By Abhishek Iyer, Technical Marketing Manager, Demisto
Since security orchestration is still an evolving space with competing definitions and maturing feature sets, there are some misconceptions that exist about its scope of use, consequences, and effort required in deployment. Is orchestration the same thing as automation? Can everything be automated?
These are some myths about security orchestration that I’d like to address. These myths don’t quite reach the heroic scales of Hercules and the Nemean Lion but are interesting and insightful nonetheless.
Security Orchestration Will Replace Your Security Teams
“Automation” always has a negative connotation with respect to job replacement and removal of the human element. But in security orchestration’s case, nothing could be further from the truth. Security orchestration aims to achieve a balance between machine-powered automation and human-powered decision-making to improve security operations.
In an ideal security orchestration process, only the tasks that are repetitive, time-consuming, and not intellectually stimulating will be automated. Any action that requires further human investigation or approval – whether through email response, task approval, or collaboration – will be open for security teams to weigh in.
Any Technology with Playbooks is Security Orchestration
As with any new industry term that gains adoption and market buzz, security orchestration’s rise has led to a cavalcade of vendors attaching the ‘security orchestration’ name to their products, whether genuine or not.
Here are some tips on separating true security orchestration from the rest of the bandwagon:
The scope of use: If a security orchestration tool is narrow in its scope of focus (for example, just dealing with phishing response), then it’s not a true security orchestration tool. Security orchestration is defined by its general-purpose nature and execution across a wide range of use cases.
Extensible integrations: A security orchestration tool is only as strong as its partner integration network. If a vendor builds a security orchestration product-line extension just to strengthen its initial products and limits other integrations, such a product doesn’t align with security orchestration’s true tenets.
Flexibility: Out-of-the-box, vendor-provided content such as playbooks, automation tasks, and product integrations should just be the foundation instead of the whole building. Users should be free to build their own combination of automated and manual tasks, custom playbooks, in-house integrations, and more.
Security Orchestration and Security Automation Are the Same Thing
While educating users on new technologies, people in the industry sometimes enthusiastically – and incorrectly – interchange the terms “security orchestration” and “security automation.”
Security automation is making machines do task-oriented ‘human work.’ Security orchestration is connecting different products (both security and non-security) and automating tasks across them through workflows, while still allowing for end-user oversight and interaction.
Security automation is a subset of security orchestration. Security orchestration involves a combination of people, processes, and technology to improve an organization’s security posture. Security automation is more focused on the ‘technology’ aspect of the aforementioned trio.
Security Orchestration is Only Meant for Large Enterprises
Since security orchestration involves the coordination of actions across multiple security products, there’s usually a presupposition that only large enterprises with well-defined SOCs and a wide range of products will extract value out of security orchestration. But with a 2018 Verizon report claiming that 58 percent of data breach victims are small businesses, the need for a repeatable and automated incident response is apparent irrespective of company size.
Even SOCs with 3-5 security analysts and a handful of tools can benefit from security orchestration through well-defined processes, increased team productivity, and setting the SOC up for eventual scale. Smaller firms can also engage Managed Security Service Providers (MSSPs) to oversee their security posture, where security orchestration tools can provide a valuable console for collaboration and data centralization.
Every Security Process can (and should) be Automated
“Automate or Die” is a pithy, marketing-friendly way to convey the urgency and need for automation, but it incorrectly paints the situation in black and white. Not every security process and action can (or even should) be automated.
Some tasks will continue to be too sensitive for unsupervised automation and will have manual approval processes baked in. Some tasks will continue to be too sophisticated and nuanced for machine execution and will be performed by security teams. For those high-volume, repeatable tasks, however… bring on the automation!
Just Deploying a Security Orchestration Tool Will Solve My Security Problems
Security orchestration is not an end-state but a journey of constant flux and churn. After the initial deployment of security orchestration tools, organizations need to iterate and keep tweaking elements of their security outlook such as:
- Verifying the effectiveness of playbooks and making them more concise or descriptive according to requirements
- Adding new security tools and removing existing security tools from the product stack
- Conducting regular process audits and searching for currently manual processes that can be automated over time
- Creating and reviewing dashboards for specific security analysts, alert types, and product integrations to measure what’s good and what can be made better
Security Orchestration is Only for Response Processes
Since security orchestration is usually touted as a solution to deal with rising alert volumes, it’s easy to perceive orchestration’s value being limited to response processes. But some benefits of security orchestration also transfer over to proactive and scheduled processes that security teams otherwise don’t have the time to perform.
Security orchestration playbooks can usually be scheduled to run at pre-determined time intervals and, for example, conduct health checks on organizational endpoints or verify the presence of systemic vulnerabilities. Playbooks can also run in real time, for instance to execute threat hunting operations across user environments after malicious indicators are detected in a separate alert.
The bottom line is security orchestration’s value is contingent on organizational need and the process itself more than the method of deployment. Don’t be afraid to dive in and let the automation begin. It’ll end up making a small team’s effort look like an army.
About the Author
Abhishek Iyer is Technical Marketing Manager at Demisto, a cybersecurity startup with a mission to make security operations “faster, leaner, and smarter.” Prior to Demisto, Abhishek worked in strategy and marketing roles across four industries. Abhishek holds a BE in Electronics Engineering, an MBA, and an MS in Marketing. He is on the Marketing Advisory Board for Purdue and has been a freelance writer for 8 years with a focus on technology, soccer, and gaming. Abhishek can be reached online at https://www.linkedin.com/in/abhishekiyer5225 and at our company website www.demisto.com.