The Top 5 Security Orchestration MythsClaudio Benavente Discusses the Misconceptions Around SOAR
Security orchestration, or SOAR - Security Orchestration, Automation and Response, as it is known to some - is still an area in development, so there are misconceptions about its scope of use and effectiveness for a SOC team.
Here are some myths we've come across - or are they really myths? You be the judge.
Security orchestration - also known as automation - will take my work.
Will the "securobots" take over SOC operations in the near future? Before you dig in your heels to keep robot lords out of your SOC, consider this fundamental principle: Not all threats are created equal. While some threats are not inherently sophisticated, they can overwhelm an organization because of their volume and scope.
Phishing attacks are an example. This use case lends itself to automation because the attack vector is unchanged and the triage and remediation process is repeatable. Automation would address end-user communications, triage, identification of malicious intent or false positives, quarantine and deletion of suspicious emails. This would drastically reduce the need for human involvement and take a lot of boring routines out of the daily workload of a human analyst.
Of course, some of the tasks performed by a Level 1 analyst can become obsolete, but due to the shortage of skilled security professionals, there is probably more than enough work for more skilled workers. And the ability to reorient security analysts to what they've been trained to do, such as hunting down threats, will help prevent burnout and staff turnover.
Every security process can - and should - be automated.
"Automate or die" might be a good marketing move, but not every security process or action can - or even should - be automated. Tasks will continue to be very sensitive to unattended automation and need to have manual approval processes built in. Even with the phishing use case mentioned, an organization can choose a balance between machine-driven automation and human decision-making. The decision to validate whether an email is malicious can be performed by a human, while the initial tasks and the final quarantine tasks can be automated.
That brings us to the second principle: Machines are better at routine and repetition. When it comes to alerts, false positives and duplicates consume a substantial amount of a SOC team's time. Automation can make up for those wasted hours. Many analysts spend time copying and pasting information between detection tools. As tickets generations and updates are one of the most repetitive and mindless tasks, it's the perfect place for automation to come in.
Security orchestration is just a fancy name for a SIEM.
At this point, you might be saying, "I have a security information and event management tool - or SIEM - that does the same thing." No, not really. Not everything that quacks is a duck. So while SIEM and security orchestration tools have some similarities in surface features such as action automation, product integrations and data correlation, it is incorrect to assume that one tool could do the job of the other.
There are two schools of thought here:
- Security orchestration tools are the same as SIEM tools: Although SIEMs deal with machine data collection, correlation and aggregation, current SIEM tools lack the ability to coordinate further alert enrichment and alert response. Likewise, security orchestration tools can coordinate and automate the response of multiple products to alerts but currently cannot detect these alerts in the first place. In this scenario, SIEM collects dispersed data and aggregates it into alerts, and security orchestration tools receive alerts and direct them to response.
- SIEMs will eventually include all the features of security orchestration tools: In the future, if SIEMs incorporate cross-manuals and response automations, they will still not be equivalent to security orchestration tools due to the relatively narrow detection focus of SIEMs. Security orchestration tools are set to be general process and response solutions for security and IT teams. They ingest alerts, which may come from SIEMs; vulnerabilities; emails; and cloud data; and correlate all these datasets before driving the automated solution.
Security orchestration and security automation are the same thing.
For those of us in the security industry, the terms have different connotations.
Security automation is making machines do task-oriented "human work." Security orchestration is about connecting different products and automating tasks across those products through workflows, in addition to enabling end-user oversight and interaction.
Security automation is a subset of security orchestration. Security orchestration involves combining people, processes and technology to improve an organization's security posture. Security automation is more focused on the technology" aspect alone.
Security orchestration is only for big companies.
There is likely an assumption that only large companies with well-defined SOCs and a wide variety of products will extract value from security orchestration. But with the 2021 Verizon Data Breach Investigations Report shows that the number of data breach victims in small businesses is very close to the number for large organizations, so the need for automated, repeatable incident responses is apparent, regardless of business size.
The most accurate criteria to consider regarding security orchestration is if your organization has to deal with a high volume of alerts and incidents and/or has a dynamic environment with constant changes. Under these conditions, even if you have a small SOC team with three to five security analysts and a handful of tools, you'll benefit from security orchestration through well-defined processes, increased staff productivity and SOC configuration for a possible scale.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Claudio Benavente is the associate partner of IBM Security Brazil. He has been acting as an adviser in the cybersecurity market, supporting clients' business processes and providing an end-to-end view of cybersecurity processes. He works on restructuring processes and improving operational efficiency and serves large corporate clients, communicating with CISOs, CIOs and CEOs. Benavente has more than 20 years of experience in IT and information security, having worked in the financial market at large banks, such as Itaú and Tokyo-Mitsubishi, and at large telecommunications companies, such as AT&T and Telefónica.