Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/15/2017
10:30 AM
Dario Forte
Dario Forte
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Security Orchestration & Automation: Parsing the Options

Once you head down the path of orchestration, security teams will need to decide how much automation they are ready for. Here's how.

Security orchestration is a buzz topic surrounded by a lot of confusion around how to orchestrate, especially when it comes to the role of automation — two terms thrown around interchangeably.

Why is orchestration such a big deal? There are several reasons: The security industry has moved beyond a pure preventative approach. The attack surface is too large, and the threat landscape is evolving too rapidly and growing in complexity and sophistication. Add to that the human element — 43% of data breaches utilize phishing according to Verizon's Data Breach Report 2017 — and it becomes clear that trying to prevent every attack is like playing whack-a-mole.

The new paradigm is detect and respond, which means you must assume that you are already breached. This does not mean that prevention is dead. Rather, combining prevention, detection, and response reduces the time from breach discovery to containment. Prevent what you can; detect and respond to what remains.

Using orchestration, organizations can control and optimize the processes involved in detection and response. For example:

Triage: Orchestration can help evaluate and qualify an incident. Detection technologies are noisy and produce large volumes of alerts and false positives that result in "alert fatigue." You cannot maintain a continuous state of alertness when everything around you is persistently crying wolf.

Correlation & Context: Even if you can identify the alerts that constitute a real threat, you need orchestration to correlate the context from operations. Is the affected asset mission critical, does it store critical data, and does it provide critical access that can be used by an attacker to gain a firmer foothold in your environment?

Process: Incident response is not a one-way event that stops after containment; it is a continuous process that must be orchestrated until the last foothold of the attacker is removed. Even then, the next wave of attack may still come.

Containment: Speed is critical. Ransomware, for instance, does not allow a large window of opportunity, and once that data is encrypted, you will be doing disaster recovery, not incident response. Likewise, if data exfiltration is detected, you need to act now. Any delay means that the threat actor already has taken your intellectual property or customer data. Without orchestration, incident response turns into crisis management.

Next Step: Automation?
Once you head down the path of orchestration, you will then need to decide how much automation you are ready for. While automation is frequently touted as a silver bullet, to successfully orchestrate security operations for detection and incident response, automation introduces a whole new set of organizational challenges. These three security operational phases can help you identify where you are on the orchestration process maturity curve, and guide you to knowing when and how to incorporate automation:

Phase 1: The Playbook. Playbooks outline the steps to successfully respond to an incident, including incident qualification, triage, investigation, containment, notification, and post-hoc analysis. This process is often manual, and maintained via spreadsheets or Microsoft Word documents. If you experience a few incidents a month this will be sufficient. However, if there is a sudden change in circumstances that increases the occurrence of attacks and incidents, a traditional playbook is not scalable for automation.

Phase 2: Tools and Architecture. If your organization has a higher volume of incidents or is maturing its capabilities, a viable option for assessing orchestration capabilities can be found in existing security information and event management tools. SIEMs offer lightweight workflow and automation orchestration capabilities, but they do not necessarily provide the capability to create and maintain flexible and granular playbooks. They do offer a basic workflow to respond to a low volume of incidents. If this is all that you can afford, it is a better option than a completely manual process.

Phase 3: Automation. At the high end of the maturity curve, orchestration can be combined with automation. Automation is a challenging topic because it helps the security team to assess the impact of a threat, but not the impact on the production environment. In addition, automation must be conducted selectively. Tasks such as notifying stakeholders, assigning incidents and enriching data with context can be automated safely and act as a force multiplier and speed up response. But the actual containment of a data breach will frequently require a human in the loop. Bottom line: you can automate the action, but not the decision.

Gartner predicts that by 2019, 30% of large and medium enterprises will be deploying some form of security automation and orchestration capabilities. The question for security teams today is: Where is my organization in the orchestration/automation maturity curve now, and what capabilities will I need in the near future?

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) and, as CFE, CISM and CGEIT, he has an MBA from ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kevinluther111
50%
50%
kevinluther111,
User Rank: Apprentice
9/16/2017 | 1:00:06 AM
good
Your blog inspires me every time when I read it. I love reading blogs. I don't excite always by reading blog posts. But in your blog I find something that implies in blogging. Anyway, you're unquestionably a great blogger and you have a skill to make your reader to keep reading your blog again and again. Keep up the magnificent work. Continue moving the people!
Visit : custom essay writing service
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12216
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a heap-based buffer overflow in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12217
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c.
CVE-2019-12218
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12219
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.
CVE-2019-12220
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c.