Security Orchestration Fine-Tunes the Incident Response Process

Emerging orchestration technology can cut labor-intensive tasks for security analysts.


The typical large enterprise has dozens of security products and too few security analysts to handle the manual sifting through the haystack for that deadly needle that could be an actual infiltration or imminent attack. It can take a security analyst anywhere from two to four hours to resolve an incident, according to a recent study by Splunk. By then, an attacker could be burrowed too deep inside to stop the damage.

And then there's the lack of personpower on the security team: new (ISC)2 data projects 1.8 million cybersecurity job vacancies worldwide by 2022, an increase of 20% since 2015.

Enter security orchestration, an emerging technology that integrates various security tools and systems to streamline and better inform the security operation. Orchestration often gets confused or lumped in with security automation, which is typically used for a single task or process, according to the Enterprise Strategy Group (ESG).

Because security orchestration is still a relatively new technology and market, there isn't much data yet, but Jon Oltsik, senior principal analyst with ESG, estimates it's somewhere around $100 million to $150 million. According to a recent ESG-DFLabs study, some 90% of organizations plan to deploy, or have already deployed, automation and orchestration technologies. More than one-third consider orchestration a priority over automation.

Think of security orchestration as "a layer of connective tissue" that unites security tools, explains industry veteran Oliver Friedrichs, founder & CEO of Phantom, an orchestration startup.

"So if you have a Palo Alto Networks firewall, EDR [endpoint detection and response] from Carbon Black, and threat intel from FarSight, orchestration allows all those to work together. So if you have a threat that Palo Alto sees, you can query it from FarSight, and block the file on Carbon Black," he says. "Today, that's being done manually."

Manually, that is, by security analysts working the monitors of each of those security systems. It can take hours for a security operations center (SOC) staff to spot an incident, and often that's too late to stop exfiltration of data.

The most popular use of security orchestration so far is for relatively simple and monotonous tasks like investigating phishing attacks, as well as for automating the low-level remediation required for things like blocking known malicious command-and-control IP addresses.

Several startups and acquisitions have arrived in the orchestration space over the past couple of years. Phantom, Demisto, DFLabs, Komand, Swimlane, and IBM Resilient are among the vendors in this space, as is FireEye via its Invotas acquisition last year. The newest member of the market is Microsoft, which today announced its plans to buy Hexadite.

Orchestration technology is a way to bring together existing and "next-generation" security technologies so they aren't stuck as just stovepipe improvements, notes Ted Julian, vice president of product management at IBM Resilient. "This is the most potentially transformative area in the security realm I've seen in the past 12 years. Everything else is incremental."

ESG's Oltsik says orchestration and automation are both hot topics now in security with more funding for startups and enterprises starting to "kick the tires."

"The reason is that CISOs realize that they are just so resource-constrained, and they can't hire their way out of this. If they know what they are doing and need help, they will find some type of intelligence – machine learning or automation and orchestration, or outsource," he says. "Orchestration and automation are so attractive because security people don't like to give up control. This is basically a helper app … It makes sense this is the first thing to do."

How it Works

Security analysts typically manually pull and then cut-and-paste intelligence and information from their various security tools. Orchestration pulls that intel for them, which lets security experts streamline and automate some of the more mundane tasks and have more time for the more involved and serious incidents, experts say.

Jerry Dixon, CISO at security firm CrowdStrike and former US-CERT official, says the technology lets you set up a playbook or more automated and integrated process for handling incidents. "It quickly brings data to the analyst to triage and determine if there's something they need to worry about or not," he says.

Custom Python scripts are the usual fare for streamlining or automating things in a SOC, he says. "The problem with that is when someone moves on to another company you're stuck trying to make all this stuff work. The nice thing about orchestration tools … is it allows you to leverage that expertise and set up playbooks," Dixon says.
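To make the playbook idea concrete, here is an added example (not code from the article or from any vendor it names) of the flow Friedrichs describes: a firewall alert is enriched with threat intel, and only a confirmed-malicious verdict triggers blocking on the EDR and firewall, while anything unknown is handed to an analyst for triage. The alert, the intel table and the tool classes are all constructed stand-ins, not real vendor APIs.

```python
# Constructed sample alert, shaped like something a firewall might emit (not real output).
SAMPLE_ALERT = {"src_ip": "203.0.113.7", "domain": "bad.example", "sha256": "ab" * 32}
BENIGN_ALERT = {"src_ip": "198.51.100.9", "domain": "unknown.example", "sha256": "cd" * 32}

# Constructed threat-intel table standing in for a FarSight-style lookup.
THREAT_INTEL = {"bad.example": {"malicious": True, "first_seen": "2017-05-01"}}


class EndpointTool:
    """Hypothetical EDR adapter: records which file hashes it was told to block."""
    def __init__(self):
        self.blocked_hashes = []

    def block_hash(self, sha256):
        self.blocked_hashes.append(sha256)
        return True


class FirewallTool:
    """Hypothetical firewall adapter: records which IPs it was told to block."""
    def __init__(self):
        self.blocked_ips = []

    def block_ip(self, ip):
        self.blocked_ips.append(ip)
        return True


def enrich(alert, intel=THREAT_INTEL):
    """Enrichment step: look the alert's domain up; unknown means no verdict."""
    return intel.get(alert["domain"], {"malicious": False, "first_seen": None})


def run_playbook(alert, edr, fw, intel=THREAT_INTEL):
    """Playbook: enrich -> decide -> act, logging each step for the analyst."""
    steps = []
    verdict = enrich(alert, intel)
    steps.append(("enrich", alert["domain"], verdict))
    if verdict["malicious"]:
        # Known-bad: take the same actions an analyst would do by hand.
        edr.block_hash(alert["sha256"])
        steps.append(("block_hash", alert["sha256"]))
        fw.block_ip(alert["src_ip"])
        steps.append(("block_ip", alert["src_ip"]))
        return {"disposition": "contained", "steps": steps}
    # No verdict: do not auto-block; queue for a human with the evidence attached.
    steps.append(("escalate", "no threat-intel match"))
    return {"disposition": "needs_analyst", "steps": steps}
```

The point of recording `steps` is that the analyst sees what the playbook did and why, which is what makes an automated action auditable rather than a black box.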

Shortage and retention of security staff is one of the big drivers behind orchestration. Sandro Bucchianeri, a veteran CISO for a global financial services firm, says he's looking at using orchestration, automation, and machine learning to give his already resource-strapped security team some breathing room.

The firm sees millions of alerts. "Getting these guys to focus on alerts is a massive waste of time because they have to manually do it and vet everything that comes through," which sometimes leaves some alerts on the cutting floor.

Finding and then retaining security people is one of his biggest challenges, he says. "The biggest problem is retaining that talent" after finding and training them. "The next company comes along and offers them $10,000 to $20,000 more, and all that training and legacy knowledge goes [out the door] with it," he says.

Bucchianeri says these issues have driven his firm, the name of which he asked not be published, to start contemplating orchestration for phishing response, reducing false-positives, and automated reporting. "Phishing is the single biggest thing we face, [including] whaling attacks for our execs," he says.

On the business side, security orchestration inherently provides tangible data on time and cost savings that then can be used to justify security budget or purchases, Bucchianeri and other security experts say.

"We know what an analyst costs us," he says. If security orchestration can save four hours of labor a day, that's a quantifiable piece of information that translates to upper management, he notes.

IBM's Julian echoes that. "Having a conversation grounded in business terms puts you in a better position to advocate for what you want to do," Julian says.

How to Orchestrate

Before installing orchestration software or services, be sure the process you're orchestrating is well-understood, notes IBM Resilient's Julian. "We think everyone should start with orchestration if only to validate a process," he says. It gets the organization a consistent, repeatable process in place.

The danger of deploying orchestration without proper planning and preparation is that you could merely automate a lousy process rather than improve and streamline one. "It doesn't make sense to orchestrate a bad process. That's one of the things that holds up or slows people down" from rolling out orchestration, Oltsik warns.

Like many security operations, people and process also need to be considered and synced. Gary Ruiz, senior manager of cybersecurity at Rackspace, says it's important to communicate and work closely with security analysts when setting up orchestration operations.

"Everybody is used to doing this manually," so training security teams and reassuring them that this will help and not necessarily replace them can be challenging, says Ruiz, whose company is test-driving Phantom's orchestration system for phishing attack response.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
