Meny Har is the VP of Product for Siemplify.
Benjamin Franklin famously advised the fire-threatened residents of Philadelphia, “An ounce of prevention is worth a pound of cure.” And while prevention may work for fires, the approach does not translate cleanly to the threats of today’s cybersecurity landscape. As any infosec pro knows, preventing every security event is impossible, so a strong incident response plan is paramount.
In its recent Quarterly Incident Response Threat Report (QIRTR), Carbon Black found that 59% of incident response (IR) professionals say the organizations they work with follow a reactive approach to IR. But when it comes to battling cyberthreats, the last thing you want is for your team to be on its heels.
In this post, we will take a look at how security orchestration can create the foundation and structure necessary for effective, efficient and proactive incident response.
What is Security Orchestration?
Simply put, security orchestration is the connection and integration of an ecosystem of cybersecurity technologies and processes. The majority of security operations centers (SOCs) have dozens of security tools to detect, investigate and remediate threats. Tightly integrating this ecosystem of tools – from endpoint detection and response (EDR) and threat intelligence to SIEM and vulnerability management – via a security orchestration solution creates repeatable and consistent response processes. Commonly referred to as playbooks, these guides provide security analysts with the necessary context to proactively identify, manage and remediate threats.
Good Incident Identification Begets Good Incident Response
Before your security team can respond to an incident, there needs to be a process in place to effectively identify real threats. The average SOC receives thousands of alerts per day, and seeing through the noise can be difficult. With security orchestration, your various security tools can derive critical context and only alert SOC teams when their attention is necessary.
As an example, you can use your EDR solution to help diagnose and triage incoming SIEM alerts through context that answers some key questions:
- What is the endpoint’s role in the organization?
- Where is it located?
- What are some of the key technical aspects?
  - What is the OS?
  - Is the host virtualized?
  - Is the AV/EDR sensor enabled?
Through a security orchestration solution, this highly relevant data can be gathered automatically, enabling teams to assess the priority of incoming alerts, root out false positives and more effectively identify incidents that require a response.
Components of a Proactive Incident Response Plan
The QIRTR identifies six steps for taking a more proactive approach to incident response.
- Have an IR plan in place
- Communicate and notify
- Know your legal requirements
- Visibility is key
- Hunt quietly
- Regular checkups + multi-factor authentication
Security orchestration can act as a powerful catalyst to drive several of these steps forward – particularly the first four. A more proactive approach underpinned by security orchestration helps enable security teams to effectively drive down mean time to detect (MTTD) and mean time to respond (MTTR). Let’s take a look at how security orchestration, automation and incident response (SOAR) solutions can get you that much closer to taking a proactive IR approach.
Have an IR Plan in Place
For effective incident response – whether proactive or reactive – your entire security team needs to know what steps to take and when to take them. This means having an articulated, documented plan that is periodically tested through simulations to gauge effectiveness and identify opportunities for improvement.
One of the key benefits offered by security orchestration solutions is the ability to codify your IR plans into consistent, traceable playbooks. This eliminates the reliance on tribal knowledge and allows for the use of automation – where applicable. Security incidents are stressful for SOC teams and can cause people to panic and subsequently make errors. Playbooks provide security teams with a single source of truth to turn to in this high-pressure environment.
SOAR solutions can also act as a training platform and test bed to run simulations and evaluate your processes before encountering a live incident.
Communicate and Notify
Informing the right stakeholders and bringing relevant parties to the table quickly is a necessity during incident response. Many security orchestration solutions can act as a central workbench for security operations and incident response teams. This provides a comprehensive platform that includes the auditing and traceability functions proactive incident response demands. This is coupled with the flexibility and ease of collaboration needed to contain incidents, coordinate a team and allocate resources.
As a bonus, some solutions have dedicated “war rooms” that can include stakeholders outside of the SOC – like legal, HR and corporate communications – so the incident can be responded to collaboratively.
Know Your Legal Requirements
GDPR, state-specific guidelines and compliance regulations add layers of complexity for security operations organizations. Building the necessary reports to satisfy these requirements can be time-consuming and takes analyst resources away from the vital work of investigating and triaging subsequent threats.
Because security orchestration gives your team a complete picture of an incident, it can also help your team complete the postmortem and reporting necessary to satisfy legal requirements. Several solutions offer automated reporting capabilities that provide a snapshot of the security incident itself, as well as the remediation steps taken via the associated playbooks.
And, because of the powerful collaboration capabilities mentioned earlier, it is easy to give your legal and GRC constituencies live visibility into an incident and receive their inputs to influence and inform decision making in a consistent and auditable way.
Visibility Is Key
IT environments are notoriously complex, and many organizations do not have a good map of all the assets they manage and secure. Security orchestration serves an important unification function across your ecosystem. Clear visibility is the key to understanding the context behind high-priority alerts and incidents.
Security orchestration solutions provide visibility into:
- Context for your assets, user accounts, IoT devices and more
- Past occurrences that can inform the current alerts being processed
- Other alerts that may have relevance to the one currently under investigation
- Clear intelligence to understand bigger-picture indicators as well as external context
Bringing these pieces together to paint a clear picture ensures that the security team has all the information needed to perform deeper analysis and determine the best course of action decisively and quickly.
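The second and third visibility items above (past occurrences and other relevant alerts), as an added example that is not Siemplify's or Carbon Black's code. It assumes a constructed alert history (HISTORY) with host, user and destination IP as the linking entities; a real orchestration platform would pull this from its case database and the connected tools. The function links a new alert to earlier alerts of the same type on the same host within a look-back window, and to any open alert that shares an entity with it.

```python
"""Link a new alert to past occurrences and to open alerts sharing an entity.

Added illustration, not the code of any product named in the post. The alert
history and entity fields are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert history (closed and open), oldest first.
HISTORY = [
    {"id": "H-1", "ts": "2019-03-01T09:00:00", "type": "beacon", "host": "ws-017",
     "user": "jdoe", "dst_ip": "203.0.113.5", "status": "closed", "verdict": "false_positive"},
    {"id": "H-2", "ts": "2019-03-04T14:20:00", "type": "beacon", "host": "ws-017",
     "user": "jdoe", "dst_ip": "203.0.113.5", "status": "closed", "verdict": "true_positive"},
    {"id": "H-3", "ts": "2019-03-05T08:10:00", "type": "phishing_click", "host": "ws-021",
     "user": "asmith", "dst_ip": "198.51.100.9", "status": "open", "verdict": None},
    {"id": "H-4", "ts": "2019-03-05T08:12:00", "type": "new_service", "host": "ws-017",
     "user": "SYSTEM", "dst_ip": None, "status": "open", "verdict": None},
]

# The entities that can tie two alerts together.
ENTITY_FIELDS = ("host", "user", "dst_ip")

# Constructed new alert arriving for correlation.
SAMPLE_NEW_ALERT = {"id": "N-1", "ts": "2019-03-05T08:15:00", "type": "beacon",
                    "host": "ws-017", "user": "jdoe", "dst_ip": "203.0.113.5"}


def build_index(history):
    """Map (field, value) -> alert ids so related alerts are found in one lookup."""
    index = defaultdict(set)
    for a in history:
        for f in ENTITY_FIELDS:
            if a.get(f):
                index[(f, a[f])].add(a["id"])
    return index


def correlate(alert, history=HISTORY, lookback_days=30):
    """Return past occurrences, related open alerts and an escalation flag."""
    by_id = {a["id"]: a for a in history}
    index = build_index(history)
    ts = datetime.fromisoformat(alert["ts"])
    cutoff = ts - timedelta(days=lookback_days)

    # Past occurrences: same type on the same host within the look-back window.
    past = [a for a in history
            if a["type"] == alert["type"] and a["host"] == alert["host"]
            and cutoff <= datetime.fromisoformat(a["ts"]) < ts]
    prior_true = sum(1 for a in past if a["verdict"] == "true_positive")

    # Related open alerts: any shared entity, recorded by which entity links them.
    related = {}
    for f in ENTITY_FIELDS:
        value = alert.get(f)
        if not value:
            continue
        for rid in sorted(index.get((f, value), set())):
            if rid != alert.get("id") and by_id[rid]["status"] == "open":
                related.setdefault(rid, []).append(f)

    return {
        "past_occurrences": [a["id"] for a in past],
        "prior_true_positives": prior_true,
        "related_open": related,
        # A prior confirmed incident on the same host, or a link to another open
        # alert, is the bigger-picture signal an analyst should see first.
        "escalate": prior_true > 0 or bool(related),
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_NEW_ALERT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the constructed history the new beacon alert is linked to the two earlier beacons on the same host (one of them a confirmed true positive) and to the open new-service alert on that host, which is exactly the pairing an analyst would want surfaced before deciding on containment.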
Possibly one of the most appropriate adages for security operations and incident response teams is “if you fail to prepare, you prepare to fail.”
For more on security orchestration, playbooks and proactive incident response visit www.siemplify.co.