Jun 2, 2022
Paul-Arthur Jonville
"The future of SecOps part 2 – Security Orchestration" is the second of a three-article series published by Mindflow on what comes next in the cybersecurity world.
As we said here, modern-day Security Operations Centers (SOCs) use between 20 and 50 tools on average.
As a company grows, it needs more tools to stay secure, and most of those tools do not come from a single vendor. Even though large vendors try to sell bundles or all-in-one suites, the diversity of problems forces you to buy point solutions, and that in turn creates the need for security orchestration.
Still, as good as these point solutions are, they have little awareness of, or communication with, the rest of your tools. You end up with solutions that are not connected, which means deficits in interoperability and efficacy.
Hence the need for security orchestration to achieve a coherent architecture, one in which each tool's connections to the others are understood and keep working without constant retraining.
Bundling every feature and solution into one product destroys your freedom of movement: you tie yourself to one solution, its vulnerabilities, and the will of its vendor. Choosing the best-of-breed tool for each problem and optimizing their interoperability through security orchestration is the best route to overall SOC performance.
Such an approach would ensure:
Security Orchestration to enable collaboration enterprise-wide
An increase in speed of SecOps
Nurture exhaustive visibility on your processes
Security Orchestration as a way to enhance performance
Security Orchestration to enable collaboration
Building a new, coherent security architecture starts with enabling collaboration among your current architecture, activities, and assets.
However, visibility is hard to maintain when ITOps and SecOps have layered security tooling over the years. On top of that, without a platform to streamline communication between assets, SecOps and ITOps were forced to design ad hoc, non-optimal integrations to connect them. Piled on top of each other, these ad hoc integrations become technical debt and an obstacle for your teams to keep the security posture aligned with the threat environment.
Of course, most organizations still run some, if not all, of these in-house integrations. Nevertheless, the result is an overly complex architecture that nobody can grasp from a single point of view.
Plus, the environment is moving at a fast pace. As we have said numerous times on this blog, cybersecurity has to keep pace with the advent of cloud computing and remote work.
This new environment pushes the traditional security perimeter further out. The new perimeter is scattered across the planet and looks more like a mesh than the old-school castle, because employees can connect to your cloud workloads from pretty much anywhere. This creates new needs: alerts are multiplying, and they are also coming from new places.
Cloud environments are dynamic. The boundaries between development, operations, and security teams are fading. SecOps teams need complete visibility into particular flows and into apps, infrastructure, and the network.
Hence the need for a backbone: a platform that is agnostic to any specific environment, where you can gather your different tools, create links between them, and enable security orchestration.
Increase the speed of your SecOps
Working manually inevitably slows your pace. It's natural: as long as humans do the work, it happens at human speed, no faster.
If this way of working was still possible yesterday, it is increasingly difficult today. This is not only about the growth in alerts. That is an important factor, for sure, but other factors need to be considered.
For instance, attackers are already harnessing automation. As soon as a new zero-day exploit is released, attackers run automated internet-wide scans to find which machines are vulnerable.
This is what happened when the Microsoft Exchange Server exploit was released by researchers.
Even after gaining access inside your network, attackers rely on basic scripts to speed up their progression along the Kill Chain, especially when escalating privileges. With scripts, an attacker can cut the time needed to escalate privileges many-fold and move on to the next technique.
To counter this, you need to speed up the links between your security layers. The best-in-class IAM solution will not save you if you still have to mobilize your EDR manually to act on its alerts.
Likewise, manually parsing every suspicious email and then manually submitting the details is time-intensive and brings little value to your work. Quite the opposite: when asked about quality of life at work, security professionals point to exactly these tasks as detrimental.
Orchestrating the predetermined investigation path for initial triage, and thereby automating it, therefore saves a crucial amount of time and improves quality of life at work.
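As an added example that is not part of the original article or of Mindflow's product, here is what such a predetermined triage path looks like once written down: a small Python playbook that takes a raw email, runs the checks an analyst would otherwise perform by hand (envelope sender versus From domain, SPF result in Authentication-Results, external links, attachment hashes and extensions), scores the findings and decides which downstream actions to queue. Both sample messages are constructed, the scoring weights are illustrative, and the action names (quarantine_message, block_envelope_sender, block_url_host, hunt_hash, escalate_to_analyst, close_ticket) are hypothetical placeholders for calls into a mail gateway, EDR or ticketing tool, not any real API.

```python
"""Phishing triage playbook (added example, not Mindflow's code).

Fixed investigation path: parse the message, check envelope/sender consistency
and authentication results, extract URLs and attachment hashes, score, then map
the verdict to downstream actions. Action names are hypothetical placeholders.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
RISKY_EXT = (".js", ".vbs", ".hta", ".exe", ".scr", ".lnk", ".iso")

# Constructed sample 1: spoofed "IT" mail, SPF fail, look-alike link, script attachment.
SPOOFED_EML = """\
From: "IT Helpdesk" <helpdesk@example.com>
Return-Path: <bounce@mail-example.net>
To: alice@example.com
Subject: Password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Reset it at http://example-com.reset-portal.net/login
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

YWxlcnQoJ2hpJyk=
--b1--
"""

# Constructed sample 2: ordinary internal mail that should close without action.
INTERNAL_EML = """\
From: bob@example.com
Return-Path: <bob@example.com>
To: alice@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/plain

Lunch at 12? Menu: https://intranet.example.com/menu
"""


def _domain(addr_header):
    """Domain part of an address header ('' if the header is missing)."""
    return parseaddr(str(addr_header))[1].rpartition("@")[2].lower()


def _is_external(url, domain):
    host = (urlparse(url).hostname or "").lower()
    return host != domain and not host.endswith("." + domain)


def analyse(raw):
    """Run the fixed checks and return findings, score and verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = _domain(msg.get("From", ""))
    envelope = _domain(msg.get("Return-Path", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()

    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename() or "",
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))

    findings = {
        "envelope_domain": envelope,
        "envelope_mismatch": envelope not in ("", sender),
        "spf_fail": "spf=fail" in auth or "spf=softfail" in auth,
        "external_urls": [u for u in urls if _is_external(u, sender)],
        "attachments": attachments,
        "risky_attachments": [a for a in attachments
                              if a["name"].lower().endswith(RISKY_EXT)],
    }
    # Illustrative weights; tune them against your own false-positive rate.
    score = (2 * findings["envelope_mismatch"] + 3 * findings["spf_fail"]
             + 2 * bool(findings["external_urls"]) + 3 * bool(findings["risky_attachments"]))
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return {"sender_domain": sender, "findings": findings, "score": score, "verdict": verdict}


def plan_actions(result):
    """Map a verdict to the actions to queue (hypothetical action names)."""
    f = result["findings"]
    if result["verdict"] == "benign":
        return ["close_ticket"]
    actions = ["quarantine_message"]
    if result["verdict"] == "malicious":
        if f["envelope_mismatch"]:
            actions.append("block_envelope_sender:" + f["envelope_domain"])
        actions += ["block_url_host:" + (urlparse(u).hostname or "") for u in f["external_urls"]]
        actions += ["hunt_hash:" + a["sha256"] for a in f["attachments"]]
    else:
        actions.append("escalate_to_analyst")
    return actions


if __name__ == "__main__":
    for raw in (SPOOFED_EML, INTERNAL_EML):
        r = analyse(raw)
        print(r["verdict"], r["score"], plan_actions(r))
```

The point is not the scoring rules, which any SOC will tune, but that the whole path from raw message to queued actions is deterministic and reviewable: the block never blocks the spoofed From domain (which here is the company's own), only the envelope sender and the external hosts actually observed, which is the kind of mistake a hurried manual triage makes.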
Nurture exhaustive visibility of your processes
When planning to rationalize your information security solutions, you should always look for a way to oversee the stack, so as to have visibility of the whole architecture and especially of your incident response plans.
This way, you can cross-check threats against the mitigation techniques in place to assess overall readiness.
An incident response plan (IRP) describes the tools you will mobilize to detect and counter threats. Old-school IRPs describe manual processes that cost time and resources.
Here a SOAR is of critical help when assessing your security posture. Most analysts combine the SOAR with well-known Kill Chain frameworks, such as MITRE ATT&CK, to design adequate playbooks that secure the targeted resource.
Such an approach gives you visibility into the processes in place and also into the tools used. On the security orchestration side, it helps you constantly reassess the structure of your security operations tool stack and, if necessary, decide which tool is superfluous and should be removed from it.
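As an added example that is not part of the original article or of Mindflow's product, the cross-check described above can be made mechanical: list the ATT&CK techniques the SOC has decided it must handle, record per tool which techniques its playbooks detect or respond to, and compute the gaps, the techniques that depend on a single tool, and the tools whose coverage is entirely duplicated elsewhere. The technique IDs and names are real MITRE ATT&CK identifiers; the tool inventory (mail-gateway, edr, idp, legacy-av) and the techniques assigned to each are constructed for the example.

```python
"""ATT&CK coverage check for a SOC tool stack (added example, not Mindflow's code).

Technique IDs are real MITRE ATT&CK identifiers; the tool inventory below is a
constructed example, not a real assessment.
"""

# Techniques the SOC has decided its playbooks must handle.
THREAT_MODEL = {
    "T1566": "Phishing",
    "T1190": "Exploit Public-Facing Application",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1068": "Exploitation for Privilege Escalation",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}

# Constructed inventory: tool -> techniques its playbooks detect or respond to.
STACK = {
    "mail-gateway": {"T1566"},
    "edr": {"T1059", "T1068", "T1021", "T1486"},
    "idp": {"T1078"},
    "legacy-av": {"T1059"},
}


def coverage_report(threat_model, stack):
    """Return gaps, single points of failure and fully duplicated tools."""
    by_technique = {t: sorted(name for name, techs in stack.items() if t in techs)
                    for t in threat_model}
    gaps = [t for t, tools in by_technique.items() if not tools]
    # Techniques handled by exactly one tool: if that tool is down, the SOC is blind.
    single_points = {t: tools[0] for t, tools in by_technique.items() if len(tools) == 1}
    superfluous = []
    for name, techs in stack.items():
        others = set().union(*(s for n, s in stack.items() if n != name))
        if techs and techs <= others:  # everything this tool covers is covered elsewhere
            superfluous.append(name)
    return {
        "covered": len(threat_model) - len(gaps),
        "total": len(threat_model),
        "gaps": gaps,
        "single_points": single_points,
        "superfluous": superfluous,
    }


if __name__ == "__main__":
    report = coverage_report(THREAT_MODEL, STACK)
    print(f"covered {report['covered']}/{report['total']} techniques")
    for t in report["gaps"]:
        print("GAP:", t, THREAT_MODEL[t])
    for t, tool in report["single_points"].items():
        print("SINGLE TOOL:", t, THREAT_MODEL[t], "->", tool)
    for tool in report["superfluous"]:
        print("CANDIDATE FOR REMOVAL:", tool)
```

On the constructed inventory this reports T1190 as uncovered, five techniques that rest on a single tool, and legacy-av as a removal candidate because edr already handles everything it does. Treat "superfluous" as a prompt, not a decision: a tool whose coverage overlaps another one may still be worth keeping as a second, independent detection layer, which is exactly the depth that turns a single point of failure into a redundant one.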
Security Orchestration as a way to enhance performance
Finally, on the security orchestration side, a SOAR also brings value through a unique ability: fostering the use of your whole stack.
Now you will stop me and say, "How so? Mastering a SOAR is already a huge challenge, and you want us to use everything on it?!" If we were talking about the old SOARs, we would agree.
However, the new SOARs took the complexity objection seriously. They shifted the focus to customer experience instead of delivering expert products accessible only to experts.
Lowering the skill barrier to operating the SOAR lets more people use it to build workflows. Only by encouraging broad usage do you begin to glimpse the potential a SOAR can deliver.
To achieve this, a platform like Mindflow bet on a full no-code experience and on delivering state-of-the-art UX/UI. Like any other tool, a SOAR needs to be pleasant to use: your analysts work in it every day, and they want to like what they see and work on.
But no-code and top-notch UX/UI are not enough to foster SOAR usage. One of the most painstaking features, and a unique capability, is integration. The more native integrations a SOAR offers, the more likely users are to try them. Still, most SOAR vendors have not realized that they need to make this step easy and smooth.
Native integrations also allow a next-gen SOAR to list every action available in an integrated service. Imagine having every action of a service like SentinelOne at hand: you search for the service by name, select the action you want, and drag and drop it onto your workflow. Now we are talking about accessibility.
However, even when services are integrated, most SOARs still require configuration before a playbook can run. This is where most SOARs suddenly become "low-code", which really means "have fun doing the same thing as before". An extra layer of understanding is needed to close the semantic gap between the human and the machine.
By combining all of these approaches, we believe the new SOARs are finally fulfilling the promise made by their elders: security orchestration made simple.
Only this way will you develop your abilities on each of your tools and increase their usage.
The bottom line is that when you consider security orchestration, you need to think creatively and make the best of what you have instead of just coping with your environment.
This way of enabling security orchestration is made possible with Mindflow.