Security Orchestration

Real Life Security Operations

During the last decade or so most large organizations have built a Security Operations Center (SOC) to deal with ever-expanding security challenges and growing alert numbers. People, processes and technology are the three pillars of an organization’s SOC. While responding to a security incident, SOC teams require all of the above in a complicated mix and match scenario to be successful. Failure to integrate people, processes and technology can doom a security program

Security Operations

What is Security Orchestration?

Security orchestration involves interweaving people, processes, and technology in the most effective manner to strengthen the security posture of an organization. By streamlining security processes, connecting disparate security tools and technologies, and maintaining the right balance of bot powered security automation and human intervention, security orchestration empowers security professionals to effectively and efficiently carry out threat hunting and incident response.

The Need for Security Automation and Orchestration

Over the past few years, the number of incidents which cyber security professionals must respond to has increased dramatically.Let us cite the source for this (even better if the source is our state of incident response report). Providing 100-percent coverage would require a sufficient number of analysts to evaluate that many incidents daily. Without adequate staffing, statistics have proven that the organization can be severely affected by incidents that security teams can’t address in time.

Given the current shortage of qualified cyber security professionals, however, few organizations can recruit and retain a large enough staff to deal with the volume of incidents that they face. Instead, companies are turning to security automation and orchestration to bolster their defenses.

View Infograpic

Is Security Orchestration just a ‘sexy’ word for Security Automation?

Since it has become increasingly common in the industry to use the terms “security automation” and “security orchestration” interchangeably, we did some research with the goal of defining three different terms – “Security Automation”, “Security Orchestration” and “Security Workflow”. We sent a bunch of emails, made lots of phone calls to customers, prospects and colleagues,  and read whatever material was available out there. What we found was quite interesting:

1

None of the customers and prospects clearly see the difference between security orchestration and security automation. They all understand the value that products in this space intend to deliver but the crowded market and the buzzword bingo that we are all part of result in a lot of confusion.

2

The Customers have different requirements or ‘wishes’ in this space. Some of these requirements are very well defined, but others are not indicating that a gap exists in what is available to them and what is needed.

3

Many cybersecurity professionals consider security orchestration as simply the latest buzzword for security automation or the latest phase of security automation. Security a Automation is certainly part of the solution. However, security automation alone is not enough.

Security automation can provide complete visibility, triage events, connect the dots,  and automate workflow processes. Effective automation of routine tasks increases the productivity of your staff members; automation is much more efficient than asking your people to handle tasks manually. But to do their jobs properly, analysts need a comprehensive, single-pane security orchestration platform to achieve the proper balance between human intuition and automation.

Read The Orchestration Requirements

Makings of a True Security Orchestration Platform

A comprehensive Security Orchestration Platform should be able to automate security product tasks, create playbooks with complicated logic, and  track and orchestrate tasks assigned to analysts. In reality, most of the vendors in this space have failed to deliver a solution that encompasses the whole of security operations. The reason is, it is not about simply automating individual security tasks, or about creating a playbook of security tasks with logic. It is about weaving the human analyst into the middle of these workflows and playbooks.

A security automation and orchestration platform must solve the challenges of detecting and responding to incidents. To do that effectively, it must have following components:

Read the technical paper

Security Automation and Orchestration: Budgeting and ROI

Today’s organizations spend a significant amount of time and money on ecosystem technologies that could help them reduce risk. However, these solutions run in silos and don’t move as a collective whole. Despite their efforts, measuring the effectiveness of a security system is often very hard from the perspective of the “business”.

As the number of security products continues to increase, CISOs will face an ever-changing list of vendors offering new takes on the world of cybersecurity. At the same time, CISOs are going to be held increasingly accountable for their purchases. CEOs, CFOs and most other C-suite executives want to see “hard numbers” that explain exactly what they are getting for the money they are spending. However, security does not lend itself to the metrics that are typically used to justify capital expenditures. Most of the benefits delivered by security products are intangible.

A security automation and orchestration platform serves as a hub that connects all security products. This allows a security scorecard to be built for incident response functions. CISOs can then use the scorecard to make informed decisions about budget allocations for various security products. The scorecard also provides valuable, organized information that can be used to justify expenditures or allocations to those who may need to issue the final approvals.

ROI of Security Orchestration Platform