Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence


Security Orchestration Fine-Tunes the Incident Response Process

Emerging orchestration technology can cut labor-intensive tasks for security analysts.

The typical large enterprise has dozens of security products and too few security analysts to handle the manual sifting through the haystack for that deadly needle that could be an actual infiltration or imminent attack. It can take a security analyst anywhere from two to four hours to resolve an incident, according to a recent study by Splunk. By then, an attacker could be burrowed too deep inside to stop the damage.

And then there's the lack of personpower on the security team: new (ISC)2 data projects 1.8 million cybersecurity job vacancies worldwide by 2022, an increase of 20% since 2015.

Enter security orchestration, an emerging technology that integrates various security tools and systems to streamline and better inform the security operation. Orchestration often gets confused or lumped with security automation, which is typically used for a single task or process, according to the Enterprise Strategy Group (ESG).

Because security orchestration is still a relatively new technology and market, there isn't much data yet, but Jon Oltsik, senior principal analyst with ESG, estimates it's somewhere around $100 million to $150 million. According to a recent ESG-DFLabs study, some 90% of organizations have already deployed, or plan to deploy, automation and orchestration technologies. More than one-third consider orchestration a priority over automation.

Think of security orchestration as "a layer of connective tissue" that unites security tools, explains industry veteran Oliver Friedrichs, founder & CEO of Phantom, an orchestration startup.

"So if you have a Palo Alto Networks firewall, EDR [endpoint detection and response] from Carbon Black, and threat intel from FarSight, orchestration allows all those to work together. So if you have a threat that Palo Alto sees, you can query it from FarSight, and block the file on Carbon Black," he says. "Today, that's being done manually."

Manually, that is, by security analysts working the monitors of each of those security systems. It can take hours for a security operations center (SOC) staff to spot an incident, and often that's too late to stop exfiltration of data.

The most popular use of security orchestration so far is for relatively simple and monotonous tasks like investigating phishing attacks, as well as for automating the low-level remediation required for things like blocking known malicious command-and-control IP addresses.

Several startups and acquisitions have arrived in the orchestration space over the past couple of years. Phantom, Demisto, DFLabs, Komand, Swimlane, and IBM Resilient are among the vendors in this space, as is FireEye via its Invotas acquisition last year. The newest member of the market is Microsoft, which today announced its plans to buy Hexadite.

Orchestration technology is a way to bring together existing and "next-generation" security technologies so they aren't stuck as just stovepipe improvements, notes Ted Julian, vice president of product management at IBM Resilient. "This is the most potentially transformative area in the security realm I've seen in the past 12 years. Everything else is incremental."

ESG's Oltsik says orchestration and automation are both hot topics now in security with more funding for startups and enterprises starting to "kick the tires."

"The reason is that CISOs realize that they are just so resource-constrained, and they can't hire their way out of this. If they know what they are doing and need help, they will find some type of intelligence – machine learning or automation and orchestration, or outsource," he says. "Orchestration and automation are so attractive because security people don't like to give up control. This is basically a helper app … It makes sense this is the first thing to do."

How it Works

Security analysts typically manually pull and then cut-and-paste intelligence and information from their various security tools. Orchestration pulls that intel for them, which lets security experts streamline and automate some of the more mundane tasks and have more time for the more involved and serious incidents, experts say.

Jerry Dixon, CISO at security firm CrowdStrike and former US-CERT official, says the technology lets you set up a playbook or more automated and integrated process for handling incidents. "It quickly brings data to the analyst to triage and determine if there's something they need to worry about or not," he says.

Custom Python scripts are the usual fare for streamlining or automating things in a SOC, he says. "The problem with that is when someone moves on to another company you're stuck trying to make all this stuff work. The nice thing about orchestration tools … is it allows you to leverage that expertise and set up playbooks," Dixon says.

The shortage and retention of security staff are among the big drivers behind orchestration. Sandro Bucchianeri, a veteran CISO for a global financial services firm, says he's looking at using orchestration, automation, and machine learning to give his already resource-strapped security team some breathing room.

The firm sees millions of alerts. "Getting these guys to focus on alerts is a massive waste of time because they have to manually do it and vet everything that comes through," which sometimes leaves some alerts on the cutting floor.

Finding and then retaining security people is one of his biggest challenges, he says. "The biggest problem is retaining that talent" after finding and training them, he says. "The next company comes along and offers them $10,000 to $20,000 more, and all that training and legacy knowledge goes [out the door] with it," he says.

Bucchianeri says these issues have driven his firm, the name of which he asked not be published, to start contemplating orchestration for phishing response, reducing false-positives, and automated reporting. "Phishing is the single biggest thing we face, [including] whaling attacks for our execs," he says.

On the business side, security orchestration inherently provides tangible data on time and cost savings that then can be used to justify security budget or purchases, Bucchianeri and other security experts say.

"We know what an analyst costs us," he says. If security orchestration can save four hours of labor a day, that's a quantifiable piece of information that translates to upper management, he notes.

IBM's Julian echoes that. "Having a conversation grounded in business terms puts you in a better position to advocate for what you want to do," Julian says.

How to Orchestrate

Before installing orchestration software or services, be sure the process you're orchestrating is well-understood, notes IBM Resilient's Julian. "We think everyone should start with orchestration if only to validate a process," he says. It gets the organization a consistent, repeatable process in place.

The danger of deploying orchestration without proper planning and preparation is that you could merely automate a lousy process rather than improve and streamline one. "It doesn't make sense to orchestrate a bad process. That's one of the things that holds up or slows people down" from rolling out orchestration, Oltsik warns.

As with many security operations, people and process also need to be considered and synced. Gary Ruiz, senior manager of cybersecurity at Rackspace, says it's important to communicate and work closely with security analysts when setting up orchestration operations.

"Everybody is used to doing this manually," so training security teams and reassuring them that this will help and not necessarily replace them can be challenging, says Ruiz, whose company is test-driving Phantom's orchestration system for phishing attack response.
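The chain Friedrichs describes above (a firewall alert, enriched with threat intel, then contained on the EDR) and Julian's advice to validate the process before orchestrating it, as an added Python example. This is not code from the article or from any vendor it names: the `ThreatIntel`, `EDR` and `Firewall` classes are constructed stand-ins for the real products, and every hash and IP is made up (documentation-range addresses). The playbook records each step in an audit trail, acts only on indicators the intel lookup confirms, escalates everything else to an analyst, and offers a `dry_run` mode that walks the process without touching any tool.

```python
# Added example: a minimal orchestration playbook with constructed tool
# adapters.  Nothing here talks to a real product; hashes and IPs are made up.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Alert:
    """One alert as a perimeter device might emit it (constructed shape)."""
    source: str      # which tool raised it, e.g. "firewall"
    host: str        # internal host involved
    sha256: str      # file hash seen in the flow
    dst_ip: str      # destination the host contacted


@dataclass
class PlaybookRun:
    """Audit record of one playbook execution."""
    alert: Alert
    dry_run: bool
    verdict: Optional[str] = None
    steps: List[str] = field(default_factory=list)


class ThreatIntel:
    """Stand-in for a threat-intel service; answers from constructed lists."""
    def __init__(self, bad_hashes: Set[str], bad_ips: Set[str]):
        self.bad_hashes = bad_hashes
        self.bad_ips = bad_ips

    def lookup_hash(self, sha256: str) -> str:
        return "malicious" if sha256 in self.bad_hashes else "unknown"

    def lookup_ip(self, ip: str) -> str:
        return "malicious" if ip in self.bad_ips else "unknown"


class EDR:
    """Stand-in for an endpoint tool that can block a file hash."""
    def __init__(self):
        self.blocked_hashes: Set[str] = set()

    def block_hash(self, sha256: str) -> None:
        self.blocked_hashes.add(sha256)


class Firewall:
    """Stand-in for a perimeter device that can block a destination IP."""
    def __init__(self):
        self.blocked_ips: Set[str] = set()

    def block_ip(self, ip: str) -> None:
        self.blocked_ips.add(ip)


def run_playbook(alert: Alert, intel: ThreatIntel, edr: EDR, fw: Firewall,
                 dry_run: bool = False) -> PlaybookRun:
    """Enrich the alert, contain confirmed indicators, escalate the rest.

    With dry_run=True every step is recorded but no tool is touched, so the
    process can be walked through and validated before it is allowed to act.
    """
    run = PlaybookRun(alert=alert, dry_run=dry_run)

    # Step 1: enrichment, the lookups an analyst would otherwise do by hand.
    hash_verdict = intel.lookup_hash(alert.sha256)
    ip_verdict = intel.lookup_ip(alert.dst_ip)
    run.steps.append(f"enrich: sha256={hash_verdict} dst_ip={ip_verdict}")

    if hash_verdict != "malicious" and ip_verdict != "malicious":
        # Nothing confirmed: hand the enriched alert to a human rather than act.
        run.verdict = "needs_analyst"
        run.steps.append("escalate: no confirmed indicator")
        return run

    # Step 2: containment, only for the indicators intel actually confirmed.
    run.verdict = "malicious"
    if hash_verdict == "malicious":
        run.steps.append(f"edr.block_hash {alert.sha256}")
        if not dry_run:
            edr.block_hash(alert.sha256)
    if ip_verdict == "malicious":
        run.steps.append(f"firewall.block_ip {alert.dst_ip}")
        if not dry_run:
            fw.block_ip(alert.dst_ip)
    return run


def triage(alerts: List[Alert], intel: ThreatIntel, edr: EDR, fw: Firewall,
           dry_run: bool = False) -> List[PlaybookRun]:
    """Run the playbook over a batch of alerts; returns the audit records."""
    return [run_playbook(a, intel, edr, fw, dry_run) for a in alerts]


# Constructed sample data: documentation-range IPs and made-up hashes.
BAD_HASH = "c0ffee" + "0" * 58
CLEAN_HASH = "ab" * 32
SAMPLE_INTEL = ThreatIntel(bad_hashes={BAD_HASH}, bad_ips={"203.0.113.10"})
SAMPLE_ALERTS = [
    Alert("firewall", "ws-042", BAD_HASH, "198.51.100.5"),
    Alert("firewall", "ws-017", CLEAN_HASH, "203.0.113.10"),
    Alert("firewall", "ws-099", CLEAN_HASH, "192.0.2.1"),
]

if __name__ == "__main__":
    edr, fw = EDR(), Firewall()
    for r in triage(SAMPLE_ALERTS, SAMPLE_INTEL, edr, fw):
        print(r.alert.host, r.verdict, r.steps)
```

Running the batch first with `dry_run=True` produces the same verdicts and the same step list while leaving both adapters untouched, which is the cheap way to confirm the playbook encodes the process the team actually follows before it is wired to live tools. Unconfirmed alerts never trigger containment; they are enriched and escalated, so the analyst's time goes to the judgment call rather than the lookups.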


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
6/12/2017 | 11:56:38 AM
Re: OpenC2 is a rather glaring omission from this article
The OASIS TC Inaugural Meeting will be an important step in seeing OpenC2 move forward and appear in more articles like those found here on DR.  As a longtime FOSS user and occasional developer, the potential for OpenC2 appears solid.  I think when more projects start appearing with POC setups that include pentesting kits like BackBox on one end, and OpenC2 with various security tools on the other, we can really start pointing to OpenC2 as the future of security automation management. 

The problem I have with massive commercial systems is the lack of availability to lab testers and FOSS developers to really put them to task and see what they can do.  Too many of these expensive "Enterprise" systems come at such expense and require massive resources to properly deploy; not to mention the amount of time needed to even see results that might reflect well on what the product offers.  OpenC2 represents hope to move in the other direction.

Appreciate you dropping this reference.  And, I was checking out CybOX before it integrated with STIX, and that's how I first heard about OpenC2 when papers started popping up talking about CybOX and STIX in relation to OpenC2.  Anyone with awareness of this whole body of code should be looking at OpenC2 closely over the next year...
User Rank: Apprentice
6/12/2017 | 9:19:32 AM
OpenC2 is a rather glaring omission from this article
While a well-written article, the failure to mention the work of the OpenC2 consortium developing a vendor-neutral standard for the mitigating actions and playbooks that drive security orchestration was surely an oversight.

The OpenC2 work represents a long-standing collaboration by a large number of vendors, enterprises, government agencies, and academic institutions. This effort has reached a sufficient level of maturity that the consortium recently moved their work into an OASIS technical committee in order to promulgate an official open standard to accelerate security automation in an interoperable fashion.

Because DarkReading's comment system doesn't allow URLs in comments, herewith useful references:

* openc2[dot]org

* www[dot]oasis-open[dot]org/apps/org/workgroup/openc2/#overview