Start by automating simple security operations tasks and then proceed with re-engineering and orchestrating processes.

Based on numerous conversations with CISOs, I’ve learned there is widespread interest in automating and orchestrating security operations. In fact, lots of enterprises are already doing so. According to ESG research, 19 percent of enterprise organizations have already deployed security operations automation/orchestration technologies “extensively,” while another 39 percent of enterprises have done so on a limited basis.

Now, we tend to lump automation and orchestration together, but there are vast differences between the two. In a recent survey on security operations, ESG defined the terms:

Automation refers to using technology to automate some type of security operations task. For example, an organization could create remediation rules by using indicators of compromise (IoCs) found in threat intelligence to generate rules for automatically blocking malicious IP addresses, web domains, and URLs. Typically, automation refers to a single process or task.

Orchestration refers to stitching software and hardware components together in support of some type of multi-phased security analytics or operations process. Orchestration is also associated with the connection and automation of security workflows to deliver a defined service. For example, an organization could orchestrate the workflow associated with a security investigation or with patching a software vulnerability. Orchestration is often associated with improving collaboration between individuals or groups (such as the cybersecurity and IT operations groups).

Based upon those definitions, ESG asked survey respondents which was the higher priority: security operations automation or orchestration?
The results were clear: Sixty-six percent of survey respondents say automating security analytics and operations is the higher priority, while 31 percent say orchestrating security analytics and operations is their higher priority. (Note: Three percent said, “don’t know.”)

Why the skew toward automation? Security operations is fraught with countless mundane tasks: fetching data, tweaking device configurations, implementing rules for blocking known bad IoCs, etc. In a recent SOAPA video, ServiceNow’s GM of security, Sean Convery, mentioned that one company he worked with spent about 40 percent of their incident response time just figuring out who owned a particular IP address. Holy cow! Now, due to the cybersecurity skills shortage, many organizations are understaffed and lack advanced skills in areas such as security analytics, forensics, IR, etc. Given that, it’s absolutely criminal to ask valuable security professionals to spend their time on mundane tasks that could be automated. CISOs get this, which is driving demand-side activity and supply-side buzz on security operations automation tools.

Security operations orchestration

What about orchestration? Well, in truth, that’s a bit harder. Orchestrating a process means understanding the workflow from end to end, integrating all the data needed to support that process, documenting, managing, and tracking the lifecycle of that process, and supporting all the necessary handoffs from person to person and between security and IT ops teams. This assumes that:

- There is a formal process in place that can then be orchestrated.
- Someone understands all the steps associated with this process.
- The process itself is sound.

Unfortunately, these assumptions are often incorrect. Security operations processes are often informal, based upon the experience, tool set, and personality of tier-3 analysts.
Due to this informality, no one may truly understand all the steps involved. Finally, security processes have been implemented organically over time, so it’s difficult for organizations to assess whether their security operations processes qualify as best practices or need improvement. As one CISO said to me, “The last thing we want to do is orchestrate a broken process.”

I have no doubt that security operations automation and orchestration should be a high priority for enterprise organizations, but based upon ESG research and my experience, I strongly suggest that CISOs take a strategic approach here. Take the time to assess how things are done today. Compare notes with other organizations of a similar size and industry. Look for quick automation wins. Start with simple process orchestration to gain expertise with evolving orchestration technologies. Seek out best practices from organizations such as ISO, NIST, SANS, etc.

As my friend Bruce Schneier says, “Security is a process, not a product.” And Bruce couldn’t be more accurate when it comes to security operations. CISOs who take their time and focus on security operations processes will be able to improve security efficacy and operational efficiency. Those who dwell on the product will make marginal progress at best.
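The automation example from the ESG definition above (turning threat-intelligence IoCs into block rules), worked through in code as an added example that is not from the article or from ESG; the feed layout, the asset-inventory ranges, the allowlist and the `block <kind> <value>` rule syntax are all constructed assumptions. The guardrails are the part a practitioner wants before letting such a rule engine run unattended: a confidence floor, a check against the organization's own address ranges (the "who owns this IP" question Convery describes), an allowlist for business-critical domains, and deduplication.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed, in the shape a threat-intel platform export might take.
IOC_FEED = [
    {"type": "ipv4",   "value": "203.0.113.7",                   "confidence": 90},
    {"type": "ipv4",   "value": "10.20.30.40",                   "confidence": 95},  # our own range
    {"type": "domain", "value": "Bad-Host.Example.NET.",         "confidence": 80},  # needs normalising
    {"type": "url",    "value": "http://bad-host.example.net/dl", "confidence": 70},
    {"type": "url",    "value": "https://www.example.com/page",  "confidence": 88},  # allowlisted host
    {"type": "ipv4",   "value": "203.0.113.7",                   "confidence": 60},  # duplicate
    {"type": "domain", "value": "maybe.example.org",             "confidence": 35},  # too uncertain
    {"type": "ipv4",   "value": "not-an-ip",                     "confidence": 99},  # bad feed data
]
# Constructed asset inventory: the "do we own this IP?" lookup that keeps a feed from blocking internal hosts.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
ALLOWLIST_DOMAINS = {"example.com"}  # business-critical domains are never auto-blocked
MIN_CONFIDENCE = 50

def build_block_rules(feed, own_networks=OWN_NETWORKS,
                      allowlist=ALLOWLIST_DOMAINS, min_conf=MIN_CONFIDENCE):
    """Return (rules, skipped): deduplicated 'block <kind> <value>' lines and a {value: reason} review map."""
    rules, skipped, seen = [], {}, set()
    for ioc in feed:
        kind, value = ioc["type"], ioc["value"].strip()
        if ioc["confidence"] < min_conf:
            skipped[value] = "low-confidence"; continue
        if kind == "ipv4":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                skipped[value] = "unparseable"; continue
            if any(addr in net for net in own_networks):
                skipped[value] = "owned-by-us"; continue
            key = ("ip", str(addr))
        elif kind in ("domain", "url"):
            host = urlsplit(value).hostname if kind == "url" else value
            host = host.lower().rstrip(".") if host else None  # canonical form for matching
            if not host:
                skipped[value] = "unparseable"; continue
            if any(host == d or host.endswith("." + d) for d in allowlist):
                skipped[value] = "allowlisted"; continue
            key = (kind, host if kind == "domain" else value)
        else:
            skipped[value] = "unknown-type"; continue
        if key in seen:
            skipped[value] = "duplicate"; continue
        seen.add(key)
        rules.append(f"block {key[0]} {key[1]}")
    return rules, skipped
```

Everything withheld is returned with a reason rather than silently dropped, so the automated step leaves a review trail for the analyst instead of hiding its decisions.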