What is Security Orchestration? - PowerPoint PPT Presentation

Description:

Those in the know understand that security orchestration and its benefits stretch much further than simple security automation to bring together the various tools and techniques used by security operations. Yes, it’s easy to see why security orchestration and automation are used in the same breath – they certainly go together. And really, would you want one without the other?



1
What is
Security Orchestration?
2
Introduction
  • Some things just go together. Peanut butter and
    jelly. Gin and tonic. Bacon and more bacon. The
    same is true for security automation and
    orchestration. So much so that the two often get
    used interchangeably. However, just like peanut
    butter will never actually be jelly, security
    orchestration and security automation aren't the
    same thing.

3
Security Operation Tools
  • The vast majority of security operations centers
    typically have dozens of security tools to
    detect, investigate and remediate threats.
    Because organizations have a tendency to favor
    investing in best-of-breed tools, most teams are
    left to manage tools that don't talk to one
    another. This in itself introduces a huge amount
    of inefficiency and wasted time as security
    analysts in enterprise organizations and managed
    security services providers (MSSPs) alike
    navigate multiple screens and learn a variety of
    systems to do their jobs effectively.

4
CyberSecurity SOC
  • Security orchestration at its simplest is the
    connection and integration of an ecosystem of
    cybersecurity technologies and processes. It is a
    concept that is seemingly more elusive yet more
    necessary for today's SOCs than ever.

5
What Does Security Orchestration
6
Security Orchestration Remedies
  • Teams have become accustomed to relying on tribal
    knowledge and filling in the blanks on their own
    as they investigate, triage and remediate
    security events. And did we mention that most of
    these tasks are done manually? It's no wonder
    investigations take longer, steps get missed and
    each incident is handled differently. Security
    orchestration remedies these challenges by
    bringing together disparate tools so they work in
    concert with one another and by codifying and
    streamlining the processes that surround the
    technologies.

7
Going Beyond Alerts
  • Context is everything when investigating a
    security alert. Let's say you have a user who
    received a suspected phishing email. On its own,
    that alert doesn't tell you much. You would have
    to put on your detective hat and start looking
    for other clues.
  • What IP did it come from?
  • Did any other users receive an email from the
    same IP?
  • What does threat intelligence say?
  • The list goes on and on.
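
The pivots listed on this slide, written as one codified playbook step. This is an added example, not part of the original presentation; the mail log, the threat-intelligence feed, the field names and the severity rule are constructed assumptions.

```python
import ipaddress

# Constructed sample data: documentation IP ranges and example.com mailboxes.
MAIL_LOG = [
    {"src_ip": "203.0.113.45", "rcpt": "alice@example.com", "subject": "Invoice overdue"},
    {"src_ip": "203.0.113.45", "rcpt": "bob@example.com", "subject": "Invoice overdue"},
    {"src_ip": "198.51.100.7", "rcpt": "carol@example.com", "subject": "Lunch?"},
]
# Hypothetical local threat-intelligence feed keyed by network.
THREAT_INTEL = [
    {"network": "203.0.113.0/24", "label": "phishing-infrastructure", "confidence": 80},
    {"network": "203.0.113.32/27", "label": "known-phish-sender", "confidence": 95},
]


def intel_lookup(ip, feed=THREAT_INTEL):
    """Return the highest-confidence feed entry covering ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed address in the alert: nothing to match
        return None
    hits = [e for e in feed if addr in ipaddress.ip_network(e["network"])]
    return max(hits, key=lambda e: e["confidence"], default=None)


def enrich_phishing_alert(alert, mail_log=MAIL_LOG, feed=THREAT_INTEL):
    """Answer the slide's questions for one alert and attach a triage severity."""
    src_ip = alert["src_ip"]
    # Did any other users receive an email from the same IP?
    others = sorted({m["rcpt"] for m in mail_log
                     if m["src_ip"] == src_ip and m["rcpt"] != alert["rcpt"]})
    # What does threat intelligence say?
    intel = intel_lookup(src_ip, feed)
    # Assumed rule: both signals -> high, one -> medium, none -> low.
    severity = ("low", "medium", "high")[bool(others) + bool(intel)]
    return {"src_ip": src_ip, "other_recipients": others,
            "intel": intel["label"] if intel else None, "severity": severity}


if __name__ == "__main__":
    print(enrich_phishing_alert({"rcpt": "alice@example.com", "src_ip": "203.0.113.45"}))
```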

8
Security CSI
  • Security analysts roughly follow the same thought
    processes, often whiteboarding out the various
    steps, entities and relationships involved in a
    threat.
  • This would be an important step for the team
    investigating our phishing example, and a
    time-consuming one given the amount of manual
    effort involved.

9
Teamwork Dream Work
  • Investigating and remediating cybersecurity
    incidents is rarely a solo effort. Tier 1
    analysts often need to escalate to Tier 2 and
    Tier 3 personnel. Managers and CISOs require
    visibility and the ability to jump in when
    needed. Security orchestration provides a
    mechanism for collaboration by breaking down not
    just silos between the various security
    technologies, but also by providing a hub for
    security processes and the people running them.

10
How The System Is Going
  • As with any technology, security orchestration is
    only useful if it works as intended. Measurement
    and KPIs are notoriously tough for SOC teams,
    and that's when they know what to measure and how
    to best extract reporting from their various
    tools.
  • Security orchestration enables robust reporting
    and business intelligence because of the way it
    brings together disparate tools and processes.

11
Conclusion
  • Those in the know understand that security
    orchestration and its benefits stretch much
    further than simple security automation to bring
    together the various tools and techniques used by
    security operations. Yes, it's easy to see why
    security orchestration and automation are used in
    the same breath – they certainly go together. And
    really, would you want one without the other?