When looking at any security team, one thing you might notice is that there is a tool for everything. And we do mean everything: ticketing, threat intelligence, security investigations, malware analysis, detection, incident response, advanced persistent threats, security monitoring… the list goes on.
Every organization wants the best of the best to build their defenses. This can often leave their security teams and security operations centers with a toolstack of uncooperative solutions that don't communicate with one another, with their full value remaining untapped, and they can interrupt or even cancel each other out. The team becomes paralyzed by the sheer number of alerts generated by these solutions, losing time that could be spent on contextualized investigation and response.
We often cite alert fatigue as a common challenge in SOCs, and with good reason. Nobody likes alerts, because whether it's a fire alarm, car alarm, or alarm for any other kind of emergency, it signals to us that a real threat is present. But after hearing alerts time and time again, all we hear is the boy who cried wolf. We downplay these alerts because we've spent so much of our precious time combing through them, only to reveal themselves as fake. In SOC terms, this leads to real threats being missed, often to devastating consequences.
There is a solution. That solution is connecting the tools that security teams run, to communicate with each other and do away with the tedious, time-consuming tasks that have a high potential for human error. Streamlining the process with which tools are used helps to keep security professionals from losing any of their precious time.
Security orchestration addresses the number of different tools used by security teams. It brings these tools together to work with one another, bringing out the full value of each and allowing teams to more effectively respond to threats.
- What is security orchestration?
- What can we use security orchestration for?
- Benefits of security orchestration
- SOAR - Security orchestration, automation and response
What is security orchestration?
While we've spoken about security automation and how it differs from security orchestration, the terms are used almost interchangeably. It's important to know that even if they sound similar, they each hold a different meaning and purpose.
Let's reiterate: security automation is the automatic execution of security tasks without human intervention, and is focused on single tasks that usually follow an already established course of action. Security orchestration, on the other hand, considers the use of multiple automated tasks, and connects the technologies, tools and processes, streamlining the security process and allowing for protection combined with ease of implementation and use.
With all this in mind, we can see that automation actually takes in the more complex tasks that security orchestration involves, and that security orchestration is actually the enabler of automation.
Security Orchestration refers to tools and solutions that are able to work together, communicate, share and export data in an intuitive and easy way, without interrupting or canceling each other out, and streamlining the security process which allows each tool to be used to its full potential.
Most network threats can be caught and prevented without the need for human intervention. While in an ideal world, all solutions would come from a single vendor (making the security orchestration process much easier), that's not often the case. As we said earlier, organizations want the best tools to build their defenses with, and that often entails going to different vendors and utilizing different open source solutions. Security orchestration is more challenging when we have that kind of disparate tool situation, but should work seamlessly nonetheless.
Security orchestration presents a solution to some of the more ruinous problems that security teams face:
Alert fatigue: The rising number of alerts generated by the many different tools used by SOCs can lead to alert fatigue, which can compromise organizational defenses. Real threats can be ignored, with too much time spent combing through false positives.
Increase of solutions and tools: Every security team uses a lot of different tools and solutions. Besides the alert fatigue that stems from false positive alerts, this abundance of tools means analysts spend a lot of time jumping from screen to screen and correlating data manually, which lowers efficiency.
Talent shortage: When hiring the perfect fit for your security team, you spend time finding them, training them and hoping to use their skills to their full potential. So you wouldn't want them to spend their valuable time and expertise on tedious, repetitive tasks, would you?
Security orchestration can be applied to almost all tasks, but let's go through a few specific scenarios to see where it shines the most.
What can we use security orchestration for?
There are numerous use cases for security orchestration, different needs it can fulfill, and a few ways it can work to its full potential:
Cybersecurity alerts need to be combed through and sorted, and context is everything. You can't do anything with an alert without context. When a security team receives an alert of any suspicious behaviour, they can't tell much about it without investigating and looking through alerts, finding patterns, and more. Manual triaging is limited, tiresome, and leaves space for human error. That's where security orchestration comes in!
Security orchestration solutions and platforms allow security teams to apply context quickly. They do this by drawing relevant data from numerous sources and enriching the alerts that are received. This allows the team to focus on deeper investigations and the remediation of security issues and real threats.
Security teams often focus more time responding to alerts than engaging in proactive threat hunting and malware analysis. And while yes, threat hunting is always present, going over multiple threat intelligence feeds, correlating data to draw conclusions, and catching threats before they wreak havoc on their internal IT infrastructure is a time-consuming process. It can't always be completely automated, because some tasks still need human intervention.
So what is the answer? Employing a security orchestration platform to deal with those tasks that don't need the analysts' undivided attention. A security orchestration tool is able to bring in threat data from numerous sources, can attach the relevant threat intel to specific incidents, and make intelligence easily available to analysts while threat hunting.
Alert handling and threat hunting come together in the final, and often the most important, security operation that benefits from security orchestration. Security incident response teams have a tough job, as a lot of incidents and threats are discovered sometimes even months from the initial exploit and entry, and some are never discovered even after many years.
Incident response consists of alert triage, analytics, security incident investigation, threat intelligence, and more. To truly be proactive about incident response, we have security orchestration to help. Security orchestration helps incident response teams in all of the above stated processes, facilitates them and makes them available from a unified place. This allows for more strategic decision-making and clearer oversight on the entire incident response process.
Benefits of security orchestration
By reviewing the use cases for security orchestration, we can easily draw conclusions about its benefits. But to truly understand its value, we should take a look at its most frequently cited benefits.
