What’s next in the evolution of security automation and orchestration?
Over the past 20 years we’ve seen significant improvements in cybersecurity technology and tools. For example, new versions of intrusion prevention systems and firewalls were introduced using terminology like “next-generation”, which I’m not a fan of because it borders on hype. (What is after next-generation? Next-next? But I digress…) Regardless, ultimately, important revisions and upgrades were made that helped security teams improve threat detection and prevention.
Unique capabilities also emerged, like automation and orchestration, that became the focus of new categories such as security orchestration, automation and response (SOAR) platforms, which quickly proved their value by improving the throughput of analyst work. As SOAR platforms grew in popularity, vendors of related cybersecurity product categories began to envision how automation and orchestration could also be applied to their area of focus. Soon, a technology that began as a unique capability of SOAR evolved to become a core feature in many other categories. SIEM providers acquired stand-alone SOAR platforms, and endpoint detection and response (EDR) and extended detection and response (XDR) solutions broadened to include automation and orchestration capabilities. What’s next in the evolution of automation and orchestration?
U.S. Supreme Court Judge Louis D. Brandeis once said, “There are no shortcuts to evolution.” We see that his pioneering ideas and principles on free speech, privacy, government intrusion and democracy changed American society and law at the time and continue to shape legal decisions and regulations decades later. And we see parallels with the evolution of automation and orchestration. SOAR was an important step forward in the adoption of automation and orchestration. Now, as these capabilities fragment and find their way into other cybersecurity tools, their applications and usage will evolve for even greater, ongoing impact. Let’s take a closer look at how this plays out with automation, and we’ll look at orchestration in a future article.
From process-driven…
SOAR was off to a great start, touting the ability to increase security operations efficiency and consistency by automatically running a playbook in reaction to an incident or issue without the need for human intervention. However, as organizations began using SOAR, they encountered three main challenges:
1. In order for playbooks to run, processes need to be defined, created and maintained. Engineering work is also required to customize playbooks and standardize implementation. Many companies found SOAR was not an immediate fix to streamline security operations. Humans need to be involved, because the effort to put automation in place can be onerous.
2. The current approach to security automation has focused on automating processes, without regard for the data being processed. This approach works fine if you’re in a static environment doing the same thing over and over again. But detection and response is dynamic and variable, so that’s not the case. Playbooks are run regardless of the relevance or priority of the data. If you put noisy data in, the result will be amplified noise out.
3. Process-focused playbooks are inherently inefficient and complex because the decision-making criteria and logic are built into each playbook, so every update has to be repeated in every playbook that contains that logic. This complexity grows exponentially as you increase the number of playbooks.
…evolving to data-driven
As automation continues to evolve, a new approach to accelerate detection and response is emerging based on data and business logic to automatically trigger simple actions that can be standalone or be chained together. Instead of an entire process driving automation, a data-driven approach defines the criteria for the automation and how it is executed for greater focus, accuracy and agility. Security teams can determine what action to take based on data priority and relevance to their organization. Actions can be fine-tuned in response to what matters to the organization and what is effective against the latest threat. And because automation is based on data, you can also apply the outputs from detection and response as inputs for learning and improvement. If data changes and certain thresholds are hit, additional actions can be set to run automatically.
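The contrast drawn above, between a playbook that runs every step for every input and a data-driven dispatcher that scores the data first and lets thresholds decide which standalone actions run (and re-scores after each action so outputs feed back as inputs), is easier to see in code. The following is an added illustration written for this page, not the author's or any SOAR vendor's code. The indicators, the telemetry lookup table and the scoring weights are all constructed for the example; the three actions only write to an audit log instead of calling real tools.

```python
"""Process-driven vs data-driven security automation (constructed example)."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Indicator:
    """The data that drives the decision (all fields constructed for the demo)."""
    value: str
    source_reliability: float  # 0.0..1.0: how much the supplying feed is trusted
    sightings: int             # times seen in the organization's own telemetry
    on_critical_asset: bool    # observed touching a high-value asset

# Constructed stand-in for an internal telemetry search (value -> extra sightings).
TELEMETRY_HITS = {"203.0.113.7": 4}

def priority(ind: Indicator) -> int:
    """Single place where decision criteria live: tune here, not in N playbooks.
    Illustrative weights: reliability up to 40, prevalence up to 30, asset up to 30."""
    score = 40 * ind.source_reliability
    score += 6 * min(ind.sightings, 5)
    score += 30 if ind.on_critical_asset else 0
    return round(score)

# --- standalone actions: each does one thing and returns the (possibly updated) data ---
def enrich(ind: Indicator, log: list) -> Indicator:
    """Look the indicator up in our own telemetry; the result changes the data."""
    log.append(("enrich", ind.value))
    return replace(ind, sightings=ind.sightings + TELEMETRY_HITS.get(ind.value, 0))

def open_ticket(ind: Indicator, log: list) -> Indicator:
    log.append(("ticket", ind.value))
    return ind

def block(ind: Indicator, log: list) -> Indicator:
    log.append(("block", ind.value))
    return ind

# Business logic as data: (minimum priority, action name, action). Ascending order.
RULES = [(20, "enrich", enrich), (50, "ticket", open_ticket), (80, "block", block)]

def process_driven(ind: Indicator, log: list) -> Indicator:
    """The fixed playbook: every step runs for every input, relevance ignored."""
    for _, _, action in RULES:
        ind = action(ind, log)
    return ind

def data_driven(ind: Indicator, log: list) -> Indicator:
    """Score first; run each action at most once when its threshold is met,
    then re-score, so an action's output can unlock the next action."""
    done = set()
    progressed = True
    while progressed:
        progressed = False
        p = priority(ind)
        for threshold, name, action in RULES:
            if p >= threshold and name not in done:
                done.add(name)
                ind = action(ind, log)
                progressed = True
                break  # re-evaluate priority with the updated data
    return ind

def run(feed, dispatcher) -> list:
    """Apply one dispatcher to a whole feed; return the audit log of (action, value)."""
    log = []
    for ind in feed:
        dispatcher(ind, log)
    return log

# Constructed feed: one noisy indicator, one that needs enrichment, one clearly bad.
FEED = [
    Indicator("198.51.100.5", source_reliability=0.2, sightings=0, on_critical_asset=False),
    Indicator("203.0.113.7", source_reliability=0.9, sightings=1, on_critical_asset=False),
    Indicator("192.0.2.44", source_reliability=0.8, sightings=5, on_critical_asset=True),
]

if __name__ == "__main__":
    print("process-driven:", run(FEED, process_driven))  # 9 actions, 3 of them on noise
    print("data-driven:   ", run(FEED, data_driven))     # 5 actions, none on noise
```

The process-driven run performs nine actions, three of them (including a block) on an indicator from a low-reliability feed that has never been seen internally: noise in, amplified noise out. The data-driven run leaves that indicator alone, enriches the second one, and only because enrichment raised its sighting count does it then open a ticket; the third crosses every threshold and is blocked. Raising or lowering a threshold in `RULES`, or changing a weight in `priority`, changes behaviour for every indicator without touching any action.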
Indeed, “there are no shortcuts to evolution” – and that’s a good thing, because it is the process of evolution itself that provides the opportunity for dramatic improvements. Approaching automation from a process standpoint was understandable and helped many organizations overcome a long-standing reluctance to automate, but it has limitations. In a highly dynamic and fluid environment, a data-driven approach to accelerating detection and response will unlock more value from automation, so that security operations teams can take the right actions faster.