Title: Security Orchestration Made Simple
Effective Implementation Processes
Profile of time resources of a typical SOC
Introduction
The challenges faced by a security operations
center (SOC) are many and well documented: the
workload is tremendous, while the workforce is
limited, strained, and ill-equipped to handle the
influx of alerts that constantly bombards its
desktops.
Security Operations Centers
Often the biggest problem facing a SOC is not an
inability to detect security threats but the way
in which the security team addresses those
threats. Relying on manual processes and
disconnected point solutions, analysts are
overwhelmed by the alerts they are expected to
triage, both in number and in variety.
Security Orchestration Solution
Security orchestration bridges the gap between
alert overload and analyst capacity. Executed
effectively, an orchestration platform creates an
integrated fabric across the security footprint,
bringing simplicity, context, and efficiency to
security operations and incident response.
Building Blocks of Effective Security
Orchestration
Effective Security Orchestration
Effective security automation and orchestration
requires a tightly coupled platform with robust
capabilities across a number of components, each
with a distinct but important role. The
effectiveness of orchestration is only as strong
as its weakest link: with a set of isolated
security processes, the entire system is weighed
down if even one part is weak or unreliable.
Context/Enrichment
Security orchestration is built on a
comprehensive process from detection through
response, and to be effective that process must
be built on context. Its underpinning is
enrichment (attaching threat intelligence and
asset information to each alert), clustering
(grouping related alerts into a single case), and
contextualization, leading to prioritized, fully
enriched cases that enable rapid triage.
Security Operations Customer Survey
Workflow
Defined playbooks span the entire security
operations landscape. With so much of the
response process residing solely in the minds and
personal preferences of individual analysts,
defining, documenting, standardizing, and
executing workflows to drive consistency is
essential.
Automation
Security automation is the execution of incident
response workflow steps without human
intervention. The list of individual tasks that
can be automated is growing, and effective
automation handles routine tasks far more
efficiently than manual work. Yet even the most
advanced automation disposes of only a percentage
of the security alerts that register on a
company's network; the remainder still need an
analyst.
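The enrich, cluster, prioritize and automate steps described in the Context/Enrichment, Workflow and Automation sections above, as an added Python example that is not part of this deck or of any vendor's product. The alert feed, the threat-intelligence table, the asset criticality ratings, the severity weights and the playbook rules (block a known-malicious source, isolate a beaconing host, quarantine a PUA hit, hand anything scoring 5 or more to an analyst) are all constructed for illustration; a real platform would pull them from its SIEM, intel feeds and CMDB.

```python
"""Toy orchestration pipeline: enrich -> cluster -> prioritize -> playbook.
All data below is constructed for illustration; the lookup tables stand in
for real threat-intel and asset-inventory integrations."""
from collections import defaultdict

# Constructed alert feed (what a SIEM/EDR would hand to the orchestrator).
ALERTS = [
    {"id": "a1", "source": "ids", "type": "c2_beacon",
     "src_ip": "203.0.113.7", "host": "ws-42", "user": "jdoe"},
    {"id": "a2", "source": "edr", "type": "suspicious_proc",
     "src_ip": None, "host": "ws-42", "user": "jdoe"},
    {"id": "a3", "source": "auth", "type": "failed_logins",
     "src_ip": "198.51.100.9", "host": "vpn-1", "user": "jdoe"},
    {"id": "a4", "source": "ids", "type": "port_scan",
     "src_ip": "192.0.2.55", "host": "db-01", "user": None},
    {"id": "a5", "source": "av", "type": "pua_detected",
     "src_ip": None, "host": "ws-77", "user": "msmith"},
]

# Constructed enrichment sources (assumed values, not from the deck).
THREAT_INTEL = {"203.0.113.7": "malicious", "198.51.100.9": "suspicious"}
ASSET_CRITICALITY = {"db-01": 3, "vpn-1": 3, "ws-42": 1, "ws-77": 1}
BASE_SEVERITY = {"c2_beacon": 4, "suspicious_proc": 3, "failed_logins": 2,
                 "port_scan": 2, "pua_detected": 1}
HUMAN_THRESHOLD = 5  # assumed policy: cases scoring >= 5 need an analyst


def enrich(alert):
    """Attach reputation, asset and severity context so triage needs no manual lookups."""
    out = dict(alert)
    out["ip_reputation"] = THREAT_INTEL.get(alert["src_ip"], "unknown")
    out["asset_criticality"] = ASSET_CRITICALITY.get(alert["host"], 1)
    out["severity"] = BASE_SEVERITY.get(alert["type"], 1)
    return out


def cluster_alerts(alerts):
    """Group alerts sharing an entity (src_ip, host or user) into one case via union-find.
    Returns a list of cases, each a list of alert ids, in order of first appearance."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # (entity kind, value) -> id of the first alert carrying it
    for a in alerts:
        for key in ("src_ip", "host", "user"):
            if a[key] is None:
                continue
            ent = (key, a[key])
            if ent in first_seen:
                union(a["id"], first_seen[ent])
            else:
                first_seen[ent] = a["id"]
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a["id"])
    return list(groups.values())


def prioritize(case_alerts):
    """Case score: worst alert severity + most critical asset + intel weight."""
    sev = max(a["severity"] for a in case_alerts)
    crit = max(a["asset_criticality"] for a in case_alerts)
    reps = {a["ip_reputation"] for a in case_alerts}
    intel = 2 if "malicious" in reps else 1 if "suspicious" in reps else 0
    return sev + crit + intel


def run_playbook(case_alerts):
    """Apply the constructed playbook: containment steps run unattended,
    and the case is routed to a human when its score crosses the threshold."""
    actions = []
    for a in case_alerts:
        if a["ip_reputation"] == "malicious" and a["src_ip"]:
            actions.append(f"block_ip:{a['src_ip']}")
        if a["type"] == "c2_beacon":
            actions.append(f"isolate_host:{a['host']}")
        if a["type"] == "pua_detected":
            actions.append(f"quarantine_file:{a['host']}")
    return actions, prioritize(case_alerts) >= HUMAN_THRESHOLD


def build_cases(alerts=ALERTS):
    """Full pass over the feed; returns cases sorted highest score first."""
    enriched = {a["id"]: enrich(a) for a in alerts}
    cases = []
    for ids in cluster_alerts(alerts):
        members = [enriched[i] for i in ids]
        actions, needs_human = run_playbook(members)
        cases.append({"alerts": ids, "score": prioritize(members),
                      "actions": actions, "needs_human": needs_human})
    cases.sort(key=lambda c: c["score"], reverse=True)
    return cases


if __name__ == "__main__":
    for case in build_cases():
        print(case)
```

With the constructed feed, the three alerts touching user jdoe collapse into one case scoring 9 with the source IP blocked and the beaconing host isolated before an analyst ever opens it; the port scan against the critical database scores 5 and is queued for a human with no automatic action; and the low-risk PUA detection is quarantined and closed by automation alone, which is the "percentage of alerts" automation can dispose of on its own.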
Case Management
Effective case management provides visibility
into the status of all types of cases and ensures
that critical cases are not overlooked. It also
allows security cases to interlock with the
broader IT and operational needs of the company.
Visualization
Many triage and determination decisions require
human intervention. Properly armed analysts
should be able to assess the severity of a case
in seconds. Through a graph representation of the
entities in a case and the alerts that connect
them, analysts can visualize the entire threat
storyline to accelerate decision making,
escalation, and investigation where needed.
KPI / Business Intelligence
Managing security operations end to end requires
measuring the performance of people, processes,
and technologies. Analysts and SOC management
must have visibility into critical KPIs and into
where resources are spent, along with data-driven
dashboards to measure critical data points
throughout security operations.
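The case-status visibility described under Case Management and the measurements called for under KPI / Business Intelligence, as an added Python example that is not part of this deck or of any product. The case ledger, the per-priority acknowledgement SLAs and the evaluation time are constructed for illustration; the KPIs computed (mean time to acknowledge, mean time to resolve, backlog by status, SLA breaches including cases nobody has picked up yet, and the share of cases closed by automation) are the kind of figures a SOC dashboard would track over time.

```python
"""SOC case-management ledger and the KPIs built from it.
Every record below is constructed for the example; the SLA thresholds are
assumptions, not figures from the deck."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed case ledger. Timestamps are ISO-8601 (UTC); None = not yet happened.
CASES = [
    {"id": "c1", "priority": "critical", "status": "closed",
     "created": "2024-05-01T08:00:00", "acked": "2024-05-01T08:05:00",
     "closed": "2024-05-01T10:00:00", "closed_by": "analyst"},
    {"id": "c2", "priority": "high", "status": "closed",
     "created": "2024-05-01T09:00:00", "acked": "2024-05-01T09:30:00",
     "closed": "2024-05-01T12:00:00", "closed_by": "analyst"},
    {"id": "c3", "priority": "low", "status": "closed",
     "created": "2024-05-01T09:10:00", "acked": "2024-05-01T09:10:00",
     "closed": "2024-05-01T09:13:00", "closed_by": "automation"},
    {"id": "c4", "priority": "critical", "status": "open",
     "created": "2024-05-01T11:00:00", "acked": None,
     "closed": None, "closed_by": None},
    {"id": "c5", "priority": "medium", "status": "in_progress",
     "created": "2024-05-01T11:30:00", "acked": "2024-05-01T11:40:00",
     "closed": None, "closed_by": None},
]

# Assumed time-to-acknowledge SLA per priority.
ACK_SLA = {"critical": timedelta(minutes=15), "high": timedelta(hours=1),
           "medium": timedelta(hours=4), "low": timedelta(hours=24)}


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def _mean_minutes(cases, start, end):
    """Mean of (end - start) in minutes over cases where both timestamps exist."""
    spans = [(_ts(c[end]) - _ts(c[start])).total_seconds() / 60
             for c in cases if c[start] and c[end]]
    return sum(spans) / len(spans) if spans else None


def mean_time_to_acknowledge(cases):
    return _mean_minutes(cases, "created", "acked")


def mean_time_to_resolve(cases):
    return _mean_minutes(cases, "created", "closed")


def backlog(cases):
    """Open work by status, so nothing sits unnoticed in a queue."""
    return dict(Counter(c["status"] for c in cases if c["status"] != "closed"))


def sla_breaches(cases, now):
    """Ids of cases acknowledged late, or still unacknowledged past their SLA at `now`.
    Evaluating open cases against `now` is what surfaces a critical case nobody has taken."""
    breached = []
    for c in cases:
        deadline = _ts(c["created"]) + ACK_SLA[c["priority"]]
        acked = _ts(c["acked"])
        if (acked and acked > deadline) or (acked is None and now > deadline):
            breached.append(c["id"])
    return breached


def automation_rate(cases):
    """Share of closed cases that automation resolved without an analyst."""
    closed = [c for c in cases if c["status"] == "closed"]
    auto = sum(1 for c in closed if c["closed_by"] == "automation")
    return auto / len(closed) if closed else 0.0


def kpi_snapshot(cases=CASES, now=datetime(2024, 5, 1, 12, 0, 0)):
    """One dashboard row: the figures SOC management would trend over time."""
    return {
        "mtta_minutes": mean_time_to_acknowledge(cases),
        "mttr_minutes": mean_time_to_resolve(cases),
        "backlog": backlog(cases),
        "ack_sla_breaches": sla_breaches(cases, now),
        "automation_rate": automation_rate(cases),
    }


if __name__ == "__main__":
    print(kpi_snapshot())
```

The breach check deliberately treats an unacknowledged case as late as soon as its deadline passes rather than waiting for someone to pick it up: with the constructed ledger, c4 is a critical case created an hour before the snapshot with no owner, which is exactly the "critical case overlooked" that case management exists to prevent.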
Conclusion
Effective security orchestration needs to
encompass security operations processes from end
to end: gathering data from multiple security
controls; consolidating the relevant data, with
the necessary context, so that analysts can make
the appropriate determination on a case;
executing the incident response flow with
appropriate automation and/or human intervention;
and providing ongoing visibility and situational
awareness.