Begin by Automating Routine Security Activities
The first step toward managing the cybersecurity workload is to deploy automation throughout existing processes. It’s no longer possible for human analysts to manually review logs and assess every anomalous event they discover. Cybercriminals are using technology to scale and automate their attacks, and cybersecurity professionals must do the same to have any hope of keeping stride with their adversaries.
Cybersecurity teams should routinely evaluate all their work to identify opportunities to automate as much routine activity as possible. They may add automation to existing workflows by incorporating automated threat intelligence, change control, configuration management, incident detection and response, and other time-intensive security activities. Reducing the time spent on routine work allows cybersecurity teams to refocus their efforts on high-value activities.
Integrate Security Tools with Orchestration
Security automation is only the beginning. Automation approaches simply take existing work and make it more efficient. Security orchestration seeks to take the untuned notes of dozens of different security instruments and turn them into an accomplished symphony that executes with grace and elegance.
Security orchestration efforts integrate a wide variety of security tools, allowing them to efficiently feed information to each other and respond to events even when information is spread across multiple systems. Orchestration provides an organization with a common language for describing security events and a consistent strategy for addressing them. Orchestration tools serve as a platform for triggering automated response workflows and alerting human analysts when intervention is required.
For example, consider a brute force password guessing attack. Security automation techniques might automatically process logs and report that there were dozens of attempts to log in to a user account from a remote IP address, the last of which was successful. An analyst might review that analysis and then run a script that locks out the user’s account and opens a help desk ticket to contact the user for resolution. The analyst might also quickly check to see what actions were taken by that user between the time of the compromise and the time of account disablement.
This scenario describes an efficient process. Automation allowed the analyst to quickly recognize the account compromise and handle some routine activities for disabling the account and notifying the user. There might be an additional opportunity to automate the account activity review, but this response is well automated.
Orchestration would take the response to a much higher level. In an orchestrated environment, the security information and event management system might detect the brute force attack and then automatically trigger the account disablement workflow before pulling log entries for human review. This involves reaching across a variety of systems, but the integrated nature of the platform makes this possible. When an analyst arrives at work in the morning, he or she is simply reviewing the work that already took place through automation and does not need to take any action. In fact, as confidence grows in the process, the orchestration may simply happen in the background, dramatically reducing the need for human review.
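The brute force scenario above, sketched as an added example that is not part of the original article: a detection rule flags a successful login that follows a run of failures from the same IP address, then triggers the account disablement, the help desk ticket, and the activity pull for review. The event format, the threshold and window values, and the in-memory stand-ins for the directory and ticketing systems are assumptions.

```python
from datetime import datetime, timedelta

THRESHOLD = 12                   # the article says "dozens"; this cutoff is an assumption
WINDOW = timedelta(minutes=10)   # assumed look-back window for counting failures
T0 = datetime(2024, 5, 1, 2, 0, 0)

def build_sample_log():
    """Constructed events: (time, user, source IP, action, outcome)."""
    rows = [(T0 + timedelta(seconds=5 * i), "alice", "203.0.113.7", "login", "FAIL")
            for i in range(24)]
    rows += [
        (T0 + timedelta(seconds=125), "alice", "203.0.113.7", "login", "OK"),
        (T0 + timedelta(seconds=140), "alice", "203.0.113.7", "read_mailbox", "OK"),
        (T0 + timedelta(seconds=200), "alice", "203.0.113.7", "create_forward_rule", "OK"),
        (T0 + timedelta(seconds=30), "bob", "198.51.100.4", "login", "FAIL"),  # one typo
        (T0 + timedelta(seconds=40), "bob", "198.51.100.4", "login", "OK"),
    ]
    return sorted(rows)

def detect_compromises(events):
    """Return (user, ip, time) for each success preceded by >= THRESHOLD recent failures."""
    failures, hits = {}, []
    for ts, user, ip, action, outcome in events:
        if action != "login":
            continue
        recent = [t for t in failures.get((user, ip), []) if ts - t <= WINDOW]
        if outcome == "FAIL":
            failures[(user, ip)] = recent + [ts]
        else:
            if len(recent) >= THRESHOLD:
                hits.append((user, ip, ts))
            failures[(user, ip)] = []   # a success ends the failure streak
    return hits

def respond(hit, events, disabled_at, directory, tickets):
    """Playbook: disable the account, open a ticket, pull activity for human review."""
    user, ip, compromised_at = hit
    directory[user] = "disabled"   # stand-in for a call to the identity system
    tickets.append(f"Contact {user}: suspected password guessing from {ip}")
    return [(ts, action) for ts, u, _, action, _ in events
            if u == user and compromised_at <= ts <= disabled_at]

def run_playbook(events, disabled_at):
    """Run detection and response together, as the orchestration platform would."""
    directory, tickets, review = {}, [], {}
    for hit in detect_compromises(events):
        review[hit[0]] = respond(hit, events, disabled_at, directory, tickets)
    return directory, tickets, review
```

The review list returned for each user covers the window between the compromising login and the disablement, which is the material an analyst would look over the next morning.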
Security automation and orchestration techniques are crucial to survival in the modern threat landscape. Attempting to counter modern adversaries with manual processes is fighting a losing battle. As attackers automate their offense, security teams must automate and orchestrate their defense.