It is always interesting to attend a CISO roundtable. Cybersecurity discussions provide the opportunity to learn, experience thought-provoking scenarios and share our problems and triumphs. I recently attended a roundtable that focused on security automation and orchestration. When the question of the difference between the two was posed, no one could provide a concrete answer. The best answer that anyone could offer was that "orchestration" is just a fancier synonym for "automation." Both terms are currently being used quite a bit and almost interchangeably, but they are not synonyms.
To learn more about how most people are defining the terms "security orchestration," "security workflow" and "security automation" in the real world, I decided to conduct a bit of research. I made a lot of phone calls and sent many emails to colleagues, prospects and customers asking them to interpret the terms. I also read everything I could find on the subject. Here is what the research revealed.
- Among the prospects and customers, no one could see any clear difference. Although they all understood the value that security products are supposed to deliver, the ill-defined buzzwords and the crowded market have combined to generate a great deal of confusion.
- Customers' wishes and requirements vary, but many of those requirements are the same ones that have come up before.
Requirement: Process Workflow
Customers expressed a desire for order when problems needed to be solved. By order, they meant predictable, repeatable and consistent results. They want a system that allows them to see their processes documented as well as tracked, but this is more about playbooks than integration with security tools.
Automation includes both task automation and playbook automation. Task automation is primarily about managing alerts, especially responding to false alarms and routine tasks. Playbook automation concerns dealing with alerts in a logical sequence through task automation. For example, in a phishing attack, triage might include performing a reputation check on the IP across the different feeds or hunting for malicious IPs throughout the environment.
Thus far in this post, the discussion has been focused on workflow and automation. When these steps are woven into a solution that includes human analysts, you have security orchestration. Unfortunately, few vendors have been able to offer a solution that will encompass enough of the SOC's duties to qualify as orchestration.
Security automation involves four crucial steps. Assume you are conducting a ransomware investigation resulting from a malware alert or an employee's notification. The steps would be as follows.
- Automate the enrichment concerning the user reporting the issue or the compromised system by using asset databases, Active Directory and similar sources. The automated tasks may include searching for bad attachments, bad URLs and/or bad IPs. If these searches are negative, the user might receive an email response, the ticket would be updated and the incident closed. If the searches are positive, the incident severity would be elevated, the user would be notified and an analyst would review the incident and conduct an appropriate investigation.
- Take action based on the analyst's investigation. The analyst might arrive at a quick resolution or need to consult with others. Once the analyst has made a decision, the task can be marked as complete or referred to another analyst for additional action.
- Automated collaboration allows assigning a task to another analyst and setting the due date. The playbook continues once that is completed.
- Playbook automation resumes, starting the series of tasks that will contain the incident or perhaps retrieve more data.
The second and third steps may be repeated several times. The key point to remember is that human tasks are interwoven with the automated ones so that all actions work together seamlessly. When human intervention is combined with automated tasks, playbooks with complex logic, and the ability to manage and track the tasks assigned to analysts, the result is security orchestration.
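To make the distinction concrete, here is an added illustration (not code from the original post or from any vendor product) of the four steps above, plus the indicator-search triage mentioned in the phishing example, as a toy playbook runner. The asset database, directory entries, threat-intelligence indicators, dates and analyst decisions are all constructed stand-ins for the integrations a real platform would query; the point is the control flow, in which automated enrichment and containment pause on human tasks and resume once an analyst has acted.

```python
"""Toy playbook runner for the four steps described in the post:
enrich -> analyst decision -> collaboration -> containment.
Added example; all data sources below are constructed, not real feeds."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-ins for an asset database, a directory service and a
# threat-intelligence feed. A real deployment would reach these via integrations.
TODAY = date(2024, 1, 15)                     # fixed so due dates are deterministic
ASSET_DB = {"WS-1042": {"owner": "jdoe", "criticality": "high"}}
DIRECTORY = {"jdoe": {"dept": "Finance", "manager": "asmith"}}
BAD_INDICATORS = {
    "ip": {"198.51.100.23"},                  # RFC 5737 documentation address, constructed
    "url": {"http://example.invalid/pay"},
    "hash": {"deadbeef-placeholder-hash"},    # placeholder, not a real sample hash
}


@dataclass
class Incident:
    reporter: str
    host: str
    observed: dict                            # indicator type -> values seen in the report
    severity: str = "low"
    status: str = "open"
    context: dict = field(default_factory=dict)
    tasks: list = field(default_factory=list)  # human tasks the playbook is waiting on
    log: list = field(default_factory=list)    # audit trail of automated and human actions


def enrich(inc: Incident) -> bool:
    """Step 1: automated enrichment and indicator search. Returns True if escalated."""
    inc.context["asset"] = ASSET_DB.get(inc.host, {})
    inc.context["user"] = DIRECTORY.get(inc.reporter, {})
    hits = {kind: sorted(set(vals) & BAD_INDICATORS.get(kind, set()))
            for kind, vals in inc.observed.items()}
    inc.context["hits"] = {k: v for k, v in hits.items() if v}
    if not inc.context["hits"]:
        inc.status = "closed"
        inc.log.append(f"auto: emailed {inc.reporter}, no malicious indicators, ticket closed")
        return False
    inc.severity = "high"
    inc.log.append(f"auto: notified {inc.reporter}, severity raised to high")
    inc.tasks.append({"type": "analyst_review", "assignee": "analyst-on-duty", "due": TODAY})
    return True


def assign(inc: Incident, task_type: str, assignee: str, days: int) -> None:
    """Step 3: automated collaboration, hand a task to another analyst with a due date."""
    due = TODAY + timedelta(days=days)
    inc.tasks.append({"type": task_type, "assignee": assignee, "due": due})
    inc.log.append(f"auto: assigned '{task_type}' to {assignee}, due {due}")


def contain(inc: Incident) -> None:
    """Step 4: playbook automation resumes with containment derived from the hits."""
    for ip in inc.context["hits"].get("ip", []):
        inc.log.append(f"auto: blocked {ip} at the perimeter")
    if inc.context["hits"].get("hash"):
        inc.log.append(f"auto: isolated host {inc.host} from the network")
    inc.status = "contained"


def run_playbook(inc: Incident, decisions) -> Incident:
    """Drive one incident through all four steps.

    `decisions` is an iterator of analyst inputs (constructed in demo()); the
    playbook pauses on each human task and consumes one decision, which is the
    interleaving of human and automated work the post calls orchestration."""
    if not enrich(inc):
        return inc                            # benign: fully automated, nobody paged
    while inc.tasks:                          # steps 2 and 3 may repeat
        task = inc.tasks.pop(0)
        decision = next(decisions)            # wait for the human
        inc.log.append(f"{task['assignee']} on '{task['type']}': {decision['action']}")
        if decision["action"] == "refer":
            assign(inc, decision["task"], decision["to"], decision.get("days", 1))
        elif decision["action"] == "resolve":
            break
        else:
            raise ValueError(f"unknown analyst action {decision['action']!r}")
    contain(inc)
    return inc


def demo() -> tuple:
    """Run one benign and one malicious constructed report; returns both incidents."""
    benign = Incident("jdoe", "WS-1042", {"ip": ["203.0.113.5"], "url": ["http://example.com/"]})
    run_playbook(benign, iter([]))            # never needs an analyst
    malicious = Incident("jdoe", "WS-1042",
                         {"ip": ["198.51.100.23"], "hash": ["deadbeef-placeholder-hash"]})
    run_playbook(malicious, iter([
        {"action": "refer", "task": "memory_capture", "to": "forensics", "days": 2},
        {"action": "resolve"},
    ]))
    return benign, malicious


if __name__ == "__main__":
    for inc in demo():
        print(inc.status, inc.severity, *inc.log, sep="\n  ")
```

Running it shows the two branches: the benign report is closed without anyone being paged (task automation), while the malicious one is escalated, waits on the on-duty analyst, is handed to a forensics analyst with a due date, and only then resumes automated containment. Swapping the constructed dictionaries for real integrations is what turns this shape into the orchestration the post describes.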
Make Music with Demisto
Demisto offers the first comprehensive platform to integrate true security orchestration and threat intelligence. Automated playbooks, real-time threat management and extensive incident management are just some of the capabilities provided. Bi-directional integrations, evidentiary support, collaborative chat rooms and automated documentation help you streamline your operations, allowing you to keep your organization more secure with less effort. Contact us today to learn more.