We Want Robots to Do

          (Part of) Our Job

Achieving Security Operations Efficiencies Through Security Automation and Orchestration (SAO)

We've all heard that the robots are coming. They are vacuuming, operating machines, taking fast food jobs and eliminating checkout clerks. However, in the field of cyber security, robots are late.

The job of an information security analyst today is rife with repetitive, sometimes mundane tasks that are performed based on the analyst's best practices. The operations team as a whole doesn't have it much better. Over the course of budget cycles, organizations have acquired new tools, new solutions and new platforms. Many are fully functional, some haven't yet been deployed and very few are integrated with the rest of the security infrastructure.

Security practitioners have lagged behind others in fields such as information technology in embracing integrated and automated operating environments. Aside from the manufacturing industry, the originator of integrated and automated workflows, the modern business environment began down the path of integration in the early 1990’s when the Object Management Group released the Common Object Request Broker Architecture (CORBA) standard.

This gave rise to several software companies that sold products to assist in codifying business processes and integrating systems throughout the environment. Outside of IBM, Oracle and SAP, think of the integration broker software companies IONA, SeeBeyond Technology and webMethods. Fast forward to 2014, Security Automation and Orchestration (SAO) companies Phantom and Hexadite were founded, with Demisto following close behind in 2015. Other players are quickly jumping in; Exabeam, known for their User and Entity Behavior Analytics (UEBA) platform, introduced an automation module last year.

It is easy to point towards information overload as the primary driver for security automation. Defense in depth is commonly practiced by organizations with mature and maturing security programs. This guiding principle is in place due to the fact that the controls present in a single security product do not completely cover the range of controls required by an organization to properly secure an environment or meet compliance requirements. Security solutions emit alerts and multiple security solutions create an abundance of those alerts.

Understaffed security operations teams suffering from information overload isn’t the only problem. The disparate collection of security solutions in enterprise environments provide alerts without context. Triaging these events involves several repetitive, low value tasks that grow exponentially with each new alert. Human error and oversight increases as the backlog of alerts pending triage grows.

Several solutions that attempt to address these problems have come to market.

Optiv's Partner Research and Strategy team chose to focus on solutions in which the primary function is the automation and orchestration of actions between disparate systems. Organizations will always have an increasing amount of data relative to staffing levels and department budgets.

In the E is for Efficiency white paper, Optiv and Momentum Cyber address increasing security operations efficiencies through SAO solutions and services. These will see increased demand as organizations continue to operationalize their security infrastructure through integrations. Security operations and incident response teams will utilize SAO to gain efficiencies over manual processes, to build consistent processes, and to maximize the value of the existing tool-base.

Automation and orchestration can connect disparate security solutions, and provide use cases that demonstrate the successful outcomes that are possible when security solutions are integrated. Once these gains have been realized, to maintain operational efficiencies, organizations should embrace continuous security validation.

SAO tools are rapidly being included into traditional SIEM/analytics feature sets. The benefits of implementing these tools can include threat prioritization, capability amplification, labor reduction, and consistent workflow. In fact, according to Momentum Cyber: Cybersecurity Snapshot, April 2018, by 2020, 15 percent of organizations with a security team larger than five people will leverage SAO tools, up from less than 1 percent today.

Key findings:

• Tackling alert fatigue - Optiv field research shows that after organizations have deployed a SAO tool, the security operations team is able to keep pace and even get ahead of triaging alerts, providing more time to focus on higher value tasks.
• Deploying automation isn't automated - Rolling out a SAO platform is a complex project that takes coordination between several teams because the platform is integrated with security and IT infrastructure. The deployment process provides participants with a deeper understanding of the configuration and capabilities of the security infrastructure, permitting the team to make incremental improvements with the existing tool base.
• Continuous security validation - When building playbooks for incident response, automation engineers need a rich data set that includes all types of alerts that can be emitted from the tools in the environment. Attack simulation tools can quickly and repeatedly trigger a range of event types to assist in playbook construction.
• The efficiencies gained cannot be ignored – SAO tools are one of the few tools an organization can add to their environment that will result in verifiable improvements in operating efficiencies. Based on the use cases performed during this evaluation, Optiv research shows that the time to triage an alert was reduced by an average of 96 percent.

For an in depth look at SAO and additional means to achieve a more efficient security operations team with automated analysis, triage and remediation, download our E is for Efficiency white paper, co-written with Momentum Cyber.