How Security Orchestration and Automation Helps You Work Smarter and Improve Incident Response

Posted byJulie Tillyard - 25th Sep 2018
security automation and orchestration

We’ve been witnessing the continual transformation of the cyber security ecosystem in the past few years. With cyber attacks becoming ever-more sophisticated, organizations have been forced to spend huge amounts of their budgets on improving their security programs in an attempt to protect their infrastructure, corporate assets, and their brand reputation from potential hackers.

Recent research, however, still shows that a large number of organizations are experiencing an alarming shortage of the cyber security skills and tools required to adequately detect and prevent the variety of attacks being faced by organizations. Protecting your organization today is a never-ending and complex process. I am sure, like me, you are regularly reading many cyber security articles and statistics detailing these alarming figures, which are becoming more of a daily reality.

Many organizations are now transitioning the majority of their efforts on implementing comprehensive incident response plans, processes and workflows to respond to potential incidents in the quickest and most efficient ways possible. But even with this new approach, many experts and organizations alike express concerns that we will still be faced with a shortage of skilled labor able to deal with these security incidents, with security teams struggling to fight back thousands of potential threats generated from incoming security alerts on a daily basis.

With so many mundane and repetitive tasks to complete, there’s little time for new strategies, planning, training, and knowledge transfer. To make things worse, security teams are spending far too much of their valuable time reacting to the increasing numbers of false positives, to threats that aren’t real. This results in spending hours, even days on analyzing and investigating false positives, which leaves little time for the team to focus on mitigating real, legitimate cyber threats, which could result in a serious and potentially damaging security incident. Essentially, we need to enable security operations teams to work smarter, not harder; but is this easier said than done?

How does security orchestration and automation help security teams?

With this in mind, organizations need to find new ways combat these issues, while at the same time add value to their existing security program and tools and technologies being used, to improve their overall security operations performance. The answer is in the use of Security Orchestration, Automation and Response (SOAR) technology.

Security Orchestration, Automation, and Response SOAR solutions focus on the following core functions of security operations and incident response and help security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) work smarter and act faster:

  • Orchestration – Enables security operations to connect and coordinate complex workflows, tools and technologies, with flexible SOAR solutions supporting a vast number of integrations and APIs.
  • Automation – Speeds up the entire workflow by executing actions across infrastructures in seconds, instead of hours if tasks are performed manually.
  • Collaboration – Promotes more efficient communication and knowledge transfer across security teams
  • Incident Management – Activities and information from a single incident are managed within a single, comprehensive platform, allowing tactical and strategic decision makers alike complete oversight of the incident management process.
  • Dashboards and Reporting: Combines of core information to provide a holistic view of the organization’s security infrastructure also providing detailed information for any incident, event or case when it is required by different levels of stakeholders.

Now let’s focus on the details of these core functions and see how they improve the overall performance.

Orchestration

Security Orchestration is the capacity to coordinate, formalize, and automate responsive actions upon measuring risk posture and the state of affairs in the environment; more precisely, it’s the fashion in which disparate security systems are connected together to deliver larger visibility and enable automated responses; it also coordinates volumes of alert data into workflows.

Automation

With automation, multiple tasks on partial or full elements of the security process can be executed without the need for human intervention. Security operations can create sophisticated processes with automation, which can improve accuracy. While the concepts behind both security orchestration and automation are somewhat related, their aims are quite different. Automation aims to reduce the time processes take, making them more effective and efficient by automating repeatable processes and tasks. Some SOAR solutions also applying machine learning to recommend actions based on the responses to previous incidents. Automation also aims to reduce the number of mundane actions that must be completed manually by security analysts, allowing them to focus on a high level and more important actions that require human intervention.

Incident Management and Collaboration

Incident management and collaboration consist of the following activities:

  • Alert processing and triage
  • Journaling and evidentiary support
  • Analytics and incident investigation
  • Threat intelligence management
  • Case and event management, and workflow

Security orchestration and automation tools are designed to facilitate all of these processes, while at the same making the process of threat identification, investigation and management significantly easier for the entire security operations team.

Dashboards and Reporting

SOAR tools generate reports and dashboards for a range of stakeholders from the day to day analysts, SOC managers, other organization departments and even C-level executives. These dashboards and reports are not only used to provide security intelligence, but they can also be used to develop analyst skills.

Human Factor Still Paramount

Security orchestration and automation solutions create a more focused and streamlined approach and methodology for detection and response to cyber threats by integrating the company’s security capacity and resources with existing experts and processes in order to automate manual tasks, orchestrate processes and workflows, and create an overall faster and more effective incident response.

Whichever security orchestration and automation solution a company chooses, it is important to remember that no one single miracle solution guarantees full protection. Human skills remain the core of every future security undertaking and the use of security orchestration and automation should not be viewed as a total replacement of a security team. Rather, it should be considered a supplement that enables the security team by easing the workload, alleviating the repetitive, time-consuming tasks, formalizing processes and workflows, while supporting and empowering the existing security team to turn into proactive threat hunters as opposed to reactive incident investigators.

Humans and machines combined can work wonders for the overall performance of an organization’s security program and in the long run allows the experts in the team to customize and tailor their actions to suit the specific business needs of the company.

Finally, by investing in a SOAR solution for threat detection and incident response, organizations can increase their capacity to detect, respond to and remediate all security incidents and alerts they are faced with in the quickest possible time frames.