Security Automation and Orchestration: An Analyst Perspective

Security Automation and Orchestration (SAO) Platforms are the newest players in the security landscape focusing on easing the burden of alert-fatigue. Working as a lead in a Managed Services Security Operations Center (SOC), solutions that claim to automate actions, lower time-to-response, and minimize required headcount peak my interest.

SAOs operate by implementing logical decision trees as “Playbooks” to automatically gather applicable information surrounding security events.  Additionally, most solutions also provide a self-contained collaboration platform for a team of analysts to share investigation ideas, results, and next steps.  These two features are core tenants SAO platforms; however, there are a few differences that make some standout from the rapidly forming crowd.

Who benefits from SAO?

SAOs are a good investment for IT teams with multiple security products and that find themselves spending too much time investigating the same alert types. Teams using portfolio based solutions with existing integrations will likely spend more time learning and maintaining an SAO than gaining any operational leverage from the product. Additionally, if your team lacks dedicated security, an SAO facilitates a level of automation that may offset the headcount requirement for an investigation, though you may also consider an MSSP in this scenario.

Playbook and Collaboration FAQs

When considering an SAO, there are a few questions to ask  Playbooks and Collaboration to determine the correct solution fit:

Playbooks

• Is the Playbook structure able to produce different results based on where the information terminates?
  • Playbooks shouldn’t be required for every exception, and building dozens of small playbooks would diminish the value of the solution. Flexibility to bring alerts in at different places in a larger playbook lessens the complexity of the solution’s implementation.
• Are the logic pieces modular?
  • The ability to use the same playbooks inside of other playbooks saves time that analysts may otherwise spend duplicating work effort for something they’ve already created. Machines should repeat tasks, not people.
• Can components be customized without a strong coding background?
  • Some tools allow for nearly endless customization, but require a solid coding background to fully implement changes.  Coding is easier to some than others, and bad code can create more problems than solutions.
• Is the layout easy to follow even as it grows and changes?
  • Consider the workflow of the tool and how it is visually represented. If the flow is unclear or the visuals create confusion, then using the tool will require a greater time investment in day-to-day operations.

Without these components, these products can require so much dedicated effort to maintain that any time saved investigating transfers to time maintaining the new tool.  Headcount is expensive; buy-in for a product is much more expensive if an analyst, and all their investigation training and experience, is lost just to manage it.

Collaboration

• Is this just another e-mail?
  • IT personnel, and most supervisors, in general, are already inundated with e-mails.  Another inbox to check doesn’t make things easier.
• How easy is it to share the information Analysts collect with the team?
  • If someone on the team takes the time to find or explain something once for an IR case, that information should be easily accessible to everyone involved.  Where one person has a question, at least one other will too.
• How does the investigation information link with the security alerts?
  • Each click spent trying to reference information in one place and share findings somewhere else is time that could be spent investigating another alert. Information should be quickly imported into an investigation for review in a single place.

The Bottom Line

There are currently multiple SAO choices; each aiming to provide automated investigation for teams that prefer to explore their own security alerts instead of utilizing an MSSP. Each tool addresses playbook efficacy and collaboration in different ways and at different price-points. Asking these questions throughout the evaluation process will help determine which SAO tool, if any, is right for an organization.