It’s one thing to have a plan for security orchestration, but it’s another to get it up and running and use it to its full potential.
At this point, most security professionals know that orchestration and automation are a “need to have,” not a “nice to have,” but to fully leverage security orchestration, there are a few considerations that will help you get the most out of your new workflows. Using the "people, process, and technology" model, let's break down the effective components of security orchestration to ensure success in your organization.
Security orchestration is about connecting tools so that workflows can execute automatically. Naturally, you need a good technology foundation in place to fully leverage orchestration, and ultimately, automation.
A Mature (or Maturing) Technology Foundation
First, you should have most, if not all, of the following tools in place:
- Intrusion detection system (IDS)
- Team-wide communication channels (e.g. Slack)
- Threat intelligence feeds
- Malware analysis
These are the most common tools security teams use on a daily basis, and by orchestrating them, they can deliver to you the data you need to inform effective and appropriate responses to incidents.
Open and Robust APIs that Enable Tools to Connect
Secondly, these tools need to have open APIs that allow them to connect to one another and provide the right access to the data needed to complete complex workflows. Thankfully, most modern or web-based tools have open APIs.
However, if you’re still leveraging legacy systems or perhaps have built something in-house that doesn’t connect well with other tools yet, you won’t be able to easily implement it into your workflows. So when you’re choosing security tools, prioritize openness and connectivity to guarantee they will be easier to orchestrate effectively.
Simplified Method to Add or Build Integrations
Now, with the right tools on deck—ones that are able to connect with others—you can begin implementing integrations, either using a library of pre-built integrations or by building them yourself. Utilizing APIs, integrations allow your tools to hook into each other, share data, and execute workflows.
Integrations can be tricky to build in-house unless you have dedicated resources to do so, which is why many companies leverage platforms like Komand that offer hundreds of pre-built integrations so that they can instantly connect their tools and begin orchestrating.
And in the event that an integration does not exist in a library, security orchestration products should ideally enable developers to easily build integrations via easy tooling and robust SDKs.
Process is what binds technology and people together. If you plan on implementing _effective_ security orchestration, processes need to be efficient and effective, as well.
Optimized Processes for Orchestration
As we’ve explained before, the processes that can benefit the most from orchestration often include:
- Data enrichment
- Phishing investigations
- Malware containment
- Vulnerability assessments
- And more
These processes are good candidates for security orchestration because they’re repeatable enough that automation can handle them. This is a win-win, because it means you can level-up your team’s focus and better utilize their expertise.
Clearly Defined Processes
Once you know which processes you need to orchestrate, it’s important that they are well-defined and easy to follow. This will make them easy to build out in your orchestration tool. If you need some help better defining your processes, be sure to grab our free guide on how to create effective processes.
Human and Machine Collaboration
You may find that some of your processes require a mix of human and automated inputs, and this is okay. In fact, there are many scenarios where this is ideal. When dealing with credential containment, for example, you may have a step or two in the process that requires a security analyst to perform deeper forensics, follow up with affected team members, and, ultimately, help to resolve the issue.
Determining where automation comes in (e.g. alerting, notification, gathering data), and where humans do (forensics and response) within each process will make them go smoothly once security orchestration takes the reins. For processes where humans are still required to some degree, be sure they’re well-trained on the processes and understand how they can best insert themselves into them.
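The split described above (automated alerting, notification and data gathering, then a human decision, then automated response) can be expressed as a small playbook with an explicit human gate. The following is an added illustration written for this page, not code from the original post or from Komand; each tool sits behind a small adapter so the workflow never calls a vendor API directly, which is the same idea the integration discussion above relies on. The ThreatIntelFeed, UserDirectory and ChatNotifier classes are hypothetical stand-ins for real integrations, and the threat-intel entry and the alert are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Alert:
    user: str
    source_ip: str
    event: str


# Constructed sample threat-intel data, not a real feed.
THREAT_INTEL: Dict[str, dict] = {
    "203.0.113.7": {"malicious": True, "tags": ["credential-stuffing"]},
}


class ThreatIntelFeed:
    """Hypothetical threat-intel integration (stand-in for a real feed API)."""
    def lookup_ip(self, ip: str) -> dict:
        return THREAT_INTEL.get(ip, {"malicious": False, "tags": []})


class UserDirectory:
    """Hypothetical identity-provider integration; records disabled accounts."""
    def __init__(self) -> None:
        self.disabled: set = set()

    def disable_user(self, user: str) -> bool:
        self.disabled.add(user)
        return True


class ChatNotifier:
    """Hypothetical team-chat integration; records posted messages."""
    def __init__(self) -> None:
        self.messages: List[tuple] = []

    def post(self, channel: str, text: str) -> None:
        self.messages.append((channel, text))


@dataclass
class Step:
    name: str
    run: Callable[[dict], dict]   # receives the shared context, returns updates
    requires_human: bool = False  # True marks an analyst decision gate


@dataclass
class Workflow:
    """Runs steps in order; pauses at a human gate until a decision is supplied."""
    steps: List[Step]
    context: dict = field(default_factory=dict)
    position: int = 0
    log: List[str] = field(default_factory=list)

    def run(self, decisions: Optional[Dict[str, str]] = None) -> str:
        decisions = decisions or {}
        while self.position < len(self.steps):
            step = self.steps[self.position]
            if step.requires_human:
                if step.name not in decisions:
                    self.log.append(f"paused at {step.name}: awaiting analyst")
                    return "paused"
                self.context[f"decision:{step.name}"] = decisions[step.name]
            self.context.update(step.run(self.context))
            self.log.append(f"completed {step.name}")
            self.position += 1
        return "complete"


def build_credential_playbook(alert: Alert, intel: ThreatIntelFeed,
                              directory: UserDirectory, chat: ChatNotifier) -> Workflow:
    """Credential-containment playbook: enrich -> notify -> analyst gate -> contain."""
    def enrich(ctx: dict) -> dict:
        return {"intel": intel.lookup_ip(ctx["alert"].source_ip)}

    def notify(ctx: dict) -> dict:
        a = ctx["alert"]
        verdict = "malicious" if ctx["intel"]["malicious"] else "unknown"
        chat.post("#sec-alerts",
                  f"{a.event} for {a.user} from {a.source_ip} ({verdict}); review required")
        return {"notified": True}

    def analyst_review(ctx: dict) -> dict:
        # The analyst's decision was recorded by the engine before this step ran.
        return {"contain": ctx["decision:analyst_review"] == "contain"}

    def contain(ctx: dict) -> dict:
        if not ctx["contain"]:
            return {"contained": False}
        return {"contained": directory.disable_user(ctx["alert"].user)}

    return Workflow(
        steps=[
            Step("enrich", enrich),
            Step("notify", notify),
            Step("analyst_review", analyst_review, requires_human=True),
            Step("contain", contain),
        ],
        context={"alert": alert},
    )


def demo():
    """Run the automated steps, pause for the analyst, then resume with a decision."""
    intel, directory, chat = ThreatIntelFeed(), UserDirectory(), ChatNotifier()
    alert = Alert(user="jdoe", source_ip="203.0.113.7", event="impossible-travel login")
    wf = build_credential_playbook(alert, intel, directory, chat)
    first = wf.run()                                 # enrich + notify, then pause
    second = wf.run({"analyst_review": "contain"})   # analyst decides, containment runs
    return first, second, wf.context, chat.messages, directory.disabled
```

The engine records where it paused, so the same workflow object can be resumed once the analyst has done the deeper forensics and entered a decision; nothing destructive (disabling the account) runs before that gate.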
People are the most important asset in a security organization. With regards to security orchestration, you'll need the right people in place to utilize and manage it.
A Designated Point Person
You will need a point-person on your team to build out and maintain an effective orchestration infrastructure — whether it’s a single person managing this, or managing a team to perform these tasks. Who this person is will depend on your organizational structure, but often we see roles such as Director of Security or IT Operations Manager at the helm of these initiatives.
Whoever you choose, they should be charged with ensuring all current and future processes that are repeatable and routine are orchestrated so that your team’s time is continuously optimized. This person should also be focused on ensuring that all new tools, processes, and people are leveraging security orchestration and automation, especially as the security organization scales.
If you’ve chosen to build custom orchestration yourself, internal resources will be even more necessary to you. A point person will need to ensure integrations are built properly, functioning well over time, and adapting to your organization's ongoing needs. If you buy a security orchestration platform, you won’t need as many resources to manage it since it will handle the bulk of this work for you.
Because the platform keeps you on top of current security best practices, your only job is to ensure you’re maximizing the people, technology, and processes that are looped into your orchestration setup.
Buy-In from IT Operations
There are other stakeholders within your organization you may need to bring into the picture to succeed with security orchestration. Who these people are depends in part on whether you’ve built or bought orchestration.
If you’re building it in-house, you’ll need IT operations buy-in to help build and maintain the infrastructure. Having this conversation early can help ensure resources are available when needed, and that the security orchestration initiative is prioritized.
Involvement from Complementary Teams
You may also need to get buy-in from other areas of the organization if there are processes that overlap with security, especially considering who owns what infrastructure and resources.
For example, if one department in your company has high turnover for one reason or another, you will need to work with that team lead on orchestrating and automating user provisioning and deprovisioning to ensure user access is under control.
Or, let’s say your security team needs access to certain sensitive systems that may trigger an alert and workflow, but the systems are owned by the IT operations or DevOps team. In that case, you'll need to get these teams involved in the implementation of the new security orchestration architecture. You'll also need to keep them in the loop on specific processes that may affect their day-to-day workflows.
Optimizing Security Orchestration for Effectiveness
With the right people, processes, and technologies in place, you can ensure you’re getting the most out of security orchestration. Most companies know when they’ve reached a tipping point and are ready for security orchestration and security automation. Namely, it’s when:
- Tasks and threats slip between the cracks
- Employees feel the effects of alert fatigue and become burnt out
- The security organization has gone from proactive to reactive and is drowning in alerts and tedious tasks
The best way to implement security orchestration is to do so when your organization is truly ready, and when you can get up and running fast without putting a drain on your team’s resources. That last part is key.