Decoded: Security orchestration

Security orchestration is a method of connecting security tools and integrating disparate security systems. Our latest Decoded article introduces the concept and the technologies as well as the benefits.

By Andy McCue

Tue 25 Jul 2017 @ 17:30

I'm increasingly hearing the term 'security orchestration' as a way IT security teams can better tackle today's cyber-threats. But what's it all about?

The simplest explanation is that security orchestration is a way of connecting disparate security tools and systems and automating processes to detect and respond to incidents faster. However, it's worth briefly taking a step back to understand the need for orchestration in the wider context of the changing security threat landscape.

OK, so how is that enterprise security threat landscape changing?

Cyber-attacks are becoming increasingly sophisticated through techniques such as spear-phishing, custom malware, zero-day exploits, social engineering and ransomware. According to research by analyst Enterprise Security Group, more than a third (36 per cent) of cyber-security professionals say keeping up with the volume of security alerts is their top challenge and, worryingly, some 42 per cent admitted their organisation ignores a significant number of security alerts because they can't keep up with the volume. The chances of being compromised are high and the cost can be devastating. The mean cost to companies globally went up in 2016 to $9.5m, according to the Ponemon Institute's annual cost of cybercrime survey. The reality facing enterprises today is that it's a question of when a breach will occur, not if.

That all sounds pretty bleak. What can organisations do to tackle this onslaught of cyber-threats?

What we're seeing is a move from traditional prevention-centric security approaches to rapid detection and response. Analyst Gartner estimates nearly two-thirds (60 per cent) of enterprise security budgets will be spent on these detection and response approaches by 2020, up from less than 30 per cent in 2016. Perfect protection is simply not achievable, warns Gartner.

Why is it that rapid detection and response is so important?

The longer an incident or breach goes undetected, the greater the potential for devastating consequences. The sophistication of attacks and the sheer volume of 'noise' that security teams have to analyse means this is still a huge challenge for many organisations. The critical factor is the ability to reduce what is called mean time to detect (MTTD) and mean time to respond (MTTR). The median time from compromise to detection actually fell by nearly 50 days in 2016, but at 99 days it's still a pretty shocking figure.

I'm guessing that's where security orchestration comes in, right?

Exactly. Security orchestration enables time-stretched and overloaded security analysts to quickly make sense of the noise from all their tools and systems, detect potential breaches, streamline investigations and resolve incidents faster. It prevents threats slipping through the net.

So how does security orchestration actually work?

It is a platform to integrate existing security tools and systems. Organisations can replace slow, manual processes with automated actions and responses to incidents. Centralised workflows enable the prioritisation of tasks and recommend the best course of action, ultimately reducing those all-important MTTD and MTTR times.

What kind of technologies does security orchestration incorporate?

There are many elements to any security orchestration and automation platform. Instant automation enables security teams to set up immediate investigation and remediation responses for certain activities detected in the IT environment, which means faster recognition and mitigation of threats. Threats can be automatically assessed and scored against risk factors so that those posing the greatest risk can be given higher priority. A customisable, centralised workflow interface provides a real-time feed of investigation and response activities and enables the creation of a case with a single click. A central repository for evidence and information, which any authorised user can view from any screen and add notes to, enables real-time collaboration.
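As an added illustration that is not from the article or any vendor's product: a toy Python triage pipeline showing the pieces just described, normalising alerts from disparate tools into one shape, scoring them against risk factors, prioritising, and firing pre-approved automated first responses. The tool names, hosts, weights and playbook actions are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample alerts, each in its source tool's own schema (field names differ).
RAW_ALERTS = [
    {"src": "edr", "host": "fin-ws-07", "signal": "ransomware_behaviour", "sev": "high"},
    {"src": "mail_gw", "host": "hr-ws-12", "signal": "spear_phish_click", "sev": "medium"},
    {"src": "ids", "host": "lab-vm-03", "signal": "port_scan", "sev": "low"},
]
# Risk factors the alerts are scored against (weights are assumed, not from any product).
SIGNAL_WEIGHT = {"ransomware_behaviour": 50, "spear_phish_click": 30, "port_scan": 10}
SEVERITY_WEIGHT = {"low": 5, "medium": 15, "high": 30}
CRITICAL_HOST_PREFIXES = ("fin-", "dc-")  # assets whose compromise would be costliest
# Pre-approved first-response steps per detected activity (the "instant automation" part).
PLAYBOOK = {"ransomware_behaviour": ["isolate_host", "open_case"],
            "spear_phish_click": ["reset_credentials", "open_case"]}

@dataclass
class Alert:
    tool: str
    host: str
    signal: str
    severity: str
    score: int = 0
    actions: list = field(default_factory=list)

def normalise(raw: dict) -> Alert:
    """Map a tool-specific record onto the one shape the central workflow understands."""
    return Alert(raw["src"], raw["host"], raw["signal"], raw["sev"])

def score(alert: Alert) -> int:
    """Assess the alert against the risk factors; higher scores are handled first."""
    s = SIGNAL_WEIGHT.get(alert.signal, 0) + SEVERITY_WEIGHT.get(alert.severity, 0)
    if alert.host.startswith(CRITICAL_HOST_PREFIXES):
        s += 20
    alert.score = s
    return s

def respond(alert: Alert) -> list:
    """Run the playbook for the activity; anything without one is enriched and queued."""
    alert.actions = list(PLAYBOOK.get(alert.signal, ["enrich_and_queue"]))
    return alert.actions

def triage(raw_alerts: list) -> list:
    """Normalise, score and respond, then return the alerts ordered by priority."""
    alerts = [normalise(r) for r in raw_alerts]
    for a in alerts:
        score(a)
        respond(a)
    return sorted(alerts, key=lambda a: a.score, reverse=True)
```

Running `triage(RAW_ALERTS)` puts the ransomware alert on the finance workstation first with its containment steps queued, while the low-risk scan is only enriched for later analyst review.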

How is this security orchestration trend going to evolve?

The need for greater automation and intelligence in tackling cyber-threats is only going to increase. The volume of threats shows no signs of abating and attackers are always developing more sophisticated methods. Analyst Gartner warns that enterprises must adopt more intelligence-driven SOCs that go beyond preventative technologies in the era of detection and response. It says: "To support these required changes in information security programs, the traditional security ops centre must evolve to become the intelligence-driven SOC (ISOC) with automation and orchestration of processes being a key enabler."