Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/15/2017
10:30 AM
Dario Forte
Dario Forte
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Security Orchestration & Automation: Parsing the Options

Once you head down the path of orchestration, security teams will need to decide how much automation they are ready for. Here's how.

Security orchestration is a buzz topic surrounded by a lot of confusion around how to orchestrate, especially when it comes to the role of automation — two terms thrown around interchangeably.

Why is orchestration such a big deal? There are several reasons: The security industry has moved beyond a pure preventative approach. The attack surface is too large, and the threat landscape is evolving too rapidly and growing in complexity and sophistication. Add to that the human element — 43% of data breaches utilize phishing according to Verizon's Data Breach Report 2017 — and it becomes clear that trying to prevent every attack is like playing whack-a-mole.

The new paradigm is detect and respond, which means you must assume that you are already breached. This does not mean that prevention is dead. Rather, combining prevention, detection, and response reduces the time from breach discovery to containment. Prevent what you can; detect and respond to what remains.

Using orchestration, organizations can control and optimize the processes involved in detection and response. For example:

Triage: Orchestration can help evaluate and qualify an incident. Detection technologies are noisy and produce large volumes of alerts and false positives that result in "alert fatigue." You cannot maintain a continuous state of alertness when everything around you is persistently crying wolf.

Correlation & Context: Even if you can identify the alerts that constitute a real threat, you need orchestration to correlate the context from operations. Is the affected asset mission critical, does it store critical data, and does it provide critical access that can be used by an attacker to gain a firmer foothold in your environment?

Process: Incident response is not a one-way event that stops after containment; it is a continuous process that must be orchestrated until the last foothold of the attacker is removed. Even then, the next wave of attack may still come.

Containment: Speed is critical. Ransomware, for instance, does not allow a large window of opportunity, and once that data is encrypted, you will be doing disaster recovery, not incident response. Likewise, if data exfiltration is detected, you need to act now. Any delay means that the threat actor already has taken your intellectual property or customer data. Without orchestration, incident response turns into crisis management.

Next Step: Automation?
Once you head down the path of orchestration, you will then need to decide how much automation you are ready for. While automation is frequently touted as a silver bullet, to successfully orchestrate security operations for detection and incident response, automation introduces a whole new set of organizational challenges. These three security operational phases can help you identify where you are on the orchestration process maturity curve, and guide you to knowing when and how to incorporate automation:

Phase 1: The Playbook. Playbooks outline the steps to successfully respond to an incident, including incident qualification, triage, investigation, containment, notification, and post-hoc analysis. This process is often manual, and maintained via spreadsheets or Microsoft Word documents. If you experience a few incidents a month this will be sufficient. However, if there is a sudden change in circumstances that increases the occurrence of attacks and incidents, a traditional playbook is not scalable for automation.

Phase 2: Tools and Architecture. If your organization has a higher volume of incidents or is maturing its capabilities, a viable option for assessing orchestration capabilities can be found in existing security information and event management tools. SIEMs offer lightweight workflow and automation orchestration capabilities, but they do not necessarily provide the capability to create and maintain flexible and granular playbooks. They do offer a basic workflow to respond to a low volume of incidents. If this is all that you can afford, it is a better option than a completely manual process.

Phase 3: Automation. At the high end of the maturity curve, orchestration can be combined with automation. Automation is a challenging topic because it helps the security team to assess the impact of a threat, but not the impact on the production environment. In addition, automation must be conducted selectively. Tasks such as notifying stakeholders, assigning incidents and enriching data with context can be automated safely and act as a force multiplier and speed up response. But the actual containment of a data breach will frequently require a human in the loop. Bottom line: you can automate the action, but not the decision.

Gartner predicts that by 2019, 30% of large and medium enterprises will be deploying some form of security automation and orchestration capabilities. The question for security teams today is: Where is my organization in the orchestration/automation maturity curve now, and what capabilities will I need in the near future?

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) and, as CFE, CISM and CGEIT, he has an MBA from ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kevinluther111
50%
50%
kevinluther111,
User Rank: Apprentice
9/16/2017 | 1:00:06 AM
good
Your blog inspires me every time when I read it. I love reading blogs. I don't excite always by reading blog posts. But in your blog I find something that implies in blogging. Anyway, you're unquestionably a great blogger and you have a skill to make your reader to keep reading your blog again and again. Keep up the magnificent work. Continue moving the people!
Visit : custom essay writing service
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29565
PUBLISHED: 2020-12-04
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the...
CVE-2020-5675
PUBLISHED: 2020-12-04
Out-of-bounds read issue in GT21 model of GOT2000 series (GT2107-WTBD all versions, GT2107-WTSD all versions, GT2104-RTBD all versions, GT2104-PMBD all versions, and GT2103-PMBD all versions), GS21 model of GOT series (GS2110-WTBD all versions and GS2107-WTBD all versions), and Tension Controller LE...
CVE-2020-29562
PUBLISHED: 2020-12-04
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2020-28916
PUBLISHED: 2020-12-04
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29561
PUBLISHED: 2020-12-04
An issue was discovered in SonicBOOM riscv-boom 3.0.0. For LR, it does not avoid acquiring a reservation in the case where a load translates successfully but still generates an exception.