16 Oct
Cybersecurity orchestration is key to a safer environment
Those concerned about becoming a cybersecurity headline will do well to dwell on orchestration. Writing for our Cybersecurity Awareness Month coverage, Vibin Shaju, VP Solutions Engineering EMEA, Trellix, says it is the quickest route to a safer environment.
The headlines are plentiful, as are their numbers: cyberattacks in the Arab Gulf region are on the rise. It started with lockdowns, but while we were able to come up with vaccines that were extremely effective against Covid strains, to this day no such global fix is available for cyber breaches. The picture painted of today’s SOC is familiar and vivid. More IT complexity; more third-party networks; more personal devices; more users; more attack surface. More problems. On the flip side: less visibility; fewer resources; less time; less incentive for security staff to stick around; less talent. Less chance of staving off an attack.
These challenges are evidenced in Trellix’s recent Mind of the CISO report — two thirds (66%) of CISOs in the UAE and KSA still believe their organisation lacks the right people and processes to be cyber resilient and almost three quarters (74%) believe their current technology setup is insufficient.
Security orchestration can come to the rescue here. It simplifies and shrinks the threat response process. A range of technologies come together to automate tasks that can be easily broken down and algorithmically defined. Orchestration does not call for an automation of everything. Some tasks are unnecessary and can be jettisoned. Others require human-like reasoning. If the focus is kept on the potential for high-value output, and the task is repeated often or consists of repetition, it is a prime candidate for orchestration.
It’s about time
When an alert is first raised, analysts look for information such as email address, domain, IP, or URL to see whether any of it is on a watchlist. There is no reason why automated services cannot query domain resources such as WHOIS or threat intelligence feeds such as VirusTotal. Even though these initial queries are straightforward, they can take up to 15 minutes each. If we consider that the volume of alerts is often in the hundreds per week, it could take the entire working week of an analyst, or perhaps multiple analysts, to get it done. In other words, orchestration gives us alert enrichment.
The same can be said of potentially harmful emails. Once a security professional is informed of a suspicious message, they parse the email and its components, including source, links, and attachments. Tens of minutes multiplied by hundreds or even thousands of messages a week equates, again, to several analyst-workdays of labour. All this work, including report composition and quarantining, can be automated.
It is a similar story with endpoints. Analysis is routinely followed by decisions over whether to quarantine the device. Queries are repeatable and hence automatable. Indicators of compromise (IOCs) can come from network, email, and sources. Already you can see the pattern: time per alert multiplied by number of alerts resulting in time wastage that amounts to multiples of a human analyst’s weekly workload.
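The alert-enrichment and suspicious-email steps described above can be sketched as follows. This is an added example, not code from the article or from Trellix; the sample message, the watchlist contents and the function names are constructed for illustration, and the in-memory watchlist stands in for WHOIS or threat-intelligence lookups.

```python
import hashlib, re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ATTACHMENT = b"constructed attachment bytes"  # sample payload, not real malware
# Constructed watchlist standing in for WHOIS / threat-intelligence lookups.
WATCHLIST = {"domain": {"login-example.test"},
             "sha256": {hashlib.sha256(ATTACHMENT).hexdigest()}}

def build_sample() -> bytes:
    """Constructed suspicious message used as offline input."""
    m = EmailMessage()
    m["From"] = "Billing <billing@login-example.test>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Invoice overdue"
    m.set_content("Pay here:\nhttp://login-example.test/pay?id=1\n"
                  "Help:\nhttps://docs.example.org/faq\n")
    m.add_attachment(ATTACHMENT, maintype="application",
                     subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()

def extract_indicators(raw: bytes) -> dict:
    """Parse source, links and attachments out of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    hashes = {hashlib.sha256(p.get_content()).hexdigest()
              for p in msg.iter_attachments() if isinstance(p.get_content(), bytes)}
    return {"sender": sender,
            "domain": sorted({sender.rpartition("@")[2]} | (hosts - {None})),
            "sha256": sorted(hashes)}

def triage(raw: bytes) -> dict:
    """Enrich indicators against the watchlist and compose a short report."""
    ind = extract_indicators(raw)
    hits = [(kind, v) for kind in ("domain", "sha256")
            for v in ind[kind] if v in WATCHLIST[kind]]
    return {"sender": ind["sender"], "hits": hits,
            "action": "quarantine" if hits else "release"}

if __name__ == "__main__":
    print(triage(build_sample()))
```

Only messages with no watchlist hit fall through to "release"; everything the analyst would otherwise look up by hand arrives already attached to the report.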
Practice makes perfect
Orchestration is the answer, but only if one observes the requisite best practices. Timing and selection of when to automate or orchestrate operations is critical. You must also take care in deciding the manner in which things are orchestrated. Orchestration comes with a price tag, like every other digitalisation strategy. Carefully choosing where to deploy it is therefore financially prudent. Assemble everything you know about your environment and, through collaboration among security professionals, determine where the low-hanging fruit dangles. This process involves identifying any high-value, regularly repeated processes. These will become the automation targets.
Once you deploy automation, your security talent will be free to devote themselves to the other side of security operations — threat hunting. Remember that by this stage we have taken all the repetitive grind from their plates. They only respond to alerts that have a high probability of being genuine threats. Their expertise is leveraged in doing the things that only humans can do. Orchestration involves not only automation but simplification and optimisation, further improving the employee experience for all those working in the SOC.
To a security nerve-centre, data is everything. Making sure data is clean, consistent, and accurate is a mission-critical requirement of security orchestration. The centralisation of security intelligence and operations is the central goal. Orchestration will be a key enabler of this objective, but it will not work if all data feeds are simply combined. This may just lead to white noise and an even more hectic ecosystem. Data playbooks should be used to correlate and integrate data from different sources. The playbooks will document processes programmatically and include details of contingencies. These processes can then be mapped onto a human or machine task as needed.
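A small sketch of such a playbook, showing feeds being normalised and correlated rather than merely concatenated, and each step mapped to a human or a machine with a contingency. This is an added example, not the article's or any vendor's code; the feed records, field names, step names and the two-source threshold are all hypothetical.

```python
from collections import defaultdict

# Constructed records from two feeds that name the same fields differently.
EDR_FEED = [{"host": "WS-12", "remote_ip": "203.0.113.7"}]
PROXY_FEED = [{"client": "ws-12 ", "dst": "203.0.113.7"},
              {"client": "ws-40", "dst": "198.51.100.9"}]

# Per-source field mapping into one schema: the "clean, consistent" step.
SCHEMA = {"edr": {"host": "host", "remote_ip": "indicator"},
          "proxy": {"client": "host", "dst": "indicator"}}

def normalise(source, record):
    """Rename source-specific keys and canonicalise values."""
    out = {"source": source}
    for src_key, dst_key in SCHEMA[source].items():
        out[dst_key] = record[src_key].strip().lower()
    return out

def correlate(feeds):
    """Group events by (host, indicator) and record which sources saw each pair."""
    groups = defaultdict(set)
    for source, records in feeds.items():
        for rec in records:
            ev = normalise(source, rec)
            groups[(ev["host"], ev["indicator"])].add(source)
    return groups

# Playbook as data: each step names its executor and a contingency.
PLAYBOOK = [
    {"step": "isolate_host", "executor": "machine",
     "when": lambda srcs: len(srcs) >= 2, "on_failure": "page on-call analyst"},
    {"step": "review_single_source_alert", "executor": "human",
     "when": lambda srcs: len(srcs) == 1, "on_failure": "escalate to SOC lead"},
]

def plan(feeds):
    """Turn correlated events into tasks assigned to a human or a machine."""
    tasks = []
    for key, sources in sorted(correlate(feeds).items()):
        for step in PLAYBOOK:
            if step["when"](sources):
                tasks.append((key, step["step"], step["executor"], step["on_failure"]))
    return tasks

if __name__ == "__main__":
    for task in plan({"edr": EDR_FEED, "proxy": PROXY_FEED}):
        print(task)
```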
Finally, as the orchestration team narrows its decisions on which security processes will be automated, it should think in terms of optimising operations. Remember that it is perfectly acceptable to dump a task if it does not add value. If you are wondering whether a task adds value, ask what its outcome is. And if the task adds value, then consider if there are other ways to achieve it. Can the process be streamlined to fewer steps?
One of the major benefits of orchestration is its universality. It can add value for any enterprise at any scale in any industry. Adopters do not need to attain a particular level of maturity before implementation. They need only follow the best-practice principles laid out here. Understand the environment, familiarise yourself with the resources on hand and the risks inherent to your unique business, and formulate security goals that match this discovery process.
Automate selectively and reclaim time for security talent. Do this, and they will become threat hunters. This increases cyber maturity and reduces risk.
Vibin Shaju, VP Solutions Engineering EMEA, Trellix