For many companies, the concept of security orchestration is still relatively new. Security operations teams are scrambling to find a way to keep up with the troves of alerts, threats, and issues, and wondering if security orchestration is really going to solve it all.
Naturally, we hear all sorts of misconceptions about security orchestration — some that couldn’t be further from the truth. In this post, we’ll lay to rest some well-worn myths so that you can separate signal from noise and decide if orchestration is right for your organization.
Myth #1: Orchestration = Automation
While many believe security orchestration and security automation are interchangeable, that isn’t exactly true. To benefit from automation, you first need orchestration, so they should be used in succession. Security orchestration enables you to connect tools together and specify the tasks they need to execute. Once that is set in place, automation takes the reins and executes those tasks end-to-end, from tool-to-tool.
While many mistakenly think they can jump right into automation, it’s the orchestration layer that needs to be in place first to truly reap the benefits of automation. Combined, orchestration and automation make a powerful solution, and are greater than the sum of their parts.
Myth #2: Orchestration means no humans need to be involved
While orchestration can take care of the bulk of repetitive, manual work, humans still need to be involved. In fact, working alongside orchestration, humans can get more done, and faster. While tedious tasks within phishing investigations, user provisioning and deprovisioning, and data enrichment are better suited for machines, strategic tasks like forensics, decision-making, and responding to threats are better suited for humans.
By bringing in security orchestration, your team can level-up its focus to the more strategic work while machines take care of the rest. Not only will this give your team more meaningful work to do, but it will optimize the efficiency of your security operations, and help you get more ROI out of your entire security organization, including your people, processes, and tools.
Myth #3: Orchestration is a one-size fits-all concept
No two organizations operate the same, or leverage the same processes and tools. This is why the security orchestration platform you choose should be customizable and flexible. Most orchestration solutions are easily customizable to your exact use case.
Komand, for example, has a library of more than 130 plugins and a robust visual workflow builder, allowing companies to hook together any combination of tools and then automate processes among them. In this way, security orchestration can be customized to your organization, not generic and unhelpful.
You should also be sure your security orchestration platform allows you to add custom-built integrations, should you need them. While the purpose of orchestration is to take the need to code out of the security equation, you should have the capability to build custom elements if needed, and platforms like Komand allow you to do both.
Myth #4: Orchestration is limited in capability
Security orchestration is only limited by the state of your security operations. As we explain in this post, there are three things you first need to have in order to fully leverage orchestration:
- A team that can benefit from orchestration (more on building your team here)
- Tools that can be orchestrated (more on choosing the right tools here)
- Well-defined processes (more on how to define processes here)
With the fundamental pieces of your security organization in place, you’re primed to benefit from all that orchestration offers. On the other hand, if you implement orchestration before you’ve built a well-oiled operations machine, the value you get out of it will be limited.
With the right tools in place, clearly defined and repeatable processes, and a team that is eager to focus less on the tedious tasks, the benefits of security orchestration should be boundless.
Myth #5: The only way to get effective security orchestration is by building it
Similar to the one-size-fits-all myth, we often hear companies say the only way they’ll be able to leverage orchestration is by building it themselves, and in their language or framework of choice (e.g. Python, Powershell, etc.). While this approach has some merits, it often:
- Is difficult to get started (hard to get development resources)
- Doesn’t work well (not enough security expertise in-house to build and maintain it properly)
- Has a negative ROI (takes far longer than expected and costs way more than estimated)
The whole reason why security orchestration platforms exist is to help teams build orchestration with minimal code, and as fast as possible. Most security teams don’t know how to code, nor have regular access to development resources, so building it themselves isn’t always a feasible solution. Using a security orchestration platform, you can get up and running with little to no coding required.
The Bottom Line
Since it's a relatively new concept, naturally the idea of security orchestration can bring with it some skepticism, doubt, and misunderstanding. But, done right, security orchestration is simply an extension of what security teams have been trying to do all along — gather relevant and contextual information to make better and faster decisions.
If you're evaluating security orchestration, consider the ROI as a strong measure of success. We've got a free white paper on how to calculate your ROI here. Download here.