Reduced response time
Security orchestration connects disparate tools and solutions. They share data, allowing for quicker and easier access to relevant intel, which in turn results in faster and more efficient incident response.
Going beyond mere analysis, a security orchestration platform can be configured to respond to different ranges of security incidents. Incidents can be interrupted before causing any real damage, and even if a device in the network has been infected, these platforms can isolate it from the rest of the network, as well as blacklist domains, and more.
All of this means security teams and SOCs aren't required to respond to each incident manually, leaving them more time to focus on strategic approaches to security issues and risks.
Streamlined investigative process
In a previous post, we touched upon cyber crime investigations and the techniques used for it. The investigative process involves a background check, information gathering to understand whether the attack is automated or targeted, assessing the scope of the incident, identifying open vulnerabilities, determining if cyber crimes were committed, and searching for evidence. Once the data is collected, the affected systems must be examined, as well as any that might have been involved in the origin of the attack.
Many of these steps can be automated, but some will require human intervention. For those cyber investigation tasks that can be automated—they should be. Background checks, information gathering, checking for vulnerabilities, installing patches, detecting types of malware and the like can all save security analysts' time and organizations' money if automated and improved with security orchestration.
Different types of cyber crime, security breaches, data breaches and all those incidents we like to think won't happen to us (even if many of them eventually do) are constantly on the rise. However, there are certain steps that can be taken to mitigate and contain an incident if a breach occurs.
Security orchestration solutions can help prioritize remediation based on areas that pose greater risks, create better informed plans for improvement after the incident has taken place and even measure the success of the entire process, without requiring the use of numerous security tools.
Contextualized security alerts
And we're back to those pesky security alerts. Once again, context is everything: an alert without context is just that, an alert that isn't actionable. Context in the context of security alerts (see what we did there?) relates to the circumstances that surround it—information regarding what, how, where, and who.
This information needs to be available to security teams without them having to go through so many different tools, getting frustrated when switching between so many screens, and losing their focus in the face of potentially real and devastating security threats. Fortunately, security orchestration informs their next step in handling security alerts, letting them focus on what really matters, rather than on Shodan scanning your network.
Improved team collaboration
However, security orchestration isn't only about connecting disparate tools. In cybersecurity, it's all about people, processes and technology. Here we are now with a benefit for the people themselves. Security incidents often go through escalation from support to security teams, security managers, CISOs, CTOs, and others in the chain.
Each of these levels uses its own apps and solutions to go through a reporting and communication process, so it's easy to see how information can be hard to understand. Traversing all of these sources to access information can be tedious, and dampens the collaborative spirit needed to respond to real security threats.
With the visibility of security orchestration and the accessibility of crucial information gathered in a single solution, the appropriate team or person can resolve an incident much more quickly. This type of solution allows for better collaboration as well, as team members are privy to the same information and can work together to fight cyber criminals and other malicious attackers.
Coming back full circle, we return to one of security orchestration's main benefits. That is, of course, the easy integration of all existing tools and solutions. When firewalls, IDSs, threat intelligence and any other tools used by security teams come from different vendors (and they almost exclusively do), that just screams incompatibility. Analysts will have to deal with each individual tool to piece the data together. The worthwhile alternative is to let security orchestration piece it together for you.
With all the tools' functionalities gathered in a single place, analysts are freed up toward getting actionable results, and resources can be directed to those tasks that require human intervention and the critical thinking only your team can provide.
SOAR - Security orchestration, automation and response
When talking about security orchestration, there's no way we can leave out SOAR. It's in the name! SOAR stands for security orchestration, automation and response. These factors drive the entire concept of security orchestration.
The term SOAR describes three software capabilities defined by Gartner:
- Threat and vulnerability management - Orchestration
- Security operations automation - Automation
- Security incident response - Response
Gartner also identifies three key areas where SOAR solutions add value:
- Prioritizing security operations activities
- Formalizing triage and incident response
- Automating response
SOAR solutions allow organizations to collect threat intel and automate security operations and incident response to lower-level threats, as those with more potential for disruption are best left to human intervention. SOAR's solution stack consists of programs and technologies and combines automation and orchestration; automation is concerned with making the process of discovering and responding to threats faster, and orchestration makes it more efficient.
Put simply, SOAR platforms integrate tools, systems and applications within an organization. This allows the compatible tools to work together to collect threat data, prioritize and automate incident response operations along with the entire workflow. So how do they do it?
A SOAR solution will gather alert data from each platform, then source and group them in a one place for further investigation. Then the data goes to case management where it's researched and assessed, along with other relevant investigations taking place in a single case. Response to threats and the steps in that process are fully automated and can be executed from within the platform itself, taking care of the most time-consuming, tedious and manual tasks and fulfilling the real intent behind security orchestration.
SOAR solutions also help automate incident response, threat hunting and remediation. It basically ticks off all of the boxes in security orchestration use cases.
With security automation, and now with security orchestration, we have now circled some of the pillars of modern enterprise and its overall security approach. As we've said before, automation is all around us, and if we've found ways to automate even the most mundane of tasks in our everyday lives, why shouldn't we do the same with security and security operations?
Security orchestration has gone a step further and filled some of the gaps left by automation. If we automate tools, we need to make sure they work together! Because what are all these cutting-edge tools worth if we're not using their full potential? It's on us to leverage them, to make sure our security infrastructure and cyber defenses are as strong and resilient as they can be.