Real Life Security Operations
During the last decade or so, most large organizations have built a Security Operations Center (SOC) to deal with ever-expanding security challenges and growing alert numbers. People, processes, and technology are the three pillars of an organization’s SOC. While responding to a security incident, SOC teams require all of the above in a complicated mix-and-match scenario to be successful. Failure to integrate people, processes, and technology can doom a security program.
What is Security Orchestration?
Security orchestration involves interweaving people, processes, and technology in the most effective manner to strengthen the security posture of an organization. By streamlining security processes, connecting disparate security tools and technologies, and maintaining the right balance of bot powered security automation and human intervention, security orchestration empowers security professionals to effectively and efficiently carry out threat hunting and incident response.
Is Security Orchestration just a ‘sexy’ word for Security Automation?
Since it has become increasingly common in the industry to use the terms “security automation” and “security orchestration” interchangeably, we did some research with the goal of defining three different terms – “Security Automation”, “Security Orchestration” and “Security Workflow”. We sent a bunch of emails, made lots of phone calls to customers, prospects and colleagues, and read whatever material was available out there. What we found was quite interesting:
None of the customers and prospects clearly sees the difference between security orchestration and security automation. They all understand the value that products in this space intend to deliver, but the crowded market and the buzzword bingo that we are all part of result in a lot of confusion.
Customers have different requirements, or ‘wishes’, in this space. Some of these requirements are very well defined, but others are not, indicating that a gap exists between what is available to them and what is needed.
Many cybersecurity professionals consider security orchestration as simply the latest buzzword for security automation or the latest phase of security automation. Security Automation is certainly part of the solution. However, security automation alone is not enough.
Makings of a True Security Orchestration Platform
A comprehensive Security Orchestration Platform should be able to automate security product tasks, create playbooks with complicated logic, and track and orchestrate tasks assigned to analysts. In reality, most of the vendors in this space have failed to deliver a solution that encompasses the whole of security operations. The reason is that it is not about simply automating individual security tasks, or about creating a playbook of security tasks with logic. It is about weaving the human analyst into the middle of these workflows and playbooks.
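To make the point concrete, here is a small added example (written for this article, not any vendor's product code) of a playbook that runs automated enrichment, applies logic, and hands the decision to an analyst when the logic calls for it. The reputation table, the critical-host list, the alert fields and the "isolate" action are constructed stand-ins for real integrations.

```python
from dataclasses import dataclass, field

# Constructed reputation table standing in for a threat-intel integration.
KNOWN_BAD = {"203.0.113.7": "c2-server"}
# Constructed asset list: hosts where containment needs a human decision.
CRITICAL_HOSTS = {"db-prod-01"}


@dataclass
class Playbook:
    alert: dict
    log: list = field(default_factory=list)            # audit trail of every step
    analyst_tasks: list = field(default_factory=list)  # tracked human tasks
    status: str = "open"

    def isolate(self):
        """Automated response step (placeholder for an EDR/NAC integration)."""
        self.log.append(f"isolate: {self.alert['host']}")
        self.status = "contained"

    def run(self):
        """Automated steps first, then route to a human where the logic requires."""
        verdict = KNOWN_BAD.get(self.alert["dst_ip"], "unknown")
        self.alert["intel"] = verdict
        self.log.append(f"enrich: {self.alert['dst_ip']} -> {verdict}")
        if verdict == "unknown":
            # No intel hit: not auto-closed, an analyst triages it.
            self.analyst_tasks.append({"action": "triage", "state": "pending"})
            self.status = "awaiting-analyst"
        elif self.alert["host"] in CRITICAL_HOSTS:
            # Human in the middle: isolating a critical host is an analyst
            # decision, tracked as a task rather than executed blindly.
            self.analyst_tasks.append({"action": "approve isolation", "state": "pending"})
            self.status = "awaiting-analyst"
        else:
            self.isolate()
        return self.status

    def analyst_decides(self, approve: bool):
        """Analyst completes the pending task; the playbook resumes from there."""
        task = self.analyst_tasks[-1]
        task["state"] = "approved" if approve else "rejected"
        self.log.append(f"analyst: {task['action']} {task['state']}")
        if approve:
            self.isolate()
        else:
            self.status = "closed-false-positive"
        return self.status
```

The same playbook therefore contains a workstation automatically, pauses on a production database until an analyst approves, and never isolates a host whose alert the analyst rejects.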
A security automation and orchestration platform must solve the challenges of detecting and responding to incidents. To do that effectively, it must have the following components: