Page 20 - Cyber Warnings
Security Orchestration is more than Automation
The Myth of the Unmanned SOC
by Amos Stern, CEO, Siemplify
It’s no secret that security operations is under fire. In most enterprises, the only thing standing between a normal day and a financially devastating data breach is the security analyst. Yet, despite decades of investment in cyber security protection, detection, and intelligence tools, the analyst lacks a centralized software platform to operationalize all of this data in time to effectively prevent breaches from occurring. Drowning in a sea of alerts, and with the business on the line, SOC analysts are desperately seeking solutions. Automation is being hailed as the answer.
But what does “security automation” really mean?
Automation is only one facet of Orchestration
Among cyber professionals, orchestration and automation are frequently used interchangeably. Some have positioned orchestration as the “next” phase of automation. It’s no wonder security leaders are confused. In our review of the landscape, almost all automation point solutions simply remediate individual, low-level alerts. The idea is that this will offload a portion of the analyst workload to free up time to investigate the important stuff. But with what tool?
To be clear, automating the response to low-level, false-positive, and duplicate alerts is just one piece of orchestration. The list of individual processes that can be automated is growing, and effective automation simplifies routine tasks so they execute with far more efficiency. Yet even the most advanced automation systems filter only a percentage of the security alerts that register on a company’s network.
Even if organizations could automate the full scope of alerts, leaders are simply not inclined to turn over complete control of their security to a black box. Thus, for most organizations, incident responders are still required to sort through alerts and make the tough calls as to whether an attack is truly occurring. The analyst is more important than ever. The question is how to empower them and strike the right balance between machine-driven and analyst-driven response. The answer is orchestration. In security parlance, orchestration is a method of connecting security tools, integrating disparate security data, and providing security teams the broad functionality to respond to all types of threats. When executed properly, it is the connective tissue that streamlines security processes and powers effective security response.
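The two layers the article separates, automation that disposes of duplicate and known false-positive alerts, and orchestration that integrates what remains from several tools into something an analyst can judge, can be shown in a small triage pipeline. The following is an added example, not code from the article or from Siemplify. The tool names (edr, proxy, av), the alert fields, the deduplication window, the suppression rule and the sample alert feed are all constructed assumptions for illustration; the point is the division of labour, with a stat showing what share automation handled and a per-host storyline handed to the analyst rather than a black-box verdict.

```python
"""Added example (not from the article or Siemplify): automation first, then
orchestration. Constructed alerts from hypothetical tools are deduplicated and
known false positives suppressed automatically; the remainder is integrated into
per-host storylines for an analyst. All names, fields and rules are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    source: str   # which tool raised it (constructed tool names)
    host: str
    rule: str
    detail: str
    ts: int       # seconds since an arbitrary epoch (constructed)


# Constructed sample feed: duplicates, a known-benign pattern, and one multi-tool chain.
SAMPLE_ALERTS = [
    Alert("edr", "ws-017", "macro_exec", "winword.exe spawned powershell.exe", 100),
    Alert("edr", "ws-017", "macro_exec", "winword.exe spawned powershell.exe", 101),  # duplicate
    Alert("proxy", "ws-017", "rare_domain", "GET to newly-seen domain", 130),
    Alert("edr", "ws-017", "cred_access", "lsass.exe handle opened", 160),
    Alert("av", "ws-042", "eicar_test", "EICAR test file quarantined", 200),  # assumed known FP
    Alert("av", "ws-042", "eicar_test", "EICAR test file quarantined", 205),  # duplicate
    Alert("proxy", "ws-099", "rare_domain", "GET to newly-seen domain", 300),
]

# Automation layer: suppression rules a team would maintain (assumed example content).
KNOWN_FALSE_POSITIVE_RULES = {"eicar_test"}
DEDUP_WINDOW_S = 300  # an identical alert within this window counts as a duplicate


def deduplicate(alerts, window=DEDUP_WINDOW_S):
    """Drop repeats of the same (source, host, rule, detail) seen within `window` seconds."""
    last_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.source, a.host, a.rule, a.detail)
        if key in last_seen and a.ts - last_seen[key] <= window:
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept


def suppress_known_fp(alerts, rules=KNOWN_FALSE_POSITIVE_RULES):
    """Automatically close alerts whose rule is on the known-false-positive list."""
    return [a for a in alerts if a.rule not in rules]


def build_storylines(alerts):
    """Orchestration layer: merge alerts from every tool into one timeline per host,
    so the analyst sees the chain of events rather than isolated alerts."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    return dict(by_host)


def escalation_priority(storyline):
    """Rank a storyline by how many distinct tools and rules corroborate it.
    A multi-tool, multi-stage chain outranks a lone alert; the analyst still decides."""
    return (len({a.source for a in storyline}), len({a.rule for a in storyline}))


def triage(alerts):
    """Run automation, then hand the remainder to the analyst as storylines.
    Returns (storylines, stats); stats records what share automation disposed of."""
    after_dedup = deduplicate(alerts)
    after_fp = suppress_known_fp(after_dedup)
    stats = {
        "received": len(alerts),
        "duplicates_removed": len(alerts) - len(after_dedup),
        "false_positives_suppressed": len(after_dedup) - len(after_fp),
        "for_analyst": len(after_fp),
        "automated_fraction": round(1 - len(after_fp) / len(alerts), 2),
    }
    return build_storylines(after_fp), stats


if __name__ == "__main__":
    stories, stats = triage(SAMPLE_ALERTS)
    print(stats)
    ranked = sorted(stories.items(), key=lambda kv: escalation_priority(kv[1]), reverse=True)
    for host, chain in ranked:
        print(host, "priority", escalation_priority(chain))
        for a in chain:
            print(f"  t={a.ts:>3} [{a.source}] {a.rule}: {a.detail}")
```

On the constructed feed, automation removes two duplicates and one known false positive (43% of what arrived), and the orchestration step presents the analyst with a three-stage storyline on ws-017 corroborated by two tools, ranked above the single unexplained proxy alert on ws-099. Nothing is closed as "attack" or "no attack" by the code; that call stays with the responder, which is the balance the article argues for.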
Effective Orchestration Applied
You cannot find or eradicate the threat by playing whack-a-mole with individual alerts. Humans must contextualize alerts and security data into a threat storyline, using automation as an enabler along the way. Comprehensive security orchestration is all about providing the
20 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide