The terms security automation and security orchestration are often used almost interchangeably nowadays in the IT ecosystem. But it’s very important to note that these terms have completely different meanings and purposes. The aim of this blog is to discuss the core differences by explaining what these terms mean exactly, what their functions are and how they can be used within an IT context.
When automation emerged in the security field, it became a crucial asset for security teams that were already exhausted from time-consuming, repetitive, low-level tasks. Orchestration was the next step for better time and resource management for teams, as it helped professionals respond to issues faster, and prioritize important tasks with defined and consistent processes and workflows.
Security orchestration vs. security automation – the difference
When we speak about automation, it’s often wrongly assumed to mean automating an entire process, which is not always correct. The proper definition of security automation is setting a single security operations-related task to run on its own, without the need for human intervention (or a task could be semi-automated if some form of human decision is required).
On the other hand, orchestration, in essence, refers to making use of multiple automation tasks across one or more platforms. This means that automation tasks are part of the overall orchestration process, which covers larger, more complex scenarios and tasks. With this being said, we can say that orchestration means the automated coordination and management of systems, middleware, and services. Security orchestration uses multiple automated and semi-automated tasks to automatically execute a complex process or workflow, and these can consist of multiple automated tasks or systems.
Security Orchestration aims to streamline and optimize repeatable processes and ensure correct execution of tasks. Anytime a process becomes repeatable and tasks can be automated, orchestration can be used to optimize the process and eliminate redundancies.
Automation and orchestration can be best understood by differentiating between a single task and a complete process. Automation only handles a single task, while orchestration makes use of a more complex set of tasks and processes. When a task is automated, it speeds things up, especially when it comes to repeating basic tasks. But optimizing a process is not possible with simple automation, as it only handles a single task. A process is not limited to a single function, so optimization is only possible with orchestration. If done right, orchestration achieves the main goal of speeding up the entire process from start to finish.
By now, we believe you’re aware of the core difference between security automation and security orchestration, but bear in mind that these two are not completely separable and are used in conjunction with each other. As we’ve been discussing so far, security orchestration is not possible without automation. Now let’s go through the main benefits of both orchestration and automation:
Automation makes many time-consuming tasks run smoothly without (or with little) human intervention, thus allowing organizations to take a more proactive approach in protecting their infrastructure from increasing volumes of security alerts and potential incidents, which would take far too many man-hours to be able to complete.
The primary goal of orchestration is to optimize a process. While security automation is limited to automating a particular task, orchestration goes way beyond this. With automation providing the necessary speed to the processes, orchestration, on the other hand, provides a streamlined approach and process optimization.
What happens when these two work together?
- Better utilization of assets, allowing the organization to be more efficient and effective
- Improved ROI on existing security tools and technologies
- Increased productivity – all tasks are automated and orchestrated between themselves
- Reduced security analyst fatigue from alert and task overload
- Processes remain consistent due to standardization of activities.
Orchestration and automation work together to empower security teams, allowing them to be more effective, and ultimately focus on incident analysis and important investigations, rather than on manual, time-consuming and repetitive tasks. Having all of the tools to hand within a centralized, single and intuitive orchestration platform can only benefit your security operations team. This ultimately means more time for analysts and incident responders to focus on issues that require human intervention and deeper investigation for mitigation and remediation.
Both of these concepts, security automation and security orchestration, are closely related, and it’s often very difficult to differentiate between them. Having discussed this confusion in detail, one last piece of advice would be to look at their fundamental difference, which lies in their differing individual goals. Automation is all about codification, and orchestration is all about systematization of processes. Properly differentiating between these two principles will help you achieve streamlined and accurate execution of your incident response processes and tasks.
In our first blog in this series, we looked at some of the key drivers for Security Orchestration, Automation and Response (SOAR) adoption and what problems SOAR technology can help solve. Now, let’s look at the 3 core pillars which define what a SOAR solution is: Orchestration, Automation and Measurement.
The Core Pillars of a SOAR Solution: Orchestration, Automation, and Measurement
The number of technologies involved in today’s advanced security and incident response programs is exponentially more than it was even five years ago. While this has become necessary to effectively detect and respond to the current range and complexity of today’s threats, it has created its own problem: coordinating these into one seamless process. Switching between these multiple technologies, what Gartner refers to as “context switching”, can create enormous inefficiencies in an organization’s security program.
Technology integrations are the most common method used to support technology orchestration. There are numerous methods which can be used to integrate technologies through a SOAR solution, including common communication mechanisms such as syslog and email, as well as more complex, bidirectional integration methods such as API calls. Although technology is typically the primary focus of orchestration, it is equally important to consider the orchestration of people and processes in a holistic security program. Technology should be supported by effective processes, which should enable people to respond appropriately to security events. A strictly technology-centric security program is no longer adequate; people and processes must also be orchestrated properly to ensure that a security program is operating at its maximum efficiency.
Although the concepts of orchestration and automation are closely related, the goals they seek to achieve are fundamentally different. While orchestration is intended to increase efficiency through increased coordination and decreased context switching to support faster, more informed decision making, security automation is intended to reduce the time these processes take by automating repeatable processes and applying machine learning to appropriate tasks.
The key to successful automation is the identification of predictable, repeatable processes which require minimal human intervention to perform. Automation should act as a force multiplier for security teams, reducing the mundane actions that must be manually performed and allowing analysts to focus on those actions which require human intervention. Although some processes may be fully automated, a SOAR technology solution must also support automation which allows for human intervention at critical decision points.
Because a SOAR solution sits at the crossroads of the incident response process, it is in an ideal location to collect a trove of information. Measurement of security information is key for making informed tactical and strategic security decisions. Proper measurement is what turns raw incident information into critical intelligence. Measurement of both tactical and strategic information is useless without proper display and visualization. A SOAR solution must support multiple methods for displaying and visualizing all information in an effective and easy to digest manner.
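To make the single-task vs. whole-process distinction from the first post and the three pillars above concrete, here is a small added example in Python. It is illustrative code written for this page, not IncMan SOAR or any vendor's code; the threat-intel feed, asset inventory, EDR call and alert records are constructed stand-ins, and the fixed clock exists only so the measurement figures are reproducible.

```python
"""Toy SOAR-style playbook runner (illustrative only, not a product's code).

Automation    = one task that runs without a human (each task_* function).
Orchestration = chaining those tasks across several tools (SIEM alert in,
                intel feed, asset inventory, EDR) with a human decision gate.
Measurement   = timestamps captured per step so MTTA / MTTR can be reported.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed sample data standing in for third-party integrations.
THREAT_INTEL = {"198.51.100.23": "known-c2", "203.0.113.7": "scanner"}
ASSET_INVENTORY = {
    "10.0.0.5": {"owner": "finance", "criticality": "high"},
    "10.0.0.9": {"owner": "lab", "criticality": "low"},
}


@dataclass
class Alert:                      # what the SIEM hands over: the first step only
    alert_id: str
    src_ip: str
    dst_ip: str
    rule: str
    raised_at: datetime


@dataclass
class Incident:
    alert: Alert
    enrichment: dict = field(default_factory=dict)
    severity: str = "unknown"
    actions: list = field(default_factory=list)
    timeline: dict = field(default_factory=dict)


# --- automation: each function is a single, self-contained task -----------
def task_threat_intel(ip: str) -> Optional[str]:
    """Look the source IP up in the (constructed) intel feed."""
    return THREAT_INTEL.get(ip)


def task_asset_lookup(ip: str) -> dict:
    """Pull owner/criticality for the target from the (constructed) inventory."""
    return ASSET_INVENTORY.get(ip, {"owner": "unknown", "criticality": "unknown"})


def task_score(enrichment: dict) -> str:
    """Combine the enrichment results into a severity; no human needed."""
    if enrichment["intel"] and enrichment["asset"]["criticality"] == "high":
        return "critical"
    if enrichment["intel"]:
        return "high"
    return "low"


def task_isolate_host(ip: str) -> str:
    """Stand-in for a bidirectional EDR call; here it only records the action."""
    return f"isolate:{ip}"


# --- orchestration: the playbook chains tasks and inserts a human gate ------
def run_playbook(alert: Alert, analyst_approves: Callable[[Incident], bool],
                 now: Optional[Callable[[], datetime]] = None) -> Incident:
    now = now or (lambda: datetime.now(timezone.utc))
    inc = Incident(alert)
    inc.timeline["acknowledged"] = now()
    inc.enrichment["intel"] = task_threat_intel(alert.src_ip)
    inc.enrichment["asset"] = task_asset_lookup(alert.dst_ip)
    inc.severity = task_score(inc.enrichment)
    if inc.severity == "critical":
        # Semi-automated step: containment waits for an analyst decision.
        if analyst_approves(inc):
            inc.actions.append(task_isolate_host(alert.dst_ip))
        else:
            inc.actions.append("escalate:manual-review")
    elif inc.severity == "high":
        inc.actions.append("ticket:investigate")
    else:
        inc.actions.append("close:benign")
    inc.timeline["resolved"] = now()
    return inc


# --- measurement: the playbook's own timestamps feed the KPIs --------------
def metrics(incidents: list) -> dict:
    """Mean time to acknowledge / resolve (seconds) across the incidents."""
    n = len(incidents)
    mtta = sum((i.timeline["acknowledged"] - i.alert.raised_at).total_seconds()
               for i in incidents) / n
    mttr = sum((i.timeline["resolved"] - i.alert.raised_at).total_seconds()
               for i in incidents) / n
    return {"count": n, "mtta_s": mtta, "mttr_s": mttr}


def demo():
    """Run two constructed SIEM alerts through the playbook with a fixed clock."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock = (t0 + timedelta(seconds=s) for s in (30, 90, 40, 60))
    alerts = [Alert("A-1", "198.51.100.23", "10.0.0.5", "c2-beacon", t0),
              Alert("A-2", "192.0.2.10", "10.0.0.9", "port-scan", t0)]
    incidents = [run_playbook(a, lambda inc: True, now=lambda: next(clock))
                 for a in alerts]
    return incidents, metrics(incidents)
```

Swapping `task_*` functions for real API calls changes the automation; the orchestration (the playbook) and the measurement stay the same, which is the separation of concerns the three pillars describe.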
Stay tuned for our final blog in this series, where we will discuss some of the critical components and functionality that a SOAR solution should contain. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Increasing Adoption of SOAR Solutions
Over the past several years, Security Orchestration, Automation and Response (SOAR) has gone from being viewed as a niche product to one gaining traction across almost all industry verticals. Today, more and more private organizations, MSSPs and governments are turning to SOAR Technology to address previously unsolved problems in their security programs. SOAR is about taking action: “Automate. Orchestrate. Measure”. Organizations are implementing a SOAR solution to improve their incident response efficiency and effectiveness by orchestrating and automating their security operations processes. Gartner estimates that by 2019, 30% of mid to large-sized enterprises will leverage a SOAR technology, up from an estimated 5% in 2015.
In this three-part blog, we will discuss the key drivers for SOAR adoption and what problems a SOAR solution can help solve. In the next blog, the second part of this three-part blog, we will discuss the three pillars of Security Orchestration, Automation and Response (SOAR). Finally, we will round out the series by discussing the critical components and functionality that a SOAR solution should contain.
Five Key Problems SOAR Technology Helps to Solve
Like many new product categories, Security Orchestration, Automation and Response (SOAR) technology was born from problems without solutions (or perhaps more accurately, problems which had grown beyond the point that they could be adequately solved with existing solutions). To define the product category more accurately, it is crucial to first understand what problems drove its creation. There are five key problems the SOAR market space has evolved to address.
- Increased workload combined with budget constraints and competition for skilled analysts means that organizations are being forced to do more with less
As the number and sophistication of threats has grown over the past decade, there has been an explosion in the number of security applications in the enterprise. Security analysts are being forced to work within multiple platforms, manually gathering disparate data from each source, then manually enriching and correlating that data. Although it may not be as difficult to find security analysts as it once was, a truly skilled security analyst is still somewhat of a rare breed. Intense competition for these skilled analysts means that organizations must often choose between hiring one highly skilled analyst, or several more junior analysts.
- Valuable analyst time is being consumed sorting through a plethora of alerts and performing mundane tasks to triage and determine the veracity of the alerts
Even when alerts are centrally managed and correlated through a SIEM, the number of alerts is often overwhelming for security teams. Each one of these alerts must be manually verified and triaged by an analyst. Alerts which are determined to be valid then require additional manual research and enrichment before any real action can be taken to address the potential threat. While these manual processes are taking place, other alerts sit unresolved in the queue and additional alerts continue to roll in.
- Security incidents are becoming more costly, meaning that organizations must find new ways to further reduce the mean time to detection and the mean time to resolution
The cost of the average incident has increased steadily year on year. The immediate cost of an incident due to lost sales, employee time spent, consulting hours, legal fees and lawsuits is relatively easy to quantify. The financial loss due to reputational damage, however, can be much more difficult to accurately measure. Reducing the time to detect and resolve potential security incidents must be an absolute priority. Each hour that a security incident persists is effectively money out of the door.
- Tribal knowledge is inherently difficult to codify, and often leaves the organization with personnel changes
Employee retention is an issue faced by almost every security team. Highly skilled analysts are an extremely valuable resource for which competition is always high. Each time an organization loses a seasoned analyst, some tribal knowledge is lost with them and they are replaced with an analyst who, even if they possess the same technical skills, will lack this tribal knowledge for at least a period of time. Training new analysts takes time, especially when processes are manual and complex. Documenting security processes is a complex, but critical task for all security teams.
- Security operations are inherently difficult to measure and manage effectively
Unlike other business units which may have more concrete methods for measuring the success or failure of a program, security metrics are often much more abstract and subjective. Traditional approaches to measuring return on investment are often not appropriate for security projects and can lead to inaccurate or misleading results. Properly measuring the effectiveness and efficiency of a security product or program requires a measurement process specially designed to meet these unique requirements.
About DFLabs IncMan SOAR
DFLabs is an award-winning and recognized global leader in Security Orchestration, Automation and Response (SOAR) technology. Its pioneering purpose-built platform, IncMan SOAR, enables SOCs, CSIRTs, and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks. IncMan SOAR drives intelligence-driven command and control of security operations, by orchestrating the full incident response and investigation lifecycle and empowers security analysts, forensic investigators and incident responders to respond to, track, predict and visualize cyber security incidents. As its flagship product, IncMan SOAR has been adopted by Fortune 500 and Global 2000 organizations worldwide.
Schedule a live demo with one of our cyber security specialists here and see DFLabs IncMan SOAR platform in action. For more information on any of these topics, please check out our new whitepaper titled “Security Orchestration, Automation, and Response (SOAR) Technology” here.
Stay tuned for our next blog in this series, where we will discuss the three pillars of SOAR technology.
With a vast range of security technologies, tools and platforms now widely available in the market for security teams, it is ever more complex to decide which tools are best to deploy to suitably defend the organization’s infrastructure.
Within security structures of larger organizations, it is common to have a security information and event management (SIEM) tool in place, alongside or sitting on top of several other systems, but how can it benefit from implementing a Security Orchestration, Automation and Response (SOAR) solution on top of its existing SIEM infrastructure to further manage its security operations and incident response processes and tasks? Let’s find out.
In simple terms, a SIEM collates and analyses the information generated from various sources, identifying issues and raising the initial security alerts. Alert triage is then often carried out by security analysts in a very manual and non-methodical way and subject to mistakes and errors due to the sheer volumes and number of repetitive and mundane actions required, often not being able to fulfill all of them. One of the original core drivers for SIEM technology was to ingest and process large volumes of security events; a function which SIEMs continue to excel at today. However, although some advanced SIEMs have incorporated additional features, such as integration with threat intelligence and other third-party solutions, many SIEMs are still largely focused on data ingestion and presentation.
Another fundamental limitation of many SIEM solutions is that the communication between the SIEM and other third-party products is unidirectional. SIEMs were designed to ingest information, however, support for two-way communication with third-party tools is often limited at best. In most cases, this severely limits a SIEM’s ability to carry out actions beyond the initial alert; this is where a SOAR solution can add significant additional value.
A SOAR solution, on the other hand, is often used in conjunction with a SIEM; however, it is not dependent on having a SIEM in place. A SOAR solution is not intended to be a SIEM replacement. Instead, when used in conjunction with a SIEM, it is intended to help security teams automate and orchestrate actions across their entire portfolio of security products in a bidirectional manner, reducing analyst workload, alert fatigue, time to respond and remediate, and overall risk.
Sitting on top of the SIEM, the SOAR solution would orchestrate and automate multiple third-party tools from different vendors, whereas the SIEM would be used to collate and analyze data and generate the alert, which is just the first step of a multistep process. SOAR technology would then be leveraged once the initial security threat had been detected and the security alert generated by the SIEM.
The amount of security events that cybersecurity professionals deal with on a day to day basis can be overwhelming and analysts often have to delve through a deluge of data to find what they are looking for, ultimately preventing them from tackling incidents more efficiently. SIEM tools collect large amounts of information from different areas of the IT framework, but too much information sometimes is just as crippling as not enough information.
A SIEM used in isolation helps to centralize information gathered from the various other security tools in use, but it can often produce an overwhelming amount of information that then needs to be filtered and correlated to eliminate the false positives and leave only the critical events that need to be acted upon. It can produce a vast quantity of security alerts, leaving security analysts inundated and not knowing which alerts should take priority and be tackled first. This has a negative impact on the security team, which is already considered a scarce resource.
Most security teams do not realize the sheer number of alerts that will be received and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture. There is a common misconception that a SIEM will reduce the number of incoming alerts by applying correlation rules. However, this is not always the case and correlation rules may only reduce a small percentage of the total number of alerts. Most enterprises will see a clear business need for implementing a SOAR solution to help reduce alert fatigue, orchestrate the organization’s different security tools and automate menial tasks.
Integrating a SIEM with a SOAR solution combines the power of each to create a more robust, efficient and responsive security program. Taking advantage of the SIEM’s ability to ingest large volumes of data and generate alerts, the SOAR solution can be layered on top of the SIEM to manage the incident response process to each alert, automating and orchestrating a number of mundane and repetitive tasks that would take many manual man hours to complete.
SOAR solutions such as IncMan from DFLabs support SIEM integrations and present a comprehensive solution for all organizations that are trying to create a successful and affordable security program, by effectively reducing the noise generated by a high number of alerts and sometimes less than reliable threat intelligence. This can ultimately enable security teams to minimize incident resolution time, maximize analyst efficiency and increase the overall number of incidents handled.
The combined power of a SOAR solution working alongside a SIEM is crucial to ensure that alerts do not go untouched or ignored. More importantly, it ensures all alerts are dealt with in a timely manner and are acted upon following a standard set of consistent and repeatable practices and procedures.
A SIEM is a crucial tool within any security infrastructure, amongst other tools. However, it is critical to keep in mind what a SIEM is designed to achieve, and what gaps may still exist within the security program. The combination of a SIEM and a SOAR solution can transform the security operations and incident response capability and take it from one level to the next, in an intelligent and predetermined manner, so why wait? To learn more about the topic, read our new whitepaper “How to Leverage Your Existing SIEM Tool with SOAR Technology”.
The increase in the number and complexity of cybersecurity threats and attacks in the last several years is continuing to heavily influence enterprise security decisions. As well as seeing the growing business need, the significant benefit that Security Orchestration, Automation and Response (SOAR) technology can offer security operations and incident response teams is now truly being realized.
The complexity of cyber attacks has increased the need for organizations to share threat intelligence information within different areas of the business, and today this may even include external stakeholders such as law enforcement or government agencies, to enable them to detect, contain and mitigate the constant and diverse cyber attacks that are occurring. Choosing the right SOAR tool can bring significant added value to an organization’s security operations, not only in terms of full incident lifecycle automation (including triage, notification, context enrichment, hunting and investigation, as well as threat containment), but it can also enable incidents to be detected, responded to and mitigated more efficiently than ever before, ultimately becoming a force multiplier that enables security teams to do more and respond faster, all with fewer resources.
It is key for any security team to ensure the security tools, technologies and platforms they implement are best suited for their infrastructure, workflows, processes, and procedures. Every set up likely varies from organization to organization. So, what questions should you be asking yourself as a security manager or CISO when it comes to selecting the appropriate SOAR solution? It is important to perform research, evaluate the tools and request a proof of concept before you invest in any SOAR tool. Here, we will cover 5 fundamental areas that should be considered as part of the process.
Human Manual Actions or Machine Automated Actions?
Incident response teams are now in constant defense mode as the number of security alerts being generated is hitting an all-time high. In addition to the increasing and advancing threat challenges, many security teams now face a lack of skilled workforce that can efficiently react, investigate and collect the necessary threat intelligence to properly determine the impact of an attack, then contain and remediate it. It is no secret that there is a lack of skilled cybersecurity professionals in the industry, but this fact is also well known by attackers. A skilled analyst will know exactly what information is needed to assess a situation and quickly eliminate the attack by containing and remediating the threat. Humans, even when very skilled, do have limitations on how fast they can react and access, collect, analyze and correlate information to gather proper threat intelligence.
Therefore, it is important to assess your resources and answer key questions including: Are all your alerts being responded to, or are they falling by the wayside? Are analysts overworked and suffering from alert fatigue? Would it be more effective and efficient for them to be working on higher level prioritized tasks, as opposed to basic, mundane, repetitive ones that could potentially be automated? If the answer is yes to any of these questions, then some form of automation would make a significant impact on the operational performance of your security team.
When analyzing a SOAR solution, you should also consider one that enables both human actions and automated machine actions to work hand in hand simultaneously. Dual-action will enable you to automate the menial, repetitive tasks, but also ensure those tasks that need human intervention can also easily be actioned.
Which Existing Software and Solution Integrations Does It Have?
The average security team uses somewhere between 10 to 15 key security tools from third-party security vendors, including tools such as security information and event management (SIEM), intrusion prevention system (IPS), endpoint detection and response (EDR), malware sandboxes and threat intelligence. A SOAR tool should easily integrate with these third-party technologies to provide bi-directional support for a number of different actions to expedite the incident response process. The selected SOAR tool should not only support cybersecurity standards and best practices, but also APIs and interfaces to other tools which would be beneficial. The tool should also support queries into databases to facilitate obtaining enrichment information. Widely used communication methods, such as syslog and email, should be supported as they allow the transmission of data from a large number of third-party tools.
It is crucial to evaluate the security tools currently in use and ensure they are capable of being integrated into the SOAR platform, which will ultimately be used to orchestrate and automate these security tools.
Does it Aid Regulatory Compliance?
SOAR vendors that endeavor to ensure their products and solutions follow industry best practices and standards, such as ISO, NIST, CERT, SOA, COBIT, OWASP, MITRE, OASIS, PCI, HIPAA, offer the best products, factoring these into the planning, architecture, design and build development stages.
Vendors which are able to think ahead of the curve and have the ability to cater for a range of industries and their respective compliance, regulations, and standards across worldwide locations offer the best solutions, as large enterprises need to meet their day to day business needs as well as their security needs. One example is the upcoming General Data Protection Regulation (GDPR), where breach notification is required within 72 hours. Your SOAR solution needs to be able to cater for this need and ensure it can provide a complete and user-friendly incident report as needed for varying levels of stakeholders.
When choosing a SOAR solution, it is important to make a list of all the regulations, standards and best practices that you need to meet and ensure the SOAR provider can address these requirements.
What is the True Cost of the Tool?
The price of a SOAR solution can be a significant consideration. Most SOAR products are charged per number of users per license per year, but you need to ensure there are no extra hidden costs associated, especially for those that are complex and may require professional services to be deployed.
Questions that should be asked include:
– Is the deployment and general day to day use for analysts straightforward?
– Are professional services needed to configure and deploy the solution?
– How long does it take to implement and customize the solution?
– Is basic support included in the price?
– Is additional product support maintenance available?
– Does the vendor provide playbooks and runbooks that can be customized?
One factor that is often overlooked is the price to feature ratio. Remember to evaluate which features will actually be needed versus which would be nice to have or simply won’t be utilized. Select a vendor that can offer affordable tools with no hidden costs and are willing to offer a license and maintenance price that works well for your budget and requirements.
What Product Support
As mentioned above, product support often comes at a price, so it is important to establish what support is included in the base price. Being able to obtain a high level of service and support from the SOAR vendor is an important consideration from the perspective of the success of the rollout, assessing the overall cost and day to day maintenance. Some of the questions that should be asked here are:
– What does the basic support package include?
– What is the cost of extended support?
– When is support available?
– Does the vendor have a significant presence in the region of operation? For example, some SOAR vendors are primarily U.S. based, so if an organization is based in EMEA, Asia or Latin America, they may not provide the level of support required.
Support costs can significantly drive up the cost of deployment and should be assessed in the early stages of the procurement process, as it is important to establish how much can be achieved directly by the security analysts and engineers internally. Security team managers and CISOs ultimately have to measure the increase in performance of security operations and justify the return on investment received.
Overall, deciding whether or not to implement a SOAR solution should come down to the pure facts and figures from analyzing your current security operations performance against a number of KPIs and metrics, and identifying the business need for it. Will it solve your common pain points and challenges, such as a lack of skilled resources, the increasing number of alerts, etc.? In most cases, the answer will be yes!
Weighing up the SOAR solutions out there then becomes the harder challenge. It is worth reviewing Gartner’s approach to SOAR, as well as making a list of requirements that you know must be covered to effectively work within your current and future infrastructure, those that are nice to have and those that are not so important to you. Overall though, the solution needs to be easy to implement, scalable, cost-effective and something that will enhance the overall performance of the security operations, improving the efficiency and effectiveness of the way incidents are managed.
If you would like to see DFLabs’ SOAR solution in action, request a demo of our IncMan SOAR platform today and get your questions answered.