

Security Orchestration Fine-Tunes the Incident Response Process

Emerging orchestration technology can cut labor-intensive tasks for security analysts.

The typical large enterprise has dozens of security products and too few security analysts to handle the manual sifting through the haystack for the deadly needle that could be an actual infiltration or imminent attack. It can take a security analyst anywhere from two to four hours to resolve an incident, according to a recent study by Splunk. By then, an attacker could be burrowed too deep inside to stop the damage.

And then there's the lack of personpower on the security team: new (ISC)2 data projects 1.8 million cybersecurity job vacancies worldwide by 2022, an increase of 20% since 2015.

Enter security orchestration, an emerging technology that integrates various security tools and systems to streamline and better inform the security operation. Orchestration often gets confused or lumped together with security automation, which is typically used for a single task or process, according to the Enterprise Strategy Group (ESG).

Because security orchestration is still a relatively new technology and market, there isn't much data yet, but Jon Oltsik, senior principal analyst with ESG, estimates the market is somewhere around $100 million to $150 million. According to a recent ESG-DFLabs study, some 90% of organizations plan to deploy automation and orchestration technologies, or have already done so. More than one-third consider orchestration a priority over automation.

Think of security orchestration as "a layer of connective tissue" that unites security tools, explains industry veteran Oliver Friedrichs, founder & CEO of Phantom, an orchestration startup.

"So if you have a Palo Alto Networks firewall, EDR [endpoint detection and response] from Carbon Black, and threat intel from FarSight, orchestration allows all those to work together. So if you have a threat that Palo Alto sees, you can query it from FarSight, and block the file on Carbon Black," he says. "Today, that's being done manually."

Manually, that is, by security analysts working the monitors of each of those security systems. It can take hours for a security operations center (SOC) staff to spot an incident, and often that's too late to stop exfiltration of data.

The most popular use of security orchestration so far is for relatively simple and monotonous tasks such as investigating phishing attacks, as well as for automating the low-level remediation required for things like blocking known malicious command-and-control IP addresses.

Several startups and acquisitions have arrived in the orchestration space over the past couple of years. Phantom, Demisto, DFLabs, Komand, Swimlane, and IBM Resilient are among the vendors in this space, as is FireEye via its Invotas acquisition last year. The newest member of the market is Microsoft, which today announced its plans to buy Hexadite.

Orchestration technology is a way to bring together existing and "next-generation" security technologies so they aren't stuck as just stovepipe improvements, notes Ted Julian, vice president of product management at IBM Resilient. "This is the most potentially transformative area in the security realm I've seen in the past 12 years. Everything else is incremental."

ESG's Oltsik says orchestration and automation are both hot topics now in security with more funding for startups and enterprises starting to "kick the tires."

"The reason is that CISOs realize that they are just so resource-constrained, and they can't hire their way out of this. If they know what they are doing and need help, they will find some type of intelligence – machine learning or automation and orchestration, or outsource," he says. "Orchestration and automation are so attractive because security people don't like to give up control. This is basically a helper app … It makes sense this is the first thing to do."

How it Works

Security analysts typically manually pull and then cut-and-paste intelligence and information from their various security tools. Orchestration pulls that intel for them, which lets security experts streamline and automate some of the more mundane tasks and have more time for the more involved and serious incidents, experts say.

Jerry Dixon, CISO at security firm CrowdStrike and former US-CERT official, says the technology lets you set up a playbook or more automated and integrated process for handling incidents. "It quickly brings data to the analyst to triage and determine if there's something they need to worry about or not," he says.

Custom Python scripts are the usual fare for streamlining or automating things in a SOC, he says. "The problem with that is when someone moves on to another company you're stuck trying to make all this stuff work. The nice thing about orchestration tools ... is it allows you to leverage that expertise and set up playbooks," Dixon says.

The shortage and retention of security staff is one of the big drivers behind orchestration. Sandro Bucchianeri, a veteran CISO for a global financial services firm, says he's looking at using orchestration, automation, and machine learning to give his already resource-strapped security team some breathing room.

