Security Orchestration: Beware of the Hidden Financial Costs

Among the many improvements in cybersecurity technology and tools we’ve seen over the last few years, one of the most significant has been the inclusion of security automation and orchestration capabilities in solution categories beyond SOAR platforms. SIEM providers acquired stand-alone SOAR platforms, and endpoint detection and response (EDR) solutions broadened to include automation and orchestration capabilities to accelerate threat detection and response. So, what’s next? 

Previously, I focused on the evolution of automation from a process-driven to a data-driven approach to unlock even greater efficiencies and effectiveness. Here, we’ll take a closer look at how orchestration is evolving and delivering additional benefits.

First, a little level-setting. We tend to talk about orchestration and automation at the same time and use the terms interchangeably, but they are quite different. Automation is about making individual steps (e.g., looking up a domain or blocking a port) happen faster to increase security operations efficiency. Orchestration is about getting multiple systems in the Security Operations Center (SOC) to work together so you can detect, remediate and respond across the infrastructure.

Integration provides the plumbing

With that definition, the first thing that comes to mind when you think about orchestration is integration so that disparate systems can talk to each other despite using different languages and formats. Most organizations have a complex security infrastructure, cloud-based and on-premises, that consists of multiple products from multiple vendors to create layers of defense, including firewalls, IPS/IDS, routers, web and email security, and endpoint detection and response (EDR) solutions. They have SIEMs and other tools that house internal threat and event data – ticketing systems, log management repositories, case management systems – and a range of external threat intelligence feeds and sources. A platform with an open, extensible architecture allows for strong integration and interoperability with your existing tools and new security controls to address emerging threats, providing a flexible path forward for orchestration. 

Data-driven enables better decisions

However, as more security teams go down the path of automation and integration, another important aspect emerges: the financial consequences of how some of the tools you connect to are licensed. The more data you send to certain systems, the more charges you may incur based on the amount of storage used. And some of the services you use may have a “pay by the drink” model: you have a limited daily capacity of look-ups, each look-up is subtracted from the total allowed, and once you exceed that limit, additional fees are imposed. If you are driving automation and orchestration with a process-driven approach, with no regard to the data being processed, actions are taken based on events that aren’t high priority or even relevant. Few security teams think about the financial impact of storing unnecessary data or constantly querying their systems with no sound basis for doing so.

The best way to make better decisions so that you avoid these unintended financial consequences is to trigger automation and orchestration only on relevant things. How do you do that? 

A data-driven approach, where you contextualize first to make sure any action you are automating has value, can ensure you are consuming license capacity on events that actually matter. With a platform that aggregates, normalizes and correlates internal and external data, you can tap into the richness of all available data to get a complete picture of what is going on. This includes contextualizing data with additional intelligence, such as internal observations of network activity and file behavior. Now you can pivot to external data sources to learn more about campaigns, adversaries and their tactics, techniques and procedures (TTPs), with confidence that when you look for associated artifacts in other tools across the enterprise, you aren’t sending out irrelevant requests or consuming unnecessary storage.

With the scope of malicious activity and all impacted systems identified and confirmed, you can orchestrate a comprehensive and coordinated response. You can perform the right actions across multiple systems and send associated data out to the right tools across your defensive grid immediately and automatically to accelerate response. Blocking threats, updating policies and addressing vulnerabilities happens faster. A data-driven approach also leverages bi-directional integration to send data from the response back to a central repository for learning and improvement.
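The following is an added illustration (not code from the column or from any ThreatQuotient product) of the gate described above: a playbook that scores each event with internal context first and only spends metered external look-ups on events that clear a relevance threshold. The scoring weights, the `LookupBudget` model and the sample events are constructed assumptions; the process-driven run shows how enriching everything burns through the daily quota into overage, while the data-driven run stays inside it.

```python
from dataclasses import dataclass


@dataclass
class Event:
    indicator: str
    source_priority: int    # 1 (low) to 5 (high), as assigned by the producing tool
    seen_internally: bool   # corroborated by internal network or file telemetry
    asset_critical: bool    # touches a high-value asset


@dataclass
class LookupBudget:
    """Daily look-up quota of a 'pay by the drink' service; calls past the quota incur overage fees."""
    daily_limit: int
    used: int = 0

    def try_consume(self) -> bool:
        if self.used >= self.daily_limit:
            return False
        self.used += 1
        return True


def relevance_score(ev: Event) -> int:
    """Contextualize first: combine tool priority with internal corroboration (hypothetical weights)."""
    score = ev.source_priority
    if ev.seen_internally:
        score += 3
    if ev.asset_critical:
        score += 2
    return score


def run_enrichment(events, budget: LookupBudget, threshold=None):
    """Issue external look-ups and return (in_quota, overage, skipped).
    threshold=None models the process-driven workflow that enriches every event;
    an integer threshold models the data-driven gate that enriches only relevant ones."""
    in_quota = overage = skipped = 0
    for ev in events:
        if threshold is not None and relevance_score(ev) < threshold:
            skipped += 1            # context says this event is not worth a paid look-up
            continue
        if budget.try_consume():
            in_quota += 1           # the real external look-up of ev.indicator would go here
        else:
            overage += 1            # past the daily cap: billed at the overage rate
    return in_quota, overage, skipped


# Constructed sample events using documentation/example addresses, not real indicators
SAMPLE_EVENTS = [
    Event("198.51.100.7", 5, True, True),
    Event("bad.example", 2, False, False),
    Event("203.0.113.9", 4, True, False),
    Event("cdn.example", 1, False, False),
    Event("evil.example", 3, True, True),
    Event("198.51.100.22", 3, False, False),
    Event("update.example", 2, False, True),
    Event("192.0.2.55", 4, True, True),
]

if __name__ == "__main__":
    print("process-driven:", run_enrichment(SAMPLE_EVENTS, LookupBudget(5)))
    print("data-driven:   ", run_enrichment(SAMPLE_EVENTS, LookupBudget(5), threshold=6))
```

With a quota of five look-ups, the process-driven run issues eight calls (three of them billed as overage), whereas the data-driven gate issues four and skips four low-context events.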

There’s a lot of value in getting systems to work together, but don’t overlook the clear connection to your wallet when you automate and orchestrate workflows across different systems. A data-driven approach to orchestration helps you make the right decisions and take the right actions faster, with the additional value of reducing the impact on your budget.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
