When looking at any security team, one thing you might notice is that there is a tool for everything. And we do mean everything: ticketing, threat intelligence, security investigations, malware analysis, detection, incident response, advanced persistent threats, security monitoring; the list goes on.
Every organization wants the best of the best to build their defenses. This can often leave their security teams and security operations centers with a tool stack of uncooperative solutions that don’t communicate with one another, with their full value remaining untapped, and they can interrupt or even cancel each other out. The team becomes paralyzed by the sheer number of alerts generated by these solutions, losing time that could be spent on contextualized investigation and response.
We often cite alert fatigue as a common challenge in SOCs, and with good reason. Nobody likes alerts, because whether it's a fire alarm, a car alarm, or an alarm for any other kind of emergency, it signals to us that a real threat is present. But after hearing alerts time and time again, all we hear is the boy who cried wolf. We downplay these alerts because we've spent so much of our precious time combing through them, only for them to turn out to be false. In SOC terms, this leads to real threats being missed, often with devastating consequences.
There is a solution. That solution is connecting the tools that security teams run so that they communicate with each other, doing away with the tedious, time-consuming tasks that have a high potential for human error. Streamlining the process by which tools are used keeps security professionals from losing any of their precious time.
What is Security Orchestration?
Security orchestration is a way of joining and connecting all disconnected security teams and methods into a more pipelined and streamlined approach. This method prevents security teams from being overloaded by the number of alerts generated by all these disconnected solutions, and allows for a better and more cooperative approach.
What can we use Security Orchestration for?
In a Security Operations Center (SOC), efficiency and dismissing the false alerts generated by the security mechanisms in place are critical. For this, we need the in-place security mechanisms to work hand in hand, so that we can squeeze the maximum value out of them.
Security Orchestration is used as the glue between all the processes and mechanisms in the SOC, providing a continuous and refined approach while surfacing the most important and harmful threats. This relieves the pressure of false alerts and reduces the time to remediate actual, more harmful threats.
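To make the "glue" concrete, here is an added example (not code from the original article or from any SOAR product) of a minimal orchestration pipeline in Python. It assumes two hypothetical tools, an EDR and a web proxy, that emit alerts in different schemas, plus a constructed threat-intelligence feed standing in for a real TI platform. The pipeline normalizes both feeds into one schema, drops duplicate alerts, enriches indicators against the feed, correlates alerts per asset, and makes a triage decision so that analysts only see what is worth their time. All tool names, field names and indicator values are constructed for illustration.

```python
"""Minimal SOAR-style alert orchestration pipeline (added example, hypothetical tools)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts from two hypothetical tools with different schemas.
EDR_ALERTS = [
    {"id": "edr-1", "host": "ws-042", "sha256": "aa11", "sev": "medium", "ts": 1000},
    {"id": "edr-2", "host": "ws-042", "sha256": "aa11", "sev": "medium", "ts": 1030},  # duplicate
    {"id": "edr-3", "host": "srv-07", "sha256": "bb22", "sev": "low", "ts": 1100},
]
PROXY_ALERTS = [
    {"alert_id": "px-9", "src": "ws-042", "dst_ip": "198.51.100.7", "level": 2, "time": 1020},
    {"alert_id": "px-10", "src": "ws-100", "dst_ip": "203.0.113.5", "level": 1, "time": 1500},
]

# Constructed threat-intel feed: indicator -> tag. A real deployment would query a TI platform.
TI_FEED = {"aa11": "known-malware-family-X", "198.51.100.7": "c2-infrastructure"}

SEV_MAP = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    """Common alert schema shared by every tool after normalization."""
    source: str
    alert_id: str
    asset: str
    indicator: str
    severity: int  # 1 (low) .. 3 (high)
    timestamp: int
    intel: list = field(default_factory=list)


def normalize_edr(raw):
    return Alert("edr", raw["id"], raw["host"], raw["sha256"], SEV_MAP[raw["sev"]], raw["ts"])


def normalize_proxy(raw):
    return Alert("proxy", raw["alert_id"], raw["src"], raw["dst_ip"], raw["level"], raw["time"])


def dedupe(alerts):
    """Keep the earliest alert per (source, asset, indicator); repeats add no information."""
    seen = {}
    for a in sorted(alerts, key=lambda a: a.timestamp):
        key = (a.source, a.asset, a.indicator)
        if key not in seen:
            seen[key] = a
    return list(seen.values())


def enrich(alerts, feed):
    """Attach threat-intel tags to alerts whose indicator appears in the feed."""
    for a in alerts:
        tag = feed.get(a.indicator)
        if tag:
            a.intel.append(tag)
    return alerts


def build_incidents(alerts):
    """Group alerts by asset, score them and decide what the analyst should see."""
    by_asset = defaultdict(list)
    for a in alerts:
        by_asset[a.asset].append(a)
    incidents = []
    for asset, group in by_asset.items():
        sources = {a.source for a in group}
        intel = [tag for a in group for tag in a.intel]
        # Two independent tools agreeing on the same asset raises confidence by one step.
        severity = min(3, max(a.severity for a in group) + (1 if len(sources) > 1 else 0))
        if intel or len(sources) > 1:
            decision = "escalate"      # corroborated or intel-matched: open a ticket
        elif severity <= 1:
            decision = "auto-close"    # lone low-severity alert with no context
        else:
            decision = "review"        # worth a look, but not an emergency
        incidents.append({
            "asset": asset,
            "severity": severity,
            "sources": sorted(sources),
            "intel": intel,
            "decision": decision,
            "alert_ids": [a.alert_id for a in group],
        })
    return incidents


def run_pipeline(edr_raw, proxy_raw, feed):
    """Normalize -> dedupe -> enrich -> correlate, highest severity first."""
    alerts = [normalize_edr(r) for r in edr_raw] + [normalize_proxy(r) for r in proxy_raw]
    alerts = enrich(dedupe(alerts), feed)
    return sorted(build_incidents(alerts), key=lambda i: -i["severity"])


if __name__ == "__main__":
    for inc in run_pipeline(EDR_ALERTS, PROXY_ALERTS, TI_FEED):
        print(inc)
```

On the constructed input, five raw alerts collapse into three incidents: the workstation seen by both the EDR and the proxy, with intel hits on both indicators, is escalated at the top severity; the two lone low-severity alerts are auto-closed rather than left for a human to dismiss. The dedupe and auto-close steps are where orchestration removes the noise the article describes, and the escalation rule is where corroboration across tools, not any single tool's verdict, drives the response.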
What are the benefits of Security Orchestration?
There are many benefits of Security Orchestration. Some of them are:
What are the key elements that are needed for SOAR to perform as desired?
SOAR stands for Security Orchestration, Automation and Response. For it to perform as desired, its individual components must be effective. The key elements are: