6/8/2017 07:40 PM
Security Orchestration Fine-Tunes the Incident Response Process

Emerging orchestration technology can cut labor-intensive tasks for security analysts.

The typical large enterprise has dozens of security products and too few security analysts to manually sift through the haystack for the deadly needle that could be an actual infiltration or imminent attack. It can take a security analyst anywhere from two to four hours to resolve an incident, according to a recent study by Splunk. By then, an attacker could be burrowed too deep inside to stop the damage.

And then there's the lack of personpower on the security team: new (ISC)2 data projects 1.8 million cybersecurity job vacancies worldwide by 2022, an increase of 20% since 2015.

Enter security orchestration, an emerging technology that integrates various security tools and systems to streamline and better inform the security operation. Orchestration often gets confused or lumped in with security automation, which is typically used for a single task or process, according to the Enterprise Strategy Group (ESG).

Because security orchestration is still a relatively new technology and market, there isn't much data yet, but Jon Oltsik, senior principal analyst with ESG, estimates the market at somewhere around $100 million to $150 million. According to a recent ESG-DFLabs study, some 90% of organizations plan to deploy automation and orchestration technologies, or have already done so. More than one-third consider orchestration a priority over automation.

Think of security orchestration as "a layer of connective tissue" that unites security tools, explains industry veteran Oliver Friedrichs, founder & CEO of Phantom, an orchestration startup.

"So if you have a Palo Alto Networks firewall, EDR [endpoint detection and response] from Carbon Black, and threat intel from FarSight, orchestration allows all those to work together. So if you have a threat that Palo Alto sees, you can query it from FarSight, and block the file on Carbon Black," he says. "Today, that's being done manually."

Manually, that is, by security analysts working the consoles of each of those security systems. It can take hours for security operations center (SOC) staff to spot an incident, and often that's too late to stop exfiltration of data.

The most popular use of security orchestration so far is for relatively simple and monotonous tasks like investigating phishing attacks, as well as for automating the low-level remediation required for things like blocking known malicious command-and-control IP addresses.

Several startups and acquisitions have arrived in the orchestration space over the past couple of years. Phantom, Demisto, DFLabs, Komand, Swimlane, and IBM Resilient are among the vendors in this space, as is FireEye via its Invotas acquisition last year. The newest member of the market is Microsoft, which today announced its plans to buy Hexadite.

Orchestration technology is a way to bring together existing and "next-generation" security technologies so they aren't stuck as just stovepipe improvements, notes Ted Julian, vice president of product management at IBM Resilient. "This is the most potentially transformative area in the security realm I've seen in the past 12 years. Everything else is incremental."

ESG's Oltsik says orchestration and automation are both hot topics now in security with more funding for startups and enterprises starting to "kick the tires."

"The reason is that CISOs realize that they are just so resource-constrained, and they can't hire their way out of this. If they know what they are doing and need help, they will find some type of intelligence – machine learning or automation and orchestration, or outsource," he says. "Orchestration and automation are so attractive because security people don't like to give up control. This is basically a helper app … It makes sense this is the first thing to do."

How it Works

Security analysts typically manually pull and then cut-and-paste intelligence and information from their various security tools. Orchestration pulls that intel for them, which lets security experts streamline and automate some of the more mundane tasks and have more time for the more involved and serious incidents, experts say.

Jerry Dixon, CISO at security firm CrowdStrike and former US-CERT official, says the technology lets you set up a playbook or more automated and integrated process for handling incidents. "It quickly brings data to the analyst to triage and determine if there's something they need to worry about or not," he says.

Custom Python scripts are the usual fare for streamlining or automating things in a SOC, he says. "The problem with that is when someone moves on to another company you're stuck trying to make all this stuff work. The nice thing about orchestration tools … is it allows you to leverage that expertise and set up playbooks," Dixon says.
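As an added illustration (not code from the article or from any vendor it names), here is a minimal playbook runner in the style Dixon describes: a case is enriched from a threat-intel lookup, blocked automatically on the firewall and EDR only above a confidence threshold, and otherwise queued for an analyst. The connector functions, the threshold, and every indicator value are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
# Constructed threat-intel lookup: indicator -> (verdict, confidence 0-100).
THREAT_INTEL = {
    "198.51.100.23": ("malicious", 95),   # documentation-range IP, constructed
    "203.0.113.9": ("suspicious", 40),
}
AUTO_BLOCK_CONFIDENCE = 90  # below this a human decides (assumed policy)

@dataclass
class Alert:
    source: str     # tool that raised it, e.g. "firewall"
    indicator: str  # IP address or file hash
    host: str       # endpoint involved

@dataclass
class Case:
    alert: Alert
    findings: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

# Connector stubs; a real platform wraps each vendor API behind the same shape.
def enrich(case: Case) -> None:
    verdict, conf = THREAT_INTEL.get(case.alert.indicator, ("unknown", 0))
    case.findings.update(verdict=verdict, confidence=conf)

def block_firewall(case: Case) -> None:
    case.actions.append(f"firewall.block({case.alert.indicator})")

def block_edr(case: Case) -> None:
    case.actions.append(f"edr.block({case.alert.indicator}) on {case.alert.host}")

def escalate(case: Case) -> None:
    case.actions.append("analyst.review")  # keep the human in control

def confirmed_malicious(case: Case) -> bool:
    return (case.findings.get("verdict") == "malicious"
            and case.findings.get("confidence", 0) >= AUTO_BLOCK_CONFIDENCE)

# The playbook is data, not an ad hoc script: (gate, step) pairs run in order.
PLAYBOOK = [
    (lambda c: True, enrich),
    (confirmed_malicious, block_firewall),
    (confirmed_malicious, block_edr),
    (lambda c: not confirmed_malicious(c), escalate),
]

def run_playbook(alert: Alert) -> Case:
    case = Case(alert)
    for gate, step in PLAYBOOK:
        if gate(case):
            step(case)
    return case
```

Because the playbook is an ordered list of gated steps, swapping a connector or tightening the threshold is a data change rather than a rewrite of someone's departed-colleague script.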

Shortages and retention of security staff are among the big drivers behind orchestration. Sandro Bucchianeri, a veteran CISO for a global financial services firm, says he's looking at using orchestration, automation, and machine learning to give his already resource-strapped security team some breathing room.

The firm sees millions of alerts. "Getting these guys to focus on alerts is a massive waste of time because they have to manually do it and vet everything that comes through," which sometimes leaves some alerts on the cutting-room floor.

Finding and then retaining security people is one of his biggest challenges, he says. "The biggest problem is retaining that talent" after finding and training them, he says. "The next company comes along and offers them $10,000 to $20,000 more, and all that training and legacy knowledge goes [out the door] with it," he says.

Bucchianeri says these issues have driven his firm, the name of which he asked not to be published, to start contemplating orchestration for phishing response, reducing false positives, and automated reporting. "Phishing is the single biggest thing we face, [including] whaling attacks for our execs," he says.

On the business side, security orchestration inherently provides tangible data on time and cost savings that then can be used to justify security budget or purchases, Bucchianeri and other security experts say.

"We know what an analyst costs us," he says. If security orchestration can save four hours of labor a day, that's a quantifiable piece of information that translates to upper management, he notes.

IBM's Julian echoes that. "Having a conversation grounded in business terms puts you in a better position to advocate for what you want to do," Julian says.

How to Orchestrate

Before installing orchestration software or services, be sure the process you're orchestrating is well understood, notes IBM Resilient's Julian. "We think everyone should start with orchestration if only to validate a process," he says. It puts a consistent, repeatable process in place for the organization.

The danger of deploying orchestration without proper planning and preparation is that you could merely automate a lousy process rather than improve and streamline one. "It doesn't make sense to orchestrate a bad process. That's one of the things that holds up or slows people down" from rolling out orchestration, Oltsik warns.

As with many security operations, people and process also need to be considered and kept in sync. Gary Ruiz, senior manager of cybersecurity at Rackspace, says it's important to communicate and work closely with security analysts when setting up orchestration operations.

"Everybody is used to doing this manually," so training security teams and reassuring them that this will help and not necessarily replace them can be challenging, says Ruiz, whose company is test-driving Phantom's orchestration system for phishing attack response.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Christian Bryant, User Rank: Ninja
6/12/2017 | 11:56:38 AM
Re: OpenC2 is a rather glaring omission from this article
The OASIS TC Inaugural Meeting will be an important step in seeing OpenC2 move forward and appear in more articles like those found here on DR. As a longtime FOSS user and occasional developer, the potential for OpenC2 appears solid. I think when more projects start appearing with POC setups that include pentesting kits like BackBox on one end, and OpenC2 with various security tools on the other, we can really start pointing to OpenC2 as the future of security automation management.

The problem I have with massive commercial systems is the lack of availability to lab testers and FOSS developers to really put them to task and see what they can do. Too many of these expensive "Enterprise" systems come at such expense and require massive resources to properly deploy; not to mention the amount of time needed to even see results that might reflect well on what the product offers. OpenC2 represents hope to move in the other direction.

Appreciate you dropping this reference. And, I was checking out CybOX before it integrated with STIX, and that's how I first heard about OpenC2 when papers started popping up talking about CybOX and STIX in relation to OpenC2. Anyone with awareness of this whole body of code should be looking at OpenC2 closely over the next year...

treyka, User Rank: Apprentice
6/12/2017 | 9:19:32 AM
OpenC2 is a rather glaring omission from this article
While a well-written article, the failure to mention the work of the OpenC2 consortium developing a vendor-neutral standard for the mitigating actions and playbooks that drive security orchestration was surely an oversight.

The OpenC2 work represents a long-standing collaboration by a large number of vendors, enterprises, government agencies, and academic institutions. This effort has reached a sufficient level of maturity that the consortium recently moved their work into an OASIS technical committee in order to promulgate an official open standard to accelerate security automation in an interoperable fashion.

Because DarkReading's comment system doesn't allow URLs in comments, herewith useful references:

* openc2[dot]org

* www[dot]oasis-open[dot]org/apps/org/workgroup/openc2/#overview