Often, the biggest problem facing Security Operations Centers is not an inability to detect security threats, but rather the way security teams address those threats. With their reliance on manual processes and disconnected point solutions, security analysts are overwhelmed by the plethora of alerts they are expected to triage (both in the number and the nature of those alerts).
Profile of time & resources of a typical SOC
A disproportionate amount of time and resources is consumed by Tier 1 analysts manually triaging low priority alerts. With the majority of resources invested in diagnosing whether one alert or many alerts represent a case worth responding to, security teams have limited capacity to actually assess, and ultimately react to, high priority cases.
Even beyond the efficiency of the SOC, the analysts themselves are taking a hit. Under immense pressure to evaluate this large quantity of alerts, analysts quickly burn out, typically lasting only a little over a year.
In order for security teams to more effectively combat the constantly-increasing number of security attacks and better retain their analysts, they need to re-think the way they approach allocating resources towards incoming threats, to maximize efficiency and productivity throughout security operations.
Security Orchestration is the Solution
Security orchestration bridges the gap between alert overload and analyst capacity. Executed effectively, an orchestration platform creates the integrated fabric across the security footprint bringing simplicity, context, and efficiency throughout security operations and incident response.
Building Blocks of Effective Security Orchestration
Effective security orchestration requires a tightly coupled platform that provides robust capabilities across a multitude of components, each with distinct but important capabilities. At the end of the day, the effectiveness of orchestration is only as strong as the weakest link. With a set of isolated security processes, the entire system can be weighed down if even just one part is weak or unreliable.
Security orchestration is built upon a comprehensive process from detection through response. To be effective, this process must be built on context. The underpinning of this relies on enrichment, clustering, and contextualization, leading to prioritized cases that are fully enriched to enable rapid triage. In most cases it is not about the individual alert but about alerts in relation to other important resources such as asset management systems, users, threat intelligence, and other alerts. This needed context is not easy to achieve with the typical SOC footprint. As a matter of fact, time devoted to gathering all relevant data pertaining to a case was rated the most time-consuming activity for Security Operations in a recent customer survey.
Defined playbooks span the entire security operations landscape. With so much of the response process residing solely in the minds and personal preference of individual analysts, the need to define, document, standardize and execute workflows to drive consistency is essential. The workflow connects the disparate tools across the security footprint in the appropriate order for the defined purpose.
Security Automation refers to the process of executing IR workflow without human intervention. The list of individual processes that can be automated is growing. And effective automation simplifies routine tasks to execute them with far more efficiency. Yet, even the most advanced automation systems filter only a percentage of security alerts that register on a company’s network. It is important to recognize that automation alone is not the answer. As part of the broader solution, we aim to strike a balance between automated workflow and human intervention to drive the optimal response throughout the orchestration process.
Effective case management provides visibility on the status of all types of cases and ensures that critical cases are not overlooked. It also allows security cases to interlock with broader IT and operational needs within the company.
Many triage and determination decisions require human intervention. Properly armed analysts should be able to assess the severity of a case in seconds. Through a graph structure and representation, analysts are able to visualize the entire threat storyline to accelerate decision making, escalation, and investigation where needed.
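The detection-to-response pipeline described above (enrich each alert with asset and threat-intelligence context, cluster related alerts into one case, score the case, then route it to an automated playbook or to an analyst) as a small added example; this is illustrative code written for this page, not a vendor's platform. The asset inventory, threat-intelligence list, alerts and scoring weights are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample context sources (not from the original page).
ASSET_CRITICALITY = {"web-01": 3, "db-01": 5, "laptop-17": 1}   # 1 = low, 5 = crown jewel
THREAT_INTEL = {"198.51.100.23"}                                # constructed indicator (RFC 5737 range)
ALERTS = [
    {"id": "A1", "host": "laptop-17", "user": "bob",   "src_ip": "203.0.113.9",   "severity": 2},
    {"id": "A2", "host": "db-01",     "user": "alice", "src_ip": "198.51.100.23", "severity": 3},
    {"id": "A3", "host": "db-01",     "user": "alice", "src_ip": "198.51.100.23", "severity": 2},
    {"id": "A4", "host": "web-01",    "user": "svc",   "src_ip": "203.0.113.9",   "severity": 1},
]

def enrich(alert):
    """Attach asset criticality and a threat-intel match to a single alert."""
    e = dict(alert)
    e["asset_criticality"] = ASSET_CRITICALITY.get(alert["host"], 2)  # unknown asset -> medium
    e["intel_hit"] = alert["src_ip"] in THREAT_INTEL
    return e

def cluster(alerts):
    """Group alerts that share a host into one case (host is the clustering key here)."""
    cases = defaultdict(list)
    for a in alerts:
        cases[a["host"]].append(a)
    return cases

def score(case_alerts):
    """Case priority: top severity weighted by asset value, plus intel and volume bonuses."""
    top = max(a["severity"] for a in case_alerts)
    crit = max(a["asset_criticality"] for a in case_alerts)
    intel = 3 if any(a["intel_hit"] for a in case_alerts) else 0
    volume = min(len(case_alerts) - 1, 2)          # repeated alerts add weight, capped
    return top * crit + intel + volume

def route(priority, analyst_threshold=5):
    """Low-priority cases run an automated playbook; everything else needs a human."""
    return "analyst_queue" if priority >= analyst_threshold else "auto_playbook"

def build_cases(alerts=ALERTS):
    """Run enrichment, clustering, scoring and routing; return one record per case."""
    cases = {}
    for host, group in cluster([enrich(a) for a in alerts]).items():
        p = score(group)
        cases[host] = {"alerts": [a["id"] for a in group], "priority": p, "route": route(p)}
    return cases

if __name__ == "__main__":
    for host, case in build_cases().items():
        print(host, case)
```

With the sample data, the two db-01 alerts collapse into one high-priority case headed for an analyst, while the single low-severity alerts on low-value assets follow the automated playbook.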
KPI / Business Intelligence
“What gets measured gets managed.” With a common centralized platform, the ability to measure, track, and report key performance data becomes a reality. It is important to manage the complete security operation; ergo you need to measure the performance of people, process, and technologies. Analysts and SOC management must have visibility into critical KPIs and where resources are spent, and access to data-driven dashboards to measure critical data points throughout Security Operations. Furthermore, with Board level oversight on the rise, the importance of visibility and situational awareness across the entire security footprint has never been greater.
All of these orchestration capabilities coupled together provide the needed single pane of glass, or “workbench” if you will, for analysts to navigate their jobs effectively, giving them command and control to confidently address all types of alerts and threats.
In summary, effective Security Orchestration needs to encompass security operations processes from end to end; gathering data from multiple security controls, consolidating the relevant data for security analysts to make the appropriate determination of the case with necessary context, executing the incident response flow with appropriate automation and/or human intervention, and ongoing visibility and situational awareness. To avoid piecemeal solutions that merely exacerbate the status quo or might even become detrimental, organizations should look to innovations that take all of these aspects into consideration in order to raise the performance of security operations to new heights, driving ROI throughout the security operations ecosystem.