Though the Greek philosopher Heraclitus was the first to remark, “the only thing constant is change,” more than 2,000 years ago, it’s an observation that remains true even in modern times. Anyone versed in the technology industry knows this is the rule rather than the exception; and it is particularly valid in cyber security.
New security technologies are introduced at a near constant pace, and then quickly evolve as users adopt them and share feedback with the companies leading product development. As security automation and orchestration (SA&O) is an emerging category, we’re starting to see an evolution both in the functions required and in the users adopting the technology.
As the name certainly suggests, automation and orchestration were foundational capabilities in SA&O platforms from the beginning. Most security teams have Standard Operating Procedures (SOP) that they typically follow in response to a threat, and the SOPs are normally executed in a manual fashion. SA&O platforms invoke “digital playbooks” to automate Standard Operating Procedures at machine speed.
Playbooks commonly align with the procedures representing the greatest pain points in a SOC: procedures that include extensive manual tasks and require working across multiple products. Common playbook automation examples span investigation, enrichment, containment and remediation:
Alert triage
The objective of alert triage is to validate and prioritize incoming alerts. Procedures for triaging inbound alerts focus on enriching events with additional context. They may also include logic to eliminate high-confidence false positive alerts from further processing.
Incident response
Incident response procedures can vary greatly depending on the type of incident. For example, responding to a phishing attempt incident is quite different from responding to a successful ransomware attack.
Indicator of Compromise (IOC) hunting
By automating IOC hunting, teams can fully leverage the threat intelligence they receive instead of limiting the IOCs they hunt for due to resource constraints. They might also implement intelligence scoring to assist with deciding which threat intelligence sources to use.
Vulnerability management
Automating the cycle of identifying, classifying, remediating, and mitigating vulnerabilities yields not only greater team efficiency, but also more consistent results by ensuring that the process is performed the same way every time.
Network Access Control (NAC)
SA&O platforms can augment dynamic access control strategies. One example is integrating a detection system that previously was not part of the NAC decision making logic.
User management
Ensuring that users are enabled and disabled accurately, rapidly, and systematically can eliminate the chance that a user account is used maliciously by a threat actor.
Penetration testing
Activities like asset discovery, classification, and target prioritization can be automated, thus increasing the productivity of the pen testing team.
Intelligence sharing
Organizations that have intelligence sharing initiatives can greatly benefit from an automation-assisted playbook. Automation can also increase an analyst’s productivity and provide time-sensitive information back to a community faster than with manual processes.
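The alert-triage playbook described above, as an added illustration that is not code from the original page or from any SA&O vendor: each inbound alert is enriched with a threat-intel score and the criticality of the targeted asset, high-confidence false positives from an allowlisted source are closed without analyst time, and the rest are assigned a queue priority. The intel, asset and allowlist tables and the sample alerts are constructed stand-ins for the integrations a real platform would query.

```python
from dataclasses import dataclass, field

# Constructed enrichment sources (assumption: a real playbook queries a TI feed
# and an asset inventory through the platform's integrations instead).
THREAT_INTEL = {"203.0.113.45": 90, "198.51.100.7": 20}   # source ip -> intel score
ASSETS = {"10.0.0.5": "high", "10.0.0.9": "low"}          # asset ip -> criticality
ALLOWLIST = {"198.51.100.7"}  # sanctioned scanner: high-confidence false positive

@dataclass
class Alert:
    id: str
    src_ip: str
    dst_ip: str
    severity: str                      # as reported by the detection tool
    context: dict = field(default_factory=dict)
    priority: str = "unassigned"
    status: str = "new"

def enrich(alert):
    # Attach the context an analyst would otherwise look up by hand.
    alert.context["intel_score"] = THREAT_INTEL.get(alert.src_ip, 0)
    alert.context["criticality"] = ASSETS.get(alert.dst_ip, "unknown")
    return alert

def is_high_confidence_fp(alert):
    # Allowlisted source with no corroborating intel: safe to close automatically.
    return alert.src_ip in ALLOWLIST and alert.context["intel_score"] < 50

def prioritize(alert):
    score, crit = alert.context["intel_score"], alert.context["criticality"]
    if score >= 80 or (alert.severity == "high" and crit == "high"):
        alert.priority = "P1"
    elif score >= 50 or crit == "high":
        alert.priority = "P2"
    else:
        alert.priority = "P3"
    return alert

def triage(alerts):
    # Runs the playbook; returns the open analyst queue ordered by priority.
    queue = []
    for a in alerts:
        enrich(a)
        if is_high_confidence_fp(a):
            a.status = "closed-false-positive"
            continue
        queue.append(prioritize(a))
    return sorted(queue, key=lambda a: a.priority)

SAMPLE_ALERTS = [  # constructed inbound events
    Alert("A1", "203.0.113.45", "10.0.0.5", "medium"),  # known-bad source -> P1
    Alert("A2", "198.51.100.7", "10.0.0.9", "low"),     # sanctioned scanner -> closed
    Alert("A3", "192.0.2.10", "10.0.0.5", "medium"),    # unknown source, critical asset -> P2
]
```

Calling `triage(SAMPLE_ALERTS)` leaves A2 closed as a false positive and returns A1 and A3 in priority order, each carrying the enrichment an analyst needs to act from one interface.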
SA&O platforms also enable users to orchestrate the vast array of security technologies in place at most companies (e.g. firewalls, IDS/IPS, sandboxes, endpoint security agents, ticketing systems, deception technologies, vulnerability scanners, behavioral detection tools, etc.) into a “connective tissue” that works in unison to reduce risk and drive efficiency in the SOC.
Orchestration is important as it directs all activities relating to the Standard Operating Procedures, delivering consistently predictable results and optimal utilization of available resources. The orchestration capability in an SA&O platform typically includes ingestion of data from any source or format, task dispatch and timing, human supervision, data management, and even fault tolerance.
As the SA&O market has evolved, features beyond automation and orchestration have also become important: collaboration, event & case management, plus reporting & metrics.
Many in the industry say, “security is a team sport”, and there is no denying that collaboration is critical to “winning the game”. Analysts collaborate in the SOC to increase situational awareness and drive efficient communications across the team. They typically use capabilities like integrated chat and shared case notes to work an event or incident through to closure. Collaboration is also an area where Artificial Intelligence (AI) shows promise. Many SA&O platforms offer capabilities to help augment the SOC team with helpful suggestions based on AI and related technologies.
Event management is another capability increasing in importance. Analysts need a queue to manage their workload and a dashboard to view events with context on attributes like severity and status. Event management is the first step in the triage process, and the SA&O platform can easily support the analysis of new inbound security events. This enables SOC teams to review event details, enrich events with contextual information, and take action from one integrated interface.
Case management is closely related to event management. Once an event is confirmed to be a legitimate security incident, it can be promoted to a case where a team can drive it through a predefined set of phases and tasks to closure. Though many SOC teams use their own processes, some rely on common frameworks such as the NIST Computer Security Incident Handling Guide (SP 800-61). Case management even provides a path to collaborate with team members from departments other than security, as tasks can be assigned to employees in legal, crisis communications, and human resources.
Finally, as security continues to become more and more strategic, it’s important to be able to easily measure the state of security operations, and to drive toward continuous improvement over time. Security automation and orchestration platforms track key metrics like individual analyst performance, team effectiveness, and overall operations efficiency measures like MTTR (Mean Time To Resolve).
As security automation and orchestration (SA&O) platforms gain an increasing foothold in the modern SOC, it’s clear that capabilities beyond automation and orchestration are needed to address user requirements. It might be more appropriate to think of this emerging technology as a Security Operations Platform.