Security Experts:

Security Orchestration: Beware of the Hidden Financial Costs

Among the many improvements in cybersecurity technology and tools we’ve seen over the last few years, one of the most significant has been the inclusion of security automation and orchestration capabilities in solution categories beyond SOAR platforms. SIEM providers acquired stand-alone SOAR platforms, and endpoint detection and response (EDR) solutions broadened to include automation and orchestration capabilities to accelerate threat detection and response. So, what’s next? 

Previously, I focused on the evolution of automation from a process-driven to a data-driven approach to unlock even greater efficiencies and effectiveness. Here, we’ll take a closer look at how orchestration is evolving and delivering additional benefits.

First a little level-setting. We tend to talk about orchestration and automation at the same time and use the terms interchangeably, but they are quite different. Automation is about making steps (e.g., looking up a domain or blocking a port) happen faster to increase security operations efficiency. Whereas orchestration is about getting multiple systems in the Security Operations Center (SOC) to work together so you can detect, remediate and respond across the infrastructure. 

Integration provides the plumbing

With that definition, the first thing that comes to mind when you think about orchestration is integration so that disparate systems can talk to each other despite using different languages and formats. Most organizations have a complex security infrastructure, cloud-based and on-premises, that consists of multiple products from multiple vendors to create layers of defense, including firewalls, IPS/IDS, routers, web and email security, and endpoint detection and response (EDR) solutions. They have SIEMs and other tools that house internal threat and event data – ticketing systems, log management repositories, case management systems – and a range of external threat intelligence feeds and sources. A platform with an open, extensible architecture allows for strong integration and interoperability with your existing tools and new security controls to address emerging threats, providing a flexible path forward for orchestration. 

Data-driven enables better decisions

However, as more security teams go down the path of automation and integration, another important aspect emerges—the financial consequences based on how some of the tools you connect to are licensed. The more data you send to certain systems, the more charges you may incur based on the amount of storage used. And some of the services you use may have a “pay by the drink” model. You may have a limited daily capacity of look-ups, and each look-up is subtracted from the total allowed. Once you exceed that limit, additional fees are imposed. If you are driving automation and orchestration with a process-driven approach, with no regard to the data being processed, actions are taken based on events that aren’t high priority or even relevant. Few security teams think about the financial impact of storing unnecessary data or constantly querying their systems with no sound basis for doing so. 

The best way to make better decisions so that you avoid these unintended financial consequences is to trigger automation and orchestration only on relevant things. How do you do that? 

A data-driven approach, where you contextualize first to make sure any action you are automating has value, can ensure you are consuming license capacity on events that actually matter. With a platform that aggregates, normalizes and correlates internal and external data, you can tap into the richness of all available data to get a complete picture of what is going on. This includes contextualizing data with additional intelligence, such as internal observations of network activity and file behavior. Now you can pivot to external data sources to learn more about campaigns, adversaries and their tactics, techniques and procedures (TTPs), with confidence that when you look for associated artifacts in other tools across the enterprise, you aren’t sending out irrelevant requests or consuming unnecessary storage.

With the scope of malicious activity and all impacted systems identified and confirmed, you can orchestrate a comprehensive and coordinated response. You can perform the right actions across multiple systems and send associated data out to the right tools across your defensive grid immediately and automatically to accelerate response. Blocking threats, updating policies and addressing vulnerabilities happens faster. A data-driven approach also leverages bi-directional integration to send data from the response back to a central repository for learning and improvement.

There’s a lot of value in getting systems to work together, but don’t overlook the clear connection to your wallet when you automate and orchestrate workflows across different systems. A data-driven approach to orchestration helps you make the right decisions and take the right actions faster, with the additional value of reducing the impact on your budget.

Learn More at SecurityWeek's Security Operations (Virtual) Summit 

view counter
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.