Technology as a whole goes through shifts, and the security industry is no different.
Over the past three years, we've seen machine learning and artificial intelligence being injected into almost every area of the industry. The reason this technology has been so widely adopted is due to the proposed value of increased operational efficacies within an organization's security program. We see this today as security automation and orchestration (SAO) tools enter the market.
Security automation and orchestration enable us to arm our security teams with the tools they need to detect and display actionable alerts in an efficient manner. We've seen SAO tools added into popular SIEM systems, such as LogRhythm's SmartResponse or Splunk's acquisition of Phantom, to create a more streamlined method to detect and respond to threats.
This functionality helps security operations teams decrease metrics within the mean time to detect (MTTD) and the mean time to respond (MTTR), enabling incidents to be neutralized more proficiently. However, these tools aren't a panacea, and security operations teams get out what they put into the implementation with a continuous review of their technology, procedures and training.
When it comes to utilizing the technology to assist with security automation and orchestration, one of the most important considerations is validating that your current infrastructure will be supported. We're seeing security automation and orchestration technology being integrated into SIEM systems to assist with the streamlined detection and response to events, and being able to incorporate the rest of your environment is critically important.
Depending on the SAO product, there might be a need to rely on APIs or to use the events that are already stored in a central repository. The goal is to easily integrate the systems and technology you're using today with the fabric of SAO to tie them together.
It's important to select an SAO system that is open enough when considering new technology -- being locked into using a particular vendor's technology for your SAO defeats the purpose. The central repository of data and configuration is the lifeblood of your SAO implementation.
Depending on its use, the data being fed into the system will determine how effective an implementation is. Before an SAO system implementation is done, the organization should determine what their pain points are and how this technology can assist the security operations team to reduce network risks. This is done by applying these tools to defend against threats using the technology and data already in your organization. Accomplishing this requires constant care, but the more time you put into the technology, the better the efficacy of the responses will be.
Many SAO systems incorporate an automatic response to threats, but there are a few different paths of escalation after a threat is identified.
The quickest way to contain risks is by having the SAO system automatically programmed to take action. This enables the prompt containment of threats, but it could also potentially create problems if a false positive is generated and acted upon -- resulting in the quickest recovery with the greatest risk. Therefore, this should only be used for alerts with a high efficacy rate.
Another option for alerts is a manual response. During an investigation, it's possible for analysts to come across an issue and manually trigger a response from the SAO to have the connected systems act on their findings. While this is less risky, it is more time-consuming when it comes to the MTTD and MTTR of the incident response lifecycle.
A third option is the system taking all the steps that it would with an automatic response, but seeking approval before it takes action.
These response options should be used based on the type of alert and how confident the organization is about the data's ability to produce the intended results.
These response choices enable detailed workflow management that can assist security operations teams with creating a standard for incidents. This standardization of automation means that the workflow of events will also be triggered during an incident, enabling a more fluid incident response process. In many systems, this can lead to case creation being included within the response based on the organization's ticketing system.
Likewise, depending on the systems in use, you might need to collect and automate particular artifacts. This process helps keep the integrity of the data by eliminating human error where possible.
For example, if an event is detected on an endpoint, then part of the process would be to include a forensic capture of the memory, to remove the system from the network via a firewall or network access control product, and to notify the operations team. The ability to have all of this automated helps with isolation and gives shape to your IR plan. By taking your existing environment and using SAO technology, your organization can get additional value out of its current investments.
We are seeing many vendors tout their products as replacements for entry-level analysts. When any form of automation takes place, we see the adoption of technology, which creates a more streamlined workforce.
In my opinion, I don't think SAO will replace analysts, but rather supplement and guide them in their current roles. Right now, we're seeing vendors put value on an analyst in a box approach, but this will never be able to fully remove people from the industry. However, it can help those already in the field to sharpen their axes and become better at defense and detection, while supplementing lower level junior roles to better understand threats.
In many ways, I see this as the evolution of SIEM and the refining of an industry, not a replacement of SIEM or analysts.
Security automation and orchestration are both strong buzzwords in the security industry, and I feel that they'll become standard as both the industry and customers expect the technology to follow certain trends that will make the lives of their operations teams easier and reduce risk in the organization.