operations decision making such as: prioritizing security operations activities; formalizing triage and incident response; and automating containment workflows.”
The report predicts that by year-end 2020, 15% of organizations with a security team of more than five people will be using SOAR tools, up from less than 1% at the time the report was written.
You need security orchestration when your security team constantly deals with:
- Too many alerts, too little time
As suggested, alert fatigue is real, and it slows both response and remediation. When every alert or security event has to be filtered and assessed by hand, your team is overworked and too slow to catch malicious activity before damage is done. Security orchestration gives you an integrated analytics layer in which you can apply contextual filters (asset, user and threat-intel context), leaving you with higher-quality alerts.
- Lack of alert prioritization
Not all alerts are the same. Some are benign alerts while others merit immediate attention. In many cases, man hours are wasted on low-level alerts while more important ones are left unanswered.
- Alerts that lack context
The speed of processing through alerts can be increased when these alerts include contextual information. Security orchestration can help you effectively integrate external and internal security data sources so you can assess and prioritize real threats faster.
- Alerts that are limited to real-time events
Uncoordinated security systems are often limited to monitoring real-time malicious activities. It will benefit your security efforts to be able to anticipate these activities before they even start. This requires a proactive approach to threat assessment, one that considers history and previous trends.
- Alerts that are limited to your network data
The integration of both internal and external security data sources is essential when you want to filter through benign security events and respond to more important ones. You can’t do this if your security system has blinders on.
Security Orchestration Benefits
Implementing SOAR, starting with security orchestration, brings clear benefits to your security team's and systems' responsiveness to real threats.
Automation is key to freeing up man hours and making sure your security team deals with real threats in a timely manner. Through security orchestration, you can effectively automate repeatable threat analysis and containment tasks. This way, your team spends their time on more urgent and complex security issues.
By integrating your security data sources (your security tools, your IT asset database, and external sources such as threat intelligence feeds), you can assign a risk level to each alert. Your security team is then notified of, and can assess, the highest-risk activity first.
Implementation of an incident triage and response workflow
When security team members are on the same page concerning alerts, risks, and required actions, they become more responsive and effective in their jobs. This is possible when you implement a formal incident triage and response workflow through security orchestration.
Effective Security Orchestration in 4 Simple Steps
There are several technologies that aid in adopting security orchestration. These technologies allow you to integrate your security tools, improve automation and incident management, respond, and generate actionable reports.
Achieving improved security is a process. With security orchestration made simple, you can begin your efforts with 4 easy steps:
Security orchestration step 1: Automate repetitive assessment and remediation tasks
The immediate result is saved staff hours: time goes to assessing and fixing higher-level threats rather than to routine patching, system upgrades, or recurring reports. Organizations see returns immediately, first in task efficiency and ultimately in a more effective defense.
SIEM tools that provide real-time analysis of security alerts become more effective when selected post-alert queries are automated, instead of the usual approach of handing every alert straight to a human analyst for further investigation.
According to Gartner’s Preparing Your Security Operations for Orchestration and Automation Tools report: “SIEM tools are… limited in their ability to query additional data sources and verification services after an initial set of conditions is met. The usual approach is to do as much as possible with that set of conditions and then provide the alert to an analyst for triage, where those additional queries take place.”
“The ability to automate post-alert queries, such as submitting indicators of compromise (IOCs) to IT services or even artifacts to external sandboxes, allows organizations to implement more threat detection use cases with a high number of initial alerts….The automated triage by SOAR effectively acts as the remaining stages of the multistage detection process.”
Security orchestration step 2: Implement an incident assessment and response workflow
Alert triage, assessment and response involve several processes, which in most cases are documented for operational management or to fulfill compliance requirements. Although such documentation qualifies as a workflow, it is still most commonly used only as an informal guide for security analysts.
In a reality where threats and breaches compound daily, that is an ineffective use of useful data. As Gartner's SOAR report puts it: “…Most of them will quickly realize that a system capable of recording the data in a structured format, usually while controlling the process workflow, is required to handle the increasing volume and complexity [of alerts].”
Security orchestration moves the tools that record these workflows into a more central role. As the SOAR report says (Gartner abbreviates orchestration and automation as O&A): “The process workflow documented in the tool is no longer used only as guidance to the analysts. O&A moves these tools to an active role in performing tasks of those processes, and occasionally the entire end-to-end process.”
Security orchestration step 3: Integrate internal and external threat intelligence resources
Your goal is to improve the quality of your security alerts, such that you can see potential issues from a mile away. It is then crucial that you use quality comprehensive threat intelligence resources.
Internally, you have your historical data, which can help pinpoint risky activities and move your team to respond fast, with little to zero damage.
Externally, several publicly available reports provide intel on threats and security risks. US-CERT alerts, for instance, contain network-based indicators and some contextual data; matching those indicators against your own traffic is a well-established way to detect command-and-control (C2) nodes, which indicate malware already inside your systems. DHS/FBI joint reports, other .gov publications, and commercial threat reports are further sources.
Security orchestration step 4: Monitor, assess, and repeat
You are unlikely to get the calibration of your security orchestration right the first time. It takes time, and a few missed alerts. Monitor the system, assess where it falls short (alerts that should have been escalated, playbooks that suppressed real incidents), and fix and repeat.
Recall the OODA (observe, orient, decide and act) loop, a decision-cycle strategy developed by US Air Force Colonel John Boyd. When applied to security orchestration, you become more agile and responsive to the threats and challenges that come your way.
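The four steps above, and the alert problems listed earlier (redundant alerts, missing prioritization, missing context, no external data), can be tied together in one small triage playbook. The following is an added example written for this article, not code from the article's author or from any SOAR product. Every input it uses is constructed inline so it runs offline: the SIEM alerts, the asset inventory, the scanner allowlist, the 30-day sighting history and the threat-intel feed are all hypothetical stand-ins for the SIEM, CMDB, historical data and US-CERT or commercial feeds a real deployment would query.

```python
"""Toy SOAR-style triage playbook: dedup, enrich, prioritize, record, measure.

Added example, not the article's own code. All alerts, asset records, the
threat-intel feed, the history and the allowlist below are constructed so the
script runs offline; in a real deployment they come from the SIEM, the CMDB,
the TI platform and the orchestration tool's case store.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed SIEM alerts (what a SIEM would forward to the orchestration layer).
ALERTS = [
    {"id": "a1", "rule": "outbound-beacon", "src": "10.0.5.21", "dst": "203.0.113.7", "ts": 100},
    {"id": "a2", "rule": "outbound-beacon", "src": "10.0.5.21", "dst": "203.0.113.7", "ts": 130},  # redundant
    {"id": "a3", "rule": "port-scan", "src": "10.0.9.3", "dst": "10.0.5.0/24", "ts": 140},
    {"id": "a4", "rule": "failed-logins", "src": "198.51.100.9", "dst": "10.0.5.40", "ts": 150},
    {"id": "a5", "rule": "outbound-beacon", "src": "10.0.7.8", "dst": "192.0.2.44", "ts": 160},
]
# Constructed internal context: asset inventory (criticality 1-5) and a known-benign scanner allowlist.
ASSETS = {"10.0.5.21": {"name": "pos-gw-01", "criticality": 5},
          "10.0.5.40": {"name": "hr-db-02", "criticality": 4},
          "10.0.7.8": {"name": "kiosk-12", "criticality": 1}}
ALLOWLIST = {"10.0.9.3"}  # internal vulnerability scanner: its port-scan alerts are false positives
# Constructed historical data: how often each external destination was seen in the last 30 days.
HISTORY = Counter({"203.0.113.7": 0, "192.0.2.44": 412})
# Constructed external threat intel (stands in for a US-CERT / commercial C2 indicator feed).
THREAT_INTEL = {"203.0.113.7": "known C2 node (constructed feed)"}
DEDUP_WINDOW = 60  # seconds: same rule+src+dst inside this window counts as one alert

@dataclass
class Incident:
    """Structured case record: the workflow artifact step 2 asks for."""
    alert: dict
    priority: int = 0
    context: list = field(default_factory=list)
    status: str = "new"
    actions: list = field(default_factory=list)

def deduplicate(alerts):
    """Collapse repeats of the same rule/src/dst inside DEDUP_WINDOW (the 'redundant alerts' problem)."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["src"], a["dst"])
        if key in last_seen and a["ts"] - last_seen[key] <= DEDUP_WINDOW:
            continue
        last_seen[key] = a["ts"]
        kept.append(a)
    return kept

def enrich(inc):
    """Automated post-alert queries (step 1) against asset DB, history and external intel (step 3)."""
    a = inc.alert
    asset = ASSETS.get(a["src"]) or ASSETS.get(a["dst"])
    if asset:
        inc.context.append(f"asset {asset['name']} criticality {asset['criticality']}")
        inc.priority += asset["criticality"]
    if a["dst"] in THREAT_INTEL:
        inc.context.append(THREAT_INTEL[a["dst"]])
        inc.priority += 5
    if a["rule"] == "outbound-beacon" and HISTORY[a["dst"]] == 0:
        inc.context.append("never-seen destination")  # first contact with an external host is suspicious
        inc.priority += 2
    return inc

def triage(inc):
    """Formal workflow (step 2): suppress known false positives, escalate high scores, queue the rest."""
    a = inc.alert
    if a["src"] in ALLOWLIST:
        inc.status, inc.priority = "closed-false-positive", 0
        return inc
    inc.status = "escalated" if inc.priority >= 7 else "queued"
    if inc.status == "escalated" and a["dst"] in THREAT_INTEL:
        inc.actions.append(f"block-egress {a['dst']}")  # containment step: decided here, executed by the firewall integration
    return inc

def run_playbook(alerts):
    """Whole pipeline, plus the counts step 4 needs to tune thresholds and allowlists over time."""
    incidents = [triage(enrich(Incident(a))) for a in deduplicate(alerts)]
    metrics = Counter(i.status for i in incidents)
    metrics["received"], metrics["deduplicated"] = len(alerts), len(alerts) - len(incidents)
    return sorted(incidents, key=lambda i: -i.priority), metrics

if __name__ == "__main__":
    incidents, metrics = run_playbook(ALERTS)
    for i in incidents:
        print(i.alert["id"], i.status, i.priority, i.context, i.actions)
    print(dict(metrics))
```

Run as written, the playbook collapses the two beacon alerts from the POS gateway into one, escalates it with a containment action because the destination is on the intel feed, the asset is critical and the destination was never seen before, closes the scanner's port-scan alert as a false positive, and queues the two low-scoring alerts for an analyst. The returned metrics (received, deduplicated, escalated, queued, closed) are exactly what step 4 reviews: if real incidents keep landing in the queued bucket, the thresholds or enrichment sources need adjusting.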
Security orchestration has evolved alongside today’s more elaborate enterprise systems, massive data and persistent security threats. With a platform that allows a more efficient management of security tools, information and systems and an implementable process workflow, you get higher-quality alerts that teams can respond to more effectively.
The benefits of implementing security orchestration to your enterprise security systems are clear and achievable. And, this is what you should strive for when you want to stay competitive in the near future.
The next step to better business, more secure information, and a sturdier defense to compounding threats and security risk is security orchestration.
March 29, 2020