Security orchestration, automation and response (SOAR) may have only emerged as an industry buzzword a little over a year ago, but the integration and automation that lie at its core have rapidly gained currency with CSOs whose roles increasingly involve unifying silos of security information and translating them into action.
That process of unification has been complicated by the preponderance of different, often incompatible security tools – which have been obstacles to improving the orchestration and automation of security responses, ThreatConnect director of security engineering Chris Adams told CSO Australia.
“Orchestration has been in IT for 30 years, but it’s only now making its way into security because security is growing up,” he explained, noting that internal competition for funding and strategic primacy had often sidelined security groups that didn’t have as strong a business case as their bottom-line-focused peers.
“Security grew organically, and we have multiple systems that were never designed to talk to each other.”
Similar disconnects between organisational units had stifled attempts at cross-unit collaboration – creating friction for CSOs charged with building organisational security capabilities but struggling to make security a universal concern.
“We need continuity between these systems when it makes sense,” Adams said.
That lack of communication had also inhibited the effective automation of security responses – for example, building a workflow that can be executed whenever a phishing email with a malware attachment is received.
Such a workflow might, for example, strip the attachment from the mail and ‘detonate’ it in a sandbox for analysis; call on a threat-intelligence service for more information about the new threat; interrogate a SIEM system for other signs of related activity; generate a service-desk ticket to ensure follow-up with the relevant employee; and lock down that employee’s network account until they have engaged with IT.
This sort of workflow leans heavily on automation technologies, which in turn require seamless interoperability or integration between systems. Delivering on this challenge has become easier with the shift towards open APIs for integration and the push to embrace DevSecOps methodologies – following, Adams noted, in the footsteps of application developers, who took similar steps in the past.
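The phishing playbook described above, sketched as an added Python example that is not from the article or from ThreatConnect: every tool integration (sandbox, threat-intelligence feed, SIEM, service desk, identity system) is a constructed stand-in, the hash-keyed intel entries and SIEM events are assumed sample data, and the runner shows why each step needs to hand a shared, machine-readable context to the next.

```python
import hashlib

# Constructed sample data standing in for real tool APIs (sandbox, TI feed, SIEM).
MALICIOUS_DOC = b"...office document containing Sub AutoOpen() macro..."
MALICIOUS_SHA = hashlib.sha256(MALICIOUS_DOC).hexdigest()
THREAT_INTEL = {MALICIOUS_SHA: {"family": "constructed-dropper", "confidence": 90}}
SIEM_EVENTS = [  # constructed endpoint file-write events already indexed by the SIEM
    {"host": "ws-101", "user": "alice", "sha256": MALICIOUS_SHA},
    {"host": "ws-207", "user": "bob", "sha256": MALICIOUS_SHA},
    {"host": "ws-301", "user": "carol", "sha256": "0" * 64},
]

def strip_attachment(ctx):          # step 1: pull the attachment out and fingerprint it
    ctx["attachment"] = ctx["email"]["attachment"]
    ctx["sha256"] = hashlib.sha256(ctx["attachment"]).hexdigest()
    return ctx

def detonate(ctx):                  # step 2: sandbox verdict (constructed: auto-run macro)
    ctx["verdict"] = "malicious" if b"AutoOpen" in ctx["attachment"] else "benign"
    ctx["halt"] = ctx["verdict"] == "benign"   # benign: nothing more to orchestrate
    return ctx

def enrich(ctx):                    # step 3: ask the threat-intel feed about the hash
    ctx["intel"] = THREAT_INTEL.get(ctx["sha256"], {"family": None, "confidence": 0})
    return ctx

def search_siem(ctx):               # step 4: other hosts that already saw the same file
    origin = ctx["email"]["host"]
    ctx["other_hosts"] = sorted({e["host"] for e in SIEM_EVENTS
                                 if e["sha256"] == ctx["sha256"] and e["host"] != origin})
    return ctx

def open_ticket(ctx):               # step 5: service-desk ticket for recipient follow-up
    ctx["ticket"] = f"INC-{ctx['sha256'][:8]}"    # constructed ticket-id scheme
    return ctx

def lock_account(ctx):              # step 6: disable the account until IT has engaged
    ctx["locked_accounts"] = [ctx["email"]["user"]]
    return ctx

PHISHING_PLAYBOOK = [strip_attachment, detonate, enrich, search_siem, open_ticket, lock_account]

def run_playbook(steps, email):
    """Run steps in order over one shared context; stop early when a step sets halt."""
    ctx = {"email": email, "halt": False}
    for step in steps:
        ctx = step(ctx)
        if ctx["halt"]:
            break
    return ctx
```

A benign sandbox verdict halts the run before any ticket or account lockdown, which is the kind of branch a real playbook needs so that automation does not punish users for harmless mail.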
“These are all steps that general applications took in standard IT applications,” he said. “It’s only now that security is waking up and saying ‘we need to do this too’.”
The importance of centralising and consolidating threat response into a security operations centre (SOC) has fed the rapid surge of a market space that Gartner recently branded SOAR (security orchestration, automation, and response).
Gartner has argued that SOAR can be approached by prioritising either automation or workflow, and that it is fundamental to enabling automation in three mission-critical areas: identity management, data protection and sharing, and the development of new products and services.
Formalising a SOAR environment promises to help organisations develop and apply cybersecurity procedures that span business units and technologies – and this, Adams noted, also benefits organisations by helping them add security capabilities even when they don’t necessarily have enough trained security analysts.
“Many companies are just hiring people who know security, but there is no practice or understood methodology in the organisation to have it deal with incidents,” he explained.
“This is all about letting analysts become real analysts, and leveraging technology to give them a place to pick things apart and guide them through that process. It’s the strong uplift towards the capabilities that security teams are looking for.”