If you’ve spent time evaluating cyber incident response platforms (IRPs), you’ve undoubtedly felt the hype surrounding automation and orchestration.
And rightfully so. When applied correctly, automation and orchestration can drastically reduce incident response times and eliminate manual tasks—big pluses to over-worked, under-staffed SOC teams.
But the truth is that IRP vendors are increasingly using “automation and orchestration”—or similar terms like incident response automation, security automation, and security orchestration—as catch-all phrases for a wide variety of features and capabilities.
Their goal, unfortunately, is to obscure the true definitions and make comparing solutions difficult.
For analysts and incident response platform buyers, it’s more important than ever to understand what automation and orchestration mean, and how they translate into software features and benefits that can help your incident response function.
In this post, we’ll clearly define the meaning of both automation and orchestration. Then, we’ll describe three scenarios in which security automation and orchestration play an important role in the incident response process.
Automation means replacing manual tasks with machine-based automatic actions. This can take a variety of forms, requiring different levels of technical sophistication. In the context of incident response, automation is often used for:
The primary benefit of incident response automation is speed. Automation can accomplish time-consuming tasks much quicker than a human analyst, cutting down response time and allowing analysts to maximize attention given to the aspects of the process that require their expertise.
Another benefit is reducing the number of alerts an analyst sees by automating the management of low-risk events and likely false positives. Most security teams face an overwhelming volume of incidents, so automation is a useful way to let them focus on high-risk threats and important tasks.
The terms automation and orchestration are often used interchangeably, but they actually refer to different features of an Incident Response Platform.
Orchestration has a broader connotation, essentially covering the functionality that helps coordinate and organize incident response.
Rather than simple actions that can be automated, orchestration is used to eliminate workflow and reporting siloes, and empower analysts to make decisions when human input is necessary. Orchestration is critical in such situations to facilitate fast and decisive response.
Examples of orchestration include:
The most effective platforms are those that provide both automation and orchestration within a single, comprehensive incident response management solution. Automation for quickly completing tasks, and orchestration for supporting human decision-making, with enterprise-wide collaboration, workflow and reporting.
With too much weight on the former, a platform will be fast but rigid and limited in scope, only suitable for the security team’s management of low-level incidents. Too much emphasis on the latter and your response will move too slowly, requiring a large team of expensive analysts to gather contextual data and close out alerts, most of which end up being false positives.
Here are some examples of how balanced automation and orchestration can be used in common incident response scenarios:
An employee receives a phishing email and reports it to the SOC. The IRP can use automation to gather contextual data, such as URL reputation and domain reputation. If the URL is known to be malicious, the IRP can take the automated action to block it. Alternatively, the system could auto-generate a task for a specific team to assess the information and make the final decision to block the IP.
Your SIEM flags suspicious traffic leaving the network and escalates it to the IRP. The security analyst needs to determine whether the outbound traffic is malicious code communicating with a Command & Control (C2) server. The IRP can use automation to speed this process by looking up information on the destination IP, such as reputation, geolocation, and presence on blacklists. Based on this information, the analyst can notify the authorized team to block traffic to the domain at the firewall level.
A user’s privileges are escalated at 2:30AM. Because of the unusual timing, the escalation triggers a SIEM rule and becomes an incident in the IRP. An analyst can examine the change of privilege via Windows event logs, and use automation to query network traffic for suspicious outbound traffic from the user, or search their history across previous incident records. If the escalation appears to be unauthorized, the analyst can run a script to disable the user’s access.
D3’s Incident Response Platform brings automation and orchestration together, alongside other capabilities like case management and root cause resolution, in a truly comprehensive solution. Our unique approach to automation maximizes benefits while keeping key decisions in the expert hands of your analysts. To learn more about our growing suite of automation features, schedule a demo today.