The firm sees millions of alerts. "Getting these guys to focus on alerts is a massive waste of time because they have to manually do it and vet everything that comes through," he says, which sometimes leaves alerts on the cutting-room floor.

Finding and then retaining security people is one of his biggest challenges. "The biggest problem is retaining that talent" after finding and training them, he says. "The next company comes along and offers them $10,000 to $20,000 more, and all that training and legacy knowledge goes [out the door] with it."

Bucchianeri says these issues have driven his firm, the name of which he asked not be published, to start contemplating orchestration for phishing response, reducing false positives, and automated reporting. "Phishing is the single biggest thing we face, [including] whaling attacks for our execs," he says.

On the business side, security orchestration inherently provides tangible data on time and cost savings that then can be used to justify security budget or purchases, Bucchianeri and other security experts say.

"We know what an analyst costs us," he says. If security orchestration can save four hours of labor a day, that's a quantifiable piece of information that translates to upper management, he notes.

IBM's Julian echoes that. "Having a conversation grounded in business terms puts you in a better position to advocate for what you want to do," Julian says.

How to Orchestrate

Before installing orchestration software or services, be sure the process you're orchestrating is well understood, notes IBM Resilient's Julian. "We think everyone should start with orchestration if only to validate a process," he says. It gives the organization a consistent, repeatable process.

The danger of deploying orchestration without proper planning and preparation is that you could merely automate a lousy process rather than improve and streamline one. "It doesn't make sense to orchestrate a bad process. That's one of the things that holds up or slows people down" from rolling out orchestration, Oltsik warns.

As with many security operations, people and process also need to be considered and kept in sync. Gary Ruiz, senior manager of cybersecurity at Rackspace, says it's important to communicate and work closely with security analysts when setting up orchestration operations.

"Everybody is used to doing this manually," so training security teams and reassuring them that this will help and not necessarily replace them can be challenging, says Ruiz, whose company is test-driving Phantom's orchestration system for phishing attack response.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
6/12/2017 | 11:56:38 AM
Re: OpenC2 is a rather glaring omission from this article
The OASIS TC Inaugural Meeting will be an important step in seeing OpenC2 move forward and appear in more articles like those found here on DR. As a longtime FOSS user and occasional developer, the potential for OpenC2 appears solid. I think when more projects start appearing with POC setups that include pentesting kits like BackBox on one end, and OpenC2 with various security tools on the other, we can really start pointing to OpenC2 as the future of security automation management.

The problem I have with massive commercial systems is the lack of availability to lab testers and FOSS developers to really put them to task and see what they can do. Too many of these expensive "Enterprise" systems come at such expense and require massive resources to properly deploy; not to mention the amount of time needed to even see results that might reflect well on what the product offers. OpenC2 represents hope to move in the other direction.

Appreciate you dropping this reference. And, I was checking out CybOX before it integrated with STIX, and that's how I first heard about OpenC2 when papers started popping up talking about CybOX and STIX in relation to OpenC2. Anyone with awareness of this whole body of code should be looking at OpenC2 closely over the next year...
User Rank: Apprentice
6/12/2017 | 9:19:32 AM
OpenC2 is a rather glaring omission from this article
While a well-written article, the failure to mention the work of the OpenC2 consortium developing a vendor-neutral standard for the mitigating actions and playbooks that drive security orchestration was surely an oversight.

The OpenC2 work represents a long-standing collaboration by a large number of vendors, enterprises, government agencies, and academic institutions. This effort has reached a sufficient level of maturity that the consortium recently moved their work into an OASIS technical committee in order to promulgate an official open standard to accelerate security automation in an interoperable fashion.

Because DarkReading's comment system doesn't allow URLs in comments, herewith useful references:

* openc2[dot]org

* www[dot]oasis-open[dot]org/apps/org/workgroup/openc2/#overview