Top 10 Ways Security Orchestration Is Transforming Security Operations
Posted by Jeff Battaglino on June 04, 2019
Jeff Battaglino is a seasoned IT professional who has focused his career on IT service management, compliance, and security for more than 25 years. He has served in management capacities in retail, manufacturing, financial services, higher education, and technology organizations. He is ITIL v3 certified, HDI Help Desk Manager certified, and is a certified administrator of four of the leading ITSM applications. He has been a frequent presenter at ITIL- and ITSM-focused conferences for more than 15 years.
Security orchestration is one part of a newer family of enterprise security products known as security orchestration, automation, and response (SOAR) solutions. SOAR tools are still relatively new: a 2018 Gartner report estimated that fewer than one percent of enterprise security teams had started using them in 2015, and projected that adoption would reach 15 percent by 2020.
SOAR technologies, and security orchestration tools in particular, let companies collect security alerts, threat data, and telemetry from many applications and sources and bring them together in one place.
As cyber attacks and other types of security threats have become increasingly common in the digital age, organizations face an uphill battle against incoming security threats and alerts across applications. At the same time, many organizations experience staff shortages in information security roles, making it difficult for existing staff to respond effectively to this growing volume of alerts and notifications.
Corporations have justifiably tried to secure their assets against cyber attacks by adopting a host of best-in-class security tools. A mature security operations center may run a security information and event management (SIEM) system, a dedicated incident response platform, user and entity behavior analytics (UEBA) tools, intrusion detection and prevention systems (IDPS), and other security applications, each with its own console and alert stream.
The role of security orchestration software solutions is to integrate the information that corporations collect from their existing security applications and infrastructure into a single interface where IT operators can investigate threats and vulnerabilities more efficiently, identify the root cause of an alert or security notification, and implement a solution as quickly as possible to minimize business interruptions.
How Is Security Orchestration Transforming Security Operations?
Security orchestration tools are playing a transformative role in corporate security, helping enterprise security professionals use their time more efficiently, expediting the investigation of security threats, and reducing costs throughout the process. As organizations increase their adoption of security orchestration tools over the next five years, here are 10 ways that SOAR solutions will transform enterprise security operations.
1. Security Orchestration Integrates Multiple Security Solutions
Until recently, enterprise organizations with robust security needs found themselves in a catch-22. The landscape of available tools included incident response platforms, IDPS, and UEBA applications, each specialized for a particular type of threat detection. Corporations realized that they could improve their security posture by adding more monitoring tools, but each new tool placed a disproportionate burden on security staff, who now had yet another stream of alerts and notifications to investigate and respond to each day.
As a result, the organizations with the broadest tool coverage had the hardest time investigating threats effectively, while those with fewer monitoring tools missed too many threats. Security orchestration software addresses this dilemma by integrating data from the organization's entire suite of monitoring tools and letting IT professionals connect external threat intelligence with their own security data collection and analysis. With an integrated view, organizations can maintain a robust portfolio of security tools in a way that speeds up threat investigation instead of slowing it down.
2. Security Orchestration Reduces Response Times to Security Threats
Security orchestration reduces the threat response and resolution time for IT professionals working in enterprise security.
Consider two enterprise organizations, each running 10 separate security monitoring tools. At Alpha Corp., security orchestration has yet to be adopted and IT operators must individually monitor each security tool for alerts and notifications. At Beta Corp., IT operators manage enterprise security through an integrated security orchestration platform.
Now consider what happens when both companies experience a cyber attack. At Alpha Corp., IT operators have to access 10 separate applications, reviewing notifications and security alerts from each of these sources to determine what happened. Information may have to be manually aggregated from various applications to create an accurate picture of where the attack originated and what systems could be affected.
Meanwhile, at Beta Corp., operators can view all of the notifications and alerts at the same time in one integrated platform. The data is correlated automatically and is accessible in its entirety to anyone with access to the security orchestration platform, with no manual aggregation. As a result, Beta Corp. can understand the problem and start to mitigate damage while Alpha Corp. is still trying to piece together what happened.
3. Security Orchestration Streamlines or Automates the Investigative Process
To keep up with the growing number of security alerts that corporations receive each day from their monitoring applications, there is an immediate need for automation in enterprise security. Effective security monitoring must strike a delicate balance between automated processes and manual intervention—automation is appropriate for tasks that are routine and predictable, while a human touch will still be required for things like threat investigations.
Routine security operations such as provisioning and deprovisioning access (identity and access management), installing patches, running malware scans, and scoring IP reputation save IT operators time and save the corporation money when automated. Combining security orchestration with automation lets IT organizations automate processes that require input from more than one security application.
4. Security Orchestration Reduces Business Downtime and Mitigates Damage from Cyber Attacks
Cyber attacks can have damaging consequences for corporate organizations, including the theft of corporate data, disruption to the business, or breaches of customer data that result in notification and legal costs and damage the firm's reputation. A group of academics compiled a list of 57 negative impacts of cyber attacks.
With SOAR tools, IT organizations can implement a rapid one-two punch against cyber threats. Security automation responds to a threat immediately with predefined containment steps, such as isolating an affected host or disabling a compromised account, to protect potentially exposed data. IT operators then use the security orchestration platform to evaluate and mitigate the threat without having to sort through alerts from 10 different security applications.
5. Security Orchestration Helps Contextualize Security Threats
When responding to a security alert, IT organizations consult myriad sources of data to understand the context of the notification. Context refers to the circumstances that surround an individual alert, notification, or threat report: the information that must be collected to fully understand and assess the threat to the organization.
In the security operations center (SOC), IT operators build a contextual understanding of threats by investigating and correlating data from multiple sources. An individual alert sheds little light on whether it is a false positive or a real threat; SOAR applications combine information from multiple sources into a holistic, fully contextualized view of the suspected security threat.
Rather than piecing together the context of an individual threat manually, a process that costs precious time when your organization is being victimized by a cyber attack, IT operators can now rely on security orchestration tools to assist in the process.
6. Security Orchestration Helps MSSPs Maintain Their SLAs
A managed security services provider (MSSP) acts as a vendor partner for enterprise security and provides outsourced management of security monitoring systems and applications. Things like virus and vulnerability scanning, network intrusion detection, managed firewall, VPNs, and even email filtering can be coordinated through an MSSP.
MSSPs that provide these crucial security services to corporations are typically bound by service-level agreements where they guarantee a specified level of business up-time and security response for the organization. When MSSPs breach service-level agreements in a way that harms their customers, they may be liable for damages.
MSSPs can implement security orchestration tools to expedite their security threat investigations and deliver better security services to their customers while remaining compliant with SLAs.
7. Security Orchestration Applications Facilitate Better Case Management
When organizations manage all of their security monitoring through separate applications, IT operators are required to investigate every alert and notification that comes through each of the various information channels. Sometimes, a single threat or incident can trigger alerts across multiple applications which must then be investigated separately to determine whether they are connected.
Security orchestration tools create a paradigm shift within the security operations center where IT operators can begin to manage security threats at the "case" level, rather than at the "alert" or "notification" level.
How is this achieved? Security orchestration tools make it easy to identify when a number of alerts across various tools point at the same incident. Alerts triggered by the same underlying event are grouped into a single case. Thus, instead of IT operators investigating 20,000 separate notifications each week, they may focus on 2,500 cases instead, with much of the investigative work automated through the organization's SOAR platform.
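The grouping described above, as an added example that is not code from the original article or from any SOAR product: alerts from several tools are merged into cases when they share an entity (host, user, source IP or file hash) and fire within a configurable time window of each other. The normalised alert schema, the entity kinds, the window and the sample alerts are all assumptions made for the illustration.

```python
"""Group alerts from several security tools into cases.

Added example for the case-management discussion above; it is not code from
the original article or from any SOAR product. Two alerts land in the same
case when they share an entity (host, user, source IP or file hash) and fire
within a configurable window of each other; membership is transitive, so a
chain of related alerts becomes one case. The alert schema and the sample
alerts below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: six alerts from four tools on one day.
SAMPLE_ALERTS = [
    {"id": "a1", "tool": "EDR", "time": "2019-06-04T09:00:10", "severity": "high",
     "entities": {"host": "ws-042", "hash": "9f86d081884c7d659a2feaa0c55ad015"}},
    {"id": "a2", "tool": "SIEM", "time": "2019-06-04T09:01:30", "severity": "medium",
     "entities": {"host": "ws-042", "user": "jdoe"}},
    {"id": "a3", "tool": "UEBA", "time": "2019-06-04T09:05:00", "severity": "low",
     "entities": {"user": "jdoe"}},
    {"id": "a4", "tool": "IDPS", "time": "2019-06-04T13:00:00", "severity": "high",
     "entities": {"src_ip": "203.0.113.7", "host": "db-01"}},
    {"id": "a5", "tool": "IDPS", "time": "2019-06-04T09:02:00", "severity": "low",
     "entities": {"host": "ws-042"}},
    {"id": "a6", "tool": "EDR", "time": "2019-06-04T20:00:00", "severity": "medium",
     "entities": {"host": "ws-042"}},   # same host, but many hours later
]


class _DisjointSet:
    """Union-find over alert IDs; each root becomes one case."""
    def __init__(self, ids):
        self.parent = {i: i for i in ids}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def correlate(alerts, window_hours=4):
    """Return cases (oldest first), each merging the alerts that share entities in time."""
    window = timedelta(hours=window_hours)
    ts = {a["id"]: datetime.fromisoformat(a["time"]) for a in alerts}
    dsu = _DisjointSet(ts)

    # Index alerts by (entity kind, value), then link time-adjacent alerts per entity.
    by_entity = defaultdict(list)
    for a in alerts:
        for kind, value in a["entities"].items():
            by_entity[(kind, value)].append(a["id"])
    for ids in by_entity.values():
        ids.sort(key=ts.get)
        for prev, cur in zip(ids, ids[1:]):
            if ts[cur] - ts[prev] <= window:
                dsu.union(prev, cur)

    # Collapse each union-find root into a case summary.
    groups = defaultdict(list)
    for a in alerts:
        groups[dsu.find(a["id"])].append(a)
    cases = []
    for members in groups.values():
        members.sort(key=lambda a: ts[a["id"]])
        cases.append({
            "alert_ids": [m["id"] for m in members],
            "tools": sorted({m["tool"] for m in members}),
            "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.__getitem__),
            "first_seen": members[0]["time"],
            "last_seen": members[-1]["time"],
            "entities": sorted({f"{k}={v}" for m in members for k, v in m["entities"].items()}),
        })
    return sorted(cases, key=lambda c: c["first_seen"])


if __name__ == "__main__":
    for case in correlate(SAMPLE_ALERTS):
        print(case["severity"], case["alert_ids"], case["entities"])
```

On the sample, six alerts from four tools collapse to three cases: the four alerts touching ws-042 and jdoe during the morning become one case carrying the highest severity of its members, the database IDPS alert stands alone, and the evening EDR alert on the same workstation stays separate because it falls outside the window. Because linking is transitive, a long chain of alerts each within the window of the next will keep extending one case; in practice the window is tuned per entity kind (hosts warrant a wider window than source IPs, for example) and a case is closed once an analyst resolves it.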
8. Security Orchestration Reduces Manual Processes and False Alarms
A major challenge in the traditional IT security ecosystem has been the difficulty of responding to an increasing number of alerts across the growing number of tools needed to maintain a tenable security posture. The addition of any software tool to an organization's security arsenal must therefore reduce workload for IT operators—not increase it—in order to be effective.
With SOAR applications, the security operations center can readily automate manual processes, including the routine handling of low-severity alerts and the suppression of known false positives. As a result, security teams can better focus their attention on diagnosing and mitigating genuine security threats.
9. Security Orchestration Addresses Major Sources of Security Threats
The combination of security orchestration and automation allows IT operators to automate security responses that require input or action from one or more security monitoring tools. This means that enterprise organizations can implement automated, multi-step, predetermined responses to the most common types of cyber attacks.
Attackers increasingly use phishing emails and social engineering to trick employees into inadvertently divulging company data. With SOAR tools, IT operators can set up an automated response to suspected phishing emails that includes steps like:
- Analyze incoming email for signs of a phishing attack
- Identify and intercept emails that come from suspicious senders or blacklisted IP addresses
- Blacklist the sender of a phishing email and prevent them from sending email to other company addresses
- Notify security team members that an attack was detected
The ability to respond to threats automatically from a predefined playbook can allow security orchestration tools to address major security threats mostly on their own, and often with minimal manual input from IT operators.
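The four-step phishing playbook above, written out as an added example that is not code from the original article or from any vendor's SOAR platform. It uses only the Python standard library. The company domain, the sender and IP blocklists, the indicator weights and the "actions" list are hypothetical stand-ins for the mail-gateway, threat-intelligence and ticketing integrations a real platform would call; the sample message is constructed.

```python
"""Automated phishing-email triage playbook.

Added example for the four playbook steps above; not code from the original
article or from any vendor's SOAR platform. Company domain, blocklists and
the "actions" strings are hypothetical stand-ins for real integrations; the
sample message is constructed.
"""
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                             # assumed tenant domain
SENDER_BLOCKLIST = {"evil.example.net"}                    # assumed gateway policy
IP_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]    # assumed threat-intel feed
WEIGHTS = {"sender_blocklisted": 60, "origin_ip_blocklisted": 40,
           "reply_to_mismatch": 15, "sender_lookalike_domain": 30, "lookalike_url": 30}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a credential lure sent from a lookalike domain.
SAMPLE_EMAIL = """\
Received: from mail.example.com ([192.0.2.10]) by mx.example.com; Tue, 4 Jun 2019 09:00:00 +0000
Received: from relay.evil.example.net ([203.0.113.45]) by mail.example.com; Tue, 4 Jun 2019 08:59:58 +0000
From: "IT Service Desk" <helpdesk@examp1e.com>
Reply-To: collect@evil.example.net
To: jdoe@example.com
Subject: Action required: password expires today
Content-Type: text/plain

Your password expires today. Sign in at https://sso.examp1e.com/login to keep access.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(hostname, target=COMPANY_DOMAIN):
    """True when the registrable domain is within two edits of ours but is not ours."""
    registrable = ".".join(hostname.lower().split(".")[-2:])
    return registrable != target and edit_distance(registrable, target) <= 2


def origin_ip(msg):
    """IP of the earliest hop: the last Received header is the one nearest the sender."""
    for header in reversed(msg.get_all("Received") or []):
        match = IP_RE.search(str(header))
        if match:
            return match.group(1)
    return None


def analyze(raw, blocklist=SENDER_BLOCKLIST):
    """Steps 1 and 2: extract indicators and check them against the blocklists."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    reply_domain = reply_to.rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content() if body else "")
    ip = origin_ip(msg)

    indicators = []
    if sender_domain in blocklist:
        indicators.append("sender_blocklisted")
    if ip and any(ipaddress.ip_address(ip) in net for net in IP_BLOCKLIST):
        indicators.append("origin_ip_blocklisted")
    if reply_domain and reply_domain != sender_domain:
        indicators.append("reply_to_mismatch")
    if is_lookalike(sender_domain):
        indicators.append("sender_lookalike_domain")
    if any(is_lookalike(urlparse(u).hostname or "") for u in urls):
        indicators.append("lookalike_url")
    return {"sender": sender, "sender_domain": sender_domain, "origin_ip": ip,
            "urls": urls, "indicators": indicators}


def run_playbook(raw, blocklist=SENDER_BLOCKLIST, threshold=50):
    """Steps 3 and 4: block confirmed senders and raise the alarm; hand the rest to a human."""
    report = analyze(raw, blocklist)
    report["score"] = sum(WEIGHTS[i] for i in report["indicators"])
    if report["score"] >= threshold:
        blocklist.add(report["sender_domain"])   # stand-in for a mail-gateway API call
        report["verdict"] = "phishing"
        report["actions"] = ["quarantine_message", "block_sender:" + report["sender"], "notify_soc"]
    elif report["indicators"]:
        report["verdict"] = "suspicious"         # automation stops here; an analyst decides
        report["actions"] = ["open_case_for_analyst"]
    else:
        report["verdict"] = "clean"
        report["actions"] = []
    return report


if __name__ == "__main__":
    result = run_playbook(SAMPLE_EMAIL, blocklist=set(SENDER_BLOCKLIST))
    print(result["verdict"], result["score"], result["indicators"], result["actions"])
```

The sample lure trips four indicators (origin IP on the blocklist, Reply-To pointing at a different domain, a typo-squatted sender domain and a link to the same lookalike domain), scores well above the threshold, and is quarantined with its sender domain added to the blocklist, so a second copy sent to another mailbox is caught by the blocklist check on its own. A message with only a weak indicator lands in the "suspicious" path and is turned into a case for an analyst rather than acted on, which is the balance between automation and human judgment the earlier section calls for. In production the registrable-domain logic should use the public suffix list, the weights and threshold should be tuned against the organisation's own mail, and the blocking and notification calls would be the gateway and ticketing integrations the platform provides.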
10. Security Orchestration Breaks Down Silos and Promotes Collaboration
Major security incidents at mid-sized or enterprise organizations are rarely resolved by a single IT operator; they are frequently escalated through Tier 1 and Tier 2 support and eventually involve Tier 3 personnel, IT managers, CSOs, CISOs, and other stakeholders. In a traditional IT security environment this creates complications, because the information needed to assess a particular case may be spread across several or even dozens of applications. When each stakeholder must pull information from several sources to understand the issue, collaborative resolution slows significantly.
Security orchestration platforms provide full visibility and accessibility into the security incident for all roles, so when an escalation happens, the IT manager can simply sign in to the SOAR platform, review all of the case-related notifications aggregated in one place, and more quickly develop their perspective on how to resolve the event. An integrated SOAR platform creates a collaborative hub where stakeholders can work together to resolve security issues, and where the streamlined flow and integration of information is a powerful advantage against cyber attackers.
Cherwell Service Management Offers Integration with Leading SOAR Platforms
Cherwell is constantly looking for ways to enhance its service offerings for enterprise security, both through its own proprietary Information Security Management Solution (ISMS) and through partnerships with industry leaders in corporate cyber security.
In 2018, Cherwell announced a partnership that sees our award-winning Cherwell Service Management platform integrated seamlessly with Ayehu's robust, artificial-intelligence-powered SOAR solution. The integration of Cherwell's ITSM and ITOM capabilities with Ayehu's intelligent automation and orchestration means that IT departments can:
Learn more about how Cherwell's service platform can help you maximize the impact of your SOAR solution and secure your organization against cyber attacks.