Security Orchestration Fine-Tunes the Incident Response Process

Published: 22/11/2024   Category: security




Emerging orchestration technology can cut labor-intensive tasks for security analysts.



The typical large enterprise has dozens of security products and too few security analysts to handle the manual sifting through the haystack for that deadly needle that could be an actual infiltration or imminent attack. It can take a security analyst anywhere from two to four hours to resolve an incident, according to a recent study by Splunk. By then, an attacker could be burrowed too deep inside to stop the damage.
And then there's the lack of personpower on the security team: new (ISC)2 data projects 1.8 million cybersecurity job vacancies worldwide by 2022, an increase of 20% since 2015.
Enter security orchestration, an emerging technology that integrates various security tools and systems to streamline and better inform the security operation. Orchestration often gets confused or lumped with security automation, which is typically used for a single task or process, according to the Enterprise Strategy Group (ESG).
Because security orchestration is still a relatively new technology and market, there isn't much data yet, but Jon Oltsik, senior principal analyst with ESG, estimates it's somewhere around $100 million to $150 million. According to a recent ESG-DFLabs study, some 90% of organizations plan to deploy automation and orchestration technologies, or have already done so. More than one-third consider orchestration a priority over automation.
"Think of security orchestration as a layer of connective tissue that unites security tools," explains industry veteran Oliver Friedrichs, founder & CEO of Phantom, an orchestration startup.
"So if you have a Palo Alto Networks firewall, EDR [endpoint detection and response] from Carbon Black, and threat intel from FarSight, orchestration allows all those to work together. So if you have a threat that Palo Alto sees, you can query it from FarSight, and block the file on Carbon Black," he says. "Today, that's being done manually."
Manually, that is, by security analysts working the monitors of each of those security systems. It can take hours for security operations center (SOC) staff to spot an incident, and often that's too late to stop exfiltration of data.
The most popular use of security orchestration so far is for relatively simple and monotonous tasks like investigating phishing attacks, as well as for automating the low-level remediation required for things like blocking known malicious command-and-control IP addresses.
Several startups and acquisitions have arrived in the orchestration space over the past couple of years. Phantom, Demisto, DFLabs, Komand, Swimlane, and IBM Resilient are among the vendors in this space, as is FireEye via its Invotas acquisition last year. The newest member of the market is Microsoft, which today announced its plans to buy Hexadite.

"Orchestration technology is a way to bring together existing and next-generation security technologies so they aren't stuck as just stovepipe improvements," notes Ted Julian, vice president of product management at IBM Resilient. "This is the most potentially transformative area in the security realm I've seen in the past 12 years. Everything else is incremental."
ESG's Oltsik says orchestration and automation are both hot topics now in security, with more funding for startups and enterprises starting to kick the tires.
"The reason is that CISOs realize that they are just so resource-constrained, and they can't hire their way out of this. If they know what they are doing and need help, they will find some type of intelligence – machine learning or automation and orchestration, or outsource," he says. "Orchestration and automation are so attractive because security people don't like to give up control. This is basically a helper app … It makes sense this is the first thing to do."
How it Works
Security analysts typically manually pull and then cut-and-paste intelligence and information from their various security tools. Orchestration pulls that intel for them, which lets security experts streamline and automate some of the more mundane tasks and have more time for the more involved and serious incidents, experts say.
Jerry Dixon, CISO at security firm CrowdStrike and former US-CERT official, says the technology lets you set up a playbook, or a more automated and integrated process, for handling incidents. "It quickly brings data to the analyst to triage and determine if there's something they need to worry about or not," he says.
Custom Python scripts are the usual fare for streamlining or automating things in a SOC, he says. "The problem with that is when someone moves on to another company you're stuck trying to make all this stuff work. The nice thing about orchestration tools … is it allows you to leverage that expertise and set up playbooks," Dixon says.
The shortage and retention of security staff is one of the big drivers behind orchestration. Sandro Bucchianeri, a veteran CISO for a global financial services firm, says he's looking at using orchestration, automation, and machine learning to give his already resource-strapped security team some breathing room.
The firm sees millions of alerts. "Getting these guys to focus on alerts is a massive waste of time because they have to manually do it and vet everything that comes through, which sometimes leaves some alerts on the cutting floor."
Finding and then retaining security people is one of his biggest challenges, he says. "The biggest problem is retaining that talent after finding and training them," he says. "The next company comes along and offers them $10,000 to $20,000 more, and all that training and legacy knowledge goes [out the door] with it," he says.
Bucchianeri says these issues have driven his firm, the name of which he asked not be published, to start contemplating orchestration for phishing response, reducing false positives, and automated reporting. "Phishing is the single biggest thing we face, [including] whaling attacks for our execs," he says.
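The detect-enrich-block flow Friedrichs describes, written up as a small playbook runner. This is an added example, not code from the article or from any of the vendors named; the threat-intel table and the EDR "connector" are constructed in-memory stand-ins, not the FarSight or Carbon Black APIs, and the approval gate reflects the article's point that analysts want to keep control over remediation.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a threat-intel lookup (not a real feed).
THREAT_INTEL = {"evil.example": "malicious", "cdn.example": "benign"}


@dataclass
class Alert:
    """A firewall alert as the playbook receives it (constructed shape)."""
    src_ip: str
    domain: str
    file_hash: str


@dataclass
class PlaybookResult:
    verdict: str
    actions: list = field(default_factory=list)   # taken automatically
    pending: list = field(default_factory=list)   # queued for the analyst
    log: list = field(default_factory=list)       # audit trail for review


def enrich(domain: str) -> str:
    """Enrichment step: ask the (constructed) intel source about the domain."""
    return THREAT_INTEL.get(domain, "unknown")


def run_phishing_playbook(alert: Alert, auto_block: bool = False) -> PlaybookResult:
    """Triage -> enrich -> remediate. The EDR block runs on its own only when
    intel says 'malicious' AND the operator enabled auto_block; otherwise the
    action is queued so a human approves high-impact changes."""
    result = PlaybookResult(verdict="unknown")
    result.log.append(f"firewall alert: {alert.src_ip} -> {alert.domain}")
    result.verdict = enrich(alert.domain)
    result.log.append(f"intel verdict for {alert.domain}: {result.verdict}")
    if result.verdict == "benign":
        result.log.append("closed as false positive; no analyst time spent")
        return result
    if result.verdict == "unknown":
        result.pending.append(("analyst_review", alert.domain))
        return result
    # Malicious: block the file hash via the (constructed) EDR connector.
    action = ("edr_block_hash", alert.file_hash)
    if auto_block:
        result.actions.append(action)
        result.log.append(f"blocked hash {alert.file_hash} on EDR")
    else:
        result.pending.append(action)
        result.log.append("block queued for analyst approval")
    return result
```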
On the business side, security orchestration inherently provides tangible data on time and cost savings that then can be used to justify security budget or purchases, Bucchianeri and other security experts say.
"We know what an analyst costs us," he says. "If security orchestration can save four hours of labor a day, that's a quantifiable piece of information that translates to upper management," he notes.
IBM's Julian echoes that. "Having a conversation grounded in business terms puts you in a better position to advocate for what you want to do," Julian says.
How to Orchestrate
Before installing orchestration software or services, be sure the process you're orchestrating is well understood, notes IBM Resilient's Julian. "We think everyone should start with orchestration if only to validate a process," he says. "It gets the organization a consistent, repeatable process in place."
The danger of deploying orchestration without proper planning and preparation is that you could merely automate a lousy process rather than improve and streamline one. "It doesn't make sense to orchestrate a bad process. That's one of the things that holds up or slows people down from rolling out orchestration," Oltsik warns.
As with many security operations, people and process also need to be considered and synced. Gary Ruiz, senior manager of cybersecurity at Rackspace, says it's important to communicate and work closely with security analysts when setting up orchestration operations.
"Everybody is used to doing this manually, so training security teams and reassuring them that this will help and not necessarily replace them can be challenging," says Ruiz, whose company is test-driving Phantom's orchestration system for phishing attack response.