After acquiring security orchestration firm Invotas in February of this year, FireEye has announced the first product resulting from the union of the two firms: the FireEye Security Orchestrator.
Announced today, FireEye Security Orchestrator’s purpose is to automate interaction between FireEye’s own product suite, and then to provide an open platform for automation and integration with third party products.
The Security Orchestrator will provide more efficient security by eliminating repetitive manual processes, reducing process errors, and automating the correct response between different security controls.
The Invotas website claims a 99% reduction in human errors, a 98% gain in efficiency, and a 40% reduction in risk exposure through its orchestration software. Although not specifically claiming the same figures for the FireEye Security Orchestrator, Paul Nguyen, CEO and Founder of Invotas – and now FireEye’s VP of Orchestration & Integration – told SecurityWeek that similar figures can be achieved for FireEye customers.
It will, of course, vary between customers depending on just how much automation they accept, and how much they retain on manual oversight. Nevertheless, FireEye’s SVP & CTO Grady Summers told SecurityWeek that a major side benefit is that members of the security team will be released from tedious manual work to spend more time on intruder hunting.
All of this will be realized by orchestrating FireEye’s own products and those of third-parties via the Orchestrator under ‘a single pane of glass’. For now these third-parties are mainstream vendors like Blue Coat and CyberArk; but Summers told SecurityWeek that he would welcome all vendors, including new small start-ups, to join the Cyber Security Coalition (CSC). FireEye will provide an SDK to make the integration possible.
Key to the efficiency and effectiveness gains will be the ‘Course of Action Workflows’ that will act as incident response playbooks. These define the required automatic response to different incidents. They will start by leveraging Mandiant’s incident response expertise, but customers will be able to develop their own. High level workbooks could be shared between different verticals, or between customers with similar product mixes.
As an example of a workflow, Summers confirmed that an incident detected by FireEye as a privilege escalation attempt could transmit to CyberArk as an instruction to change affected passwords. The detail and purpose of the response playbook, said Summers, is limited only by the imagination and requirement of the customer – and the desired extent of automation.
CyberArk’s Adam Bosnian, executive vice president, global business development, comments, “As a CSC partner and through integrations of our respective solutions, which incorporate privileged account security best practices and privileged activity data, we enable customers to better detect and respond to threats.”
Of course effective orchestrated incident response depends upon effective incident detection. Many threats first show themselves in email, and FireEye will be enhancing its Email Security within the next few months. This will include intelligence-led capabilities for detecting and blocking spear-phishing emails seeking to deliver malware such as ransomware or harvest credentials.
FireEye’s Network Security already includes new improvements to help monitor files for malicious activity and disturbing behavioral patterns. The Threat Analytics Platform will be enhanced with a new Guided Investigations feature designed to improve investigation capabilities and reduce response times. The intent is to automate investigation based on specific attack scenarios.
The Security Orchestrator will become available within the next month.
Related Reading: Suffocating Volume of Security Alerts Challenge Incident Response