What Is Security Orchestration?

What is security orchestration? Our definition that we have here is a method of connecting security tools and integrating disparate security systems to streamline processes and power automation. What that really means is making security teams more effective.

Now let's go into some brief history about this. You may have heard of orchestration as a concept before, and that's because developers in IT operations have utilized this concept before in their workflows. Historically developers in IT operations used to work very heavily in silos, but by utilizing orchestration and automation they've been able to bridge the gap and collaborate together. Us, in security, have seen the sort of revolution over on that side of the organization, and so it made natural sense since it had been effective for them, to try to apply it to security to see if it's going to be effective for us.

That leads me to the why now portion. Why security orchestration, why now? What this really boils down to is three talking points, and that is disparate environments and tools, so there are so many environments out there, there are so many networks in a single organization, there are devices, there are tools, there are products. The problem is none of these are connected, so this leads to another problem, which is probably the major problem of overwhelm security teams. Security teams right now are already dealing with a complexity of attacks, different tools that exacerbate the problem as well, and again none of these are connected. They get so many incidence and alerts in every single day and they are not enough people to handle all of these things coming in.

To add on to that there's a cybersecurity talent shortage, so even if they could hire people and they want to hire more people to fill these roles, there aren't enough to hire them. What this really boils down to is teams can't keep up. Orchestration and automation are natural fits to help solve for these many challenges that security teams are facing today.

The way that I like to look at it is orchestration is process-based and automation is task-based. You can automate a series of any amount of tasks that you want, but automation solely alone is just task based. With orchestration, the process behind it, you can tell what automated tasks to automate and in what order they need to automate in. Use case in action to help you understand these concepts is a problem that almost every organization faces today, and that is phishing.

The way security teams today usually handle phishing without orchestration and automation is a member of the organization will forward an email to the security inbox and the security team will triage out of that inbox. All this is done manual right now, so someone forwards an email, a security practitioner takes that email, and the things that they will do are grab the attachments and detonate them in a sandbox. They're going to grab all of the URLs, any links, any domains, and they're going to run them through threat intel sources to see if there is malicious information in them. They're going to do several of these and probably several different tools to have a confidence level to say, "Yes, this is phishing, or no this is not phishing."

By this point, this usually takes about 30 minutes per email potentially for them to manually do. On the other hand, with orchestration automation you can automatically detect when a new email hits an inbox, you can automatically grab the attachments and detonate them, you can automatically grab the URLs, the domains, and then throw them through threat intel sources, and you can serve up a report to the security practitioner. The difference there is that might take only a few minutes where this takes 30 minutes.

Not only does this help them tackle more of these potential phishing threats every single day, but it allows them to reduce their time to resolution, which really means you're reducing your exposure to potential compromise.

That's it for this week's Whiteboard Wednesday. We'll talk to you next week.