IT Focus Area: Security
December 1, 2017
Enhancing Security with Automation and Orchestration
Enterprise data breaches continue to increase at an alarming pace. Organizations have too many alerts, too many technologies and not enough people. Security teams are overwhelmed, and it has become clear that traditional controls are no longer enough to keep data safe. To address this issue, many companies are fortifying their cybersecurity strategies with automation and orchestration.
Security automation and orchestration technology can help to achieve the following:
• Raise the productivity of security engineers
• Minimize the mean time to resolution (MTTR)
• Integrate the products required to defend against agile threats
Security automation has become a specific domain in the last four to five years. It focuses on security operations centers (SOCs) and accelerating the ability of analysts to disposition alerts and start remediation. For this reason, it is becoming a powerful component of security and incident response.
Bad Data Equals Bad Decisions
Automation and orchestration technology helps to tackle the mundane; picking up and enriching alerts. But it’s starting to evolve towards enhancing threat intelligence to enable better inferences about the right decision in a particular scenario and the best action to take. Rather than just pulling together and presenting data, it’s adding a brain — applying AI and machine learning to enable analysts to make better decisions from better data. An analogy from daily life is when you’re deciding what to wear; you check the weather, and choose your clothes based on the meteorologist’s predictions.
Choosing a Solution
There is confusion in the space. Companies looking for solutions are up against a list of 20 to 30 vendors. It is important to evaluate providers to narrow your choices down and focus on the one that best fits your organization’s objectives.
There are several requirements to consider:
Time to Value. Some automation and orchestration solutions can be up and running quickly, and significantly reduce the time it takes to integrate with the existing solutions in your environment.
Ease of Use and Deployment. There are different approaches to deployment; some are more simplistic than others. Some vendors make it as easy as possible, emulating a drag-and-drop workflow-style implementation to get your playbooks up and running. Others may require more of a development background, requiring scripting and coding skills that may not be present on your operations team. What all of the solutions will require is for you to understand what your processes are and how your analysts are working today to be able to automate those processes.
Strong Support Infrastructure. Products should have the infrastructure to ensure integrations into third-party products through their APIs. The reality is that APIs change, and you don’t necessarily own the integrations on the other side. If the APIs change, the orchestration and automation solution needs to have the support infrastructure to quickly update plug-ins or integrations, and enable the organization not to be impacted by any disruptions in service.
Scalability. Different providers have chosen different architectures. Choosing a product that is proven in large-scale environments to be able to handle the scale and velocity at which the market is starting to evolve is something to consider, so that it can scale with your environment in the long run.
Expertise. Evaluate the expertise behind the solution. Security automation and orchestration is a framework; it requires experts who really understand security, and can drive expertise from the front line and incorporate best practices. It is also important to ensure your organization has access to the right playbooks — whether they come pre-built for use out of the box, or an in-house expert designs them to either match or optimize operations.
Starting the Journey
Automation is a journey that needs to be taken in steps. Devising complex playbooks and processes that are the coolest you can come up with is not a good way to start. Focus on the low-hanging fruit. Start with use cases that are easy to implement and low-regret. One popular initial use case is around the “abuse mailbox”. Many companies have a mailbox dedicated to customers and users who think they’re getting suspicious emails with either URLs or attachments and aren’t sure if they should open them. Companies have to analyze the URLs and attachments in order to determine whether or not they’re malicious. This is easy for automation tools to take care of, as it only involves determining “yes” it’s bad, or “no” it’s not bad. It doesn’t require turning services off or remediating anything. Map out the processes that you want to automate over the first 12-24 months, focusing on use cases that require a low level of effort, are low-regret to implement and have a high return on time savings.
Protecting the Keys to the Kingdom
In addition to choosing the right use cases for your solution, it is important to protect it. Automation and orchestration tools will have integrations and credentials into your various third-party technologies; that’s the only way to truly orchestrate them. Therefore by nature, you’ll have a sort of SkyNet — universal control from one area — and so the threat profile changes a little. The orchestrator has the keys to the kingdom, and so securing it should be top of mind.
Fight Fire with Fire
Although the topic of automation isn’t new, it has taken on increased importance based on the intensive, sustained attacks being directed at organizations in all industries. According to a recent Cybersecurity Jobs Report, there will be 3.5 million unfilled cybersecurity positions by 2021; there are simply not enough skilled security professionals to address today’s threats. Hackers have turned to automation to advance their capabilities. In order to keep up with them, we need to do the same. By choosing the right automation and orchestration solution and use cases, your company can make better decisions from better data, increase productivity and strengthen your security overall.