Best Practice:  Security Operations Automation before Orchestration

cyber-exec.jpgBased upon numerous conversations with CISOs, there is widespread interest in automating and orchestrating security operations. In fact, lots of enterprises are already doing so. According to ESG research, 19% of enterprise organizations have already deployed security operations automation/orchestration technologies "extensively,” while another 39% of enterprises have done so on a limited basis.

Now we tend to lump automation and orchestration together, but there are vast differences between the two. In a recent survey on security operations, ESG defined these term as follows:

Automation refers to using technology to automate some type of security operations task. For example, an organization could create remediation rules by using indicators of compromise (IoCs) found in threat intelligence to generate rules for automatically blocking malicious IP addresses, web domains, and URLs. Typically, automation refers to a single process or task.

Orchestration refers to the stitching of software and hardware components together in support of some type of multi-phased security analytics or operations process. Orchestration is also associated with the connection and automation of security workflows to deliver a defined service. For example, an organization could orchestrate the workflow associated with a security investigation or patching a software vulnerability. Orchestration is often associated with improving collaboration between individuals or groups (such as the cybersecurity and IT operations groups).

Based upon these definitions, ESG asked survey respondents which was the higher priority—security operations automation or orchestration? The results were clear: 66% of survey respondents say that automating security analytics and operations is the higher priority while 31% say that orchestrating security analytics and operations is their higher priority (note, 3% said “don’t know”).

Why the skew toward automation? Security operations is fraught with countless mundane tasks—fetching data, tweaking device configurations, implementing rules for blocking known bad IoCs, etc. In a recent SOAPA video, ServiceNow’s GM of security, Sean Convery, mentioned that one company he worked with spent about 40% of their incident response time just figuring out who owned a particular IP address. Holy cow!

Now due to the cybersecurity skills shortage, many organizations are understaffed and lacking advanced skills in areas like security analytics, forensics, IR, etc. Given this, it’s absolutely criminal to ask valuable security professionals to spend their time on mundane tasks that could be automated. CISOs get this, which is driving demand-side activity and supply-side buzz on security operations automation tools.

What about orchestration? Well, in truth that’s a bit harder. Orchestrating a process means understanding the workflow from end to end, integrating all the data needed to support that process, documenting, managing, and tracking the lifecycle of that process, and supporting all the necessary handoffs from person to person and between security and IT ops teams. 

This assumes that:

  1. There is a formal process in place that can then be orchestrated.
  2. Someone understands all the steps associated with this process.
  3. The process itself is sound.

Unfortunately, these assumptions are often incorrect. Security operations processes are often informal based upon the experience, tool set, and personality of tier-3 analysts. Due to this informality, no one may truly understand all the steps involved. Finally, security processes have been implemented organically over time so it’s difficult for organizations to assess whether their security operations processes qualify as best practices or need improvement. As one CISO said to me, “the last thing we want to do is orchestrate a broken process.” 

I have no doubt that security operations automation and orchestration should be a high priority for enterprise organizations, but based upon ESG research and my experience, I strongly suggest that CISOs take a strategic approach here. Take the time to assess how things are done today. Compare notes with other organizations of a similar size and industry. Look for quick automation wins. Start with simple process orchestration to gain expertise with evolving orchestration technologies. Seek out best practices from organizations like ISO, NIST, SANS, etc. 

As my friend Bruce Schneier says, “security is a process not a product,” and Bruce couldn’t be more accurate when it comes to security operations. CISOs who take their time and focus on security operations processes will be able to improve security efficacy and operational efficiency. Those who dwell on the product will make marginal progress at best. 

Topics: Cybersecurity SIEM security operations automation incident response automation and orchestration