What is Security Automation and Orchestration?
As anybody who’s ever configured and monitored a firewall, set up a SIEM programme or spent about 15 seconds in a SOC (Security Operations Centre) will tell you, modern security software generates a LOT of alerts and notifications.
The human analysts you inevitably have monitoring these systems just cannot mathematically or feasibly deal with each one of these alerts as and when they come in, in a methodical and detective-like manner. This is a phenomenon known as alert fatigue.
After a while – you just stop seeing the little details – and this inevitably leads to missing indicators of compromise, and by extension intrusions. An April 2017 study showed when security teams were queried about contending with threat alerts, 79% said they were overwhelmed by the volume.
A human being just is not capable of synthesising the bigger picture out of raw data streams, especially at the level they are produced by modern security solutions. So, what is an enterprise looking to keep their data secure meant to do?
The answer does not lie in just simply hiring more analysts – it lies in organising, streamlining and focusing the outputs of the various security solutions you have, to aid your analysts in doing the job you hired them to do: detect, triage, analyse, prioritise. This is the essence of security orchestration.
How do I start with Security Orchestration?
If you are familiar with multiple security tools firing the constant streams of alerts at your analysts, with no repeatable responses to perform against that data – it is important to review and implement strong processes for them to follow. Once you have control of all your data sources and actionable processes in place – you’re ready to start looking at implementing security orchestration.
Security orchestration advances an organisations ability to respond by co-ordinating the data collection from your security tools e.g. (Firewalls, SIEM, EDR) along with the manual tasks previously set out for your security team, providing a streamlined and more importantly automatable workflow.
Security orchestration encompasses the combination of people, processes and the technology toolset your organisation has at its disposal, in order to improve your ability to react and respond to security threats. However, while this will deliver efficiencies, it this does not on its own solve the problem of alert fatigue.
Transformation and innovation projects will drive increases in levels of data information and will likely (going forward) far outstrip the ability of your team to keep track of each alert to a sustainable level. Hiring a growing team of analysts will help, but you’ll run into the same problem.
Automation comes to the rescue here by automatically performing a lot of repetitive, low-level tasks to free up time and let analysts…analyse!
It is extremely unlikely that most companies have the resources or the skill set to build an in-house security orchestration and automation solution – but thankfully we have automation platforms designed to specifically to orchestrate and automate the ever-increasing events.
Read more about how Exabeam tackles Security Orchestration and Automation (SOAR) here.
At what point do I need to look at investing in security orchestration/automation?
So, let’s say you’re a large organisation that has a small in-house security team, with various technologies monitoring the network perimeter, and an IPS and SIEM solution monitoring the internal network. At this point, they are just about keeping up with the level of alerts. Time-to-resolution is within acceptable bounds – do you need to look at security orchestration and automation?
What about when the business grows – and we start to see inbound traffic increase dramatically? Workloads increase beyond your small team’s ability to catch up, and you don’t have the budget to hire additional analysts – or you do have the budgets, but can’t attract the right calibre of person? Time-to-resolution starts to grow to problematic levels – do you require SOAR now?
The answer in both situations is yes – it would benefit a company that needs to somehow make their small team able to do more work because of the cyber skills gap or lack of budgets. But it would also massively help a company that is managing just fine now, as it would open the door for immense gains in efficiency within the team and potentially free up valuable security budget for other functions.
Chances are that your business falls somewhere between these two examples – and chances are that looking into security orchestration and automation will help make your business more efficient in dealing with threats – and ultimately more secure as a result.
If your company has:
- A team of Security Engineers or Analysts
- Multitude of Security tools generating alerts
- Processes in place for managing alerts, triaging and remediating them
- Struggling to solve for the skills gap, or just doesn’t have the hiring capacity spare
- Analysts are experiencing alert fatigue and signs of exhaustion/burnout
- Time-to-resolution is growing, not dropping;
Then it is a fantastic time to investigate how security orchestration and automation could assist you in spending security budgets more intelligently, help your organisation to be more secure, and provide more time for your security teams to concentrate on the things that matter.
Gains in Human, not just Financial Capital
At this point, you’ve got the idea. Solutions like the ones we’ve been discussing make the job of managing your organisation’s security posture a lot simpler, and free up valuable security budget for other projects or purposes. But there is an additional, less tangible benefit to investing into orchestration and automation – the human factor.
If we are considerate to the increased alert strain and look to free them from repetitive, low-value work – your security analysts gain something far more advantageous in return – time and energy. You can pivot your analysts and engineers to doing more vital investigative work and research to make your security efforts that much more effective, when they’re not wasting time on basic tasks that could really be automated, but without reducing your security posture.
It allows your teams to strengthen their ability to spot patterns and indicators of compromise, and do it faster, with less mundane tasks clogging their workflow. With more time spent actually doing their jobs, team confidence and satisfaction will surely grow, also. Everyone wins, if it’s done right!