Last updated at Thu, 11 Jan 2018 15:57:09 GMT
Between your devices, how many apps do you have?The answer for many is dozens, if not hundreds. And many are designed to help us be more efficient: to keep track of growing to do lists, manage complex work tasks, or streamline communication with teams. The trouble is, many of these apps don’t talk to each other very neatly, efficiently, or at all.
So it’s no wonder that when the app orchestration solution IFTTT was launched, over one million tasks were created in just seven months. It’s a huge time-saver, enabling you to automate just about any series of events you can think of.
Zapier fills a similar need for businesses, integrating with more than 400 different web apps. With Zapier, you can automate nearly any interaction between apps, like sharing tweets to Slack, sending Reddit mentions to Gmail, and sending Github notifications to Hipchat.
These types of automation and orchestration tools take the apps we depend on every day and make them that much more valuable. The usefulness of tools like IFTTT and Zapier is abundantly clear to anyone who lives and breathes the app economy.
One area of the digital economy that hasn’t actually seen a lot of benefit from this kind of orchestration, so far at least, is the security operations space. And arguably they could use it more than anyone.
Gartner points out that 95 percent of cloud security failures are the user's’ fault, a pretty accurate statistic in our minds considering security operations centers (SOCs) are experiencing some pretty serious alert fatigue (leading to missed intrusions) from the mounting number of threats out there today.
Additionally, SOCs depend on dozens of apps to monitor everything from user behavior to malware intrusions to compliance, but just like those apps on your iPhone, many don’t speak the same language.
So, what can SOCs learn from these modern orchestration tools and how are they applicable to daily workflows? Here are five ways to enhance security processes:
1. Streamline Workflows
Security teams have a tough job. They have to simultaneously manage a flood of alerts, triage real problems, and address the highest-impact issues in a timely manner. On top of that, many investigatory tasks require performing tedious, manual work—combing through backlogs, trying to piece together the full story— before threats can be identified and mitigated. Oftentimes, analysts must piece together un-integrated systems and form their own conclusions before devising recommendations on how to respond.
Automating these workflows has always been an option, but it’s time to streamline workflows by teaching the apps to talk to each other and to provide security analysts with a clear, accurate picture based on the many incoming and outgoing data points.
2. Automate Manual Tasks
Good talent is hard to come by and even harder to retain. SOCs won’t hang onto top-notch security team members if they have to spend more time on manual tasks rather than strategically applying their expertise.
SOCs should be focused on using their expertise to analyze and make decisions, not manually fetching data and piecing together a bunch of systems. That’s what computing power should be used for.
Take triaging suspected phishing emails, for example. Without automation, analysts are required to jump from system to system to test email content for malicious attachments, phishing URLs or suspicious requests for sensitive information, leaving little to no time to respond effectively. These tasks should be completely automated and integrated, leaving more time for human insight and response — the real meat of the SOC’s job.
3. Increase Response Times
Incident response teams commonly fall behind in the daily grind of combing through alerts, prioritizing problems, and responding to threats. And the impact that missing alerts or key details on a security event has is far more serious than a Gmail attachment not uploading to Dropbox or a LinkedIn contact not syncing to Google Contacts. It means threats are slipping through and the attackers are winning. The cards are stacked against SOCs, but orchestration could be the saving grace for security professionals by providing machine-to-machine automation that saves time and costs.
4. Integrate Tools
One of the biggest impediments to operational efficiency is having to manage tons of apps that simply don’t integrate well enough. This means SOCs have to spend time chasing around data across these apps in an attempt to piece the information together. But if managing systems that don’t play well together is no longer how we handle even our personal apps (e.g. Twitter, Instagram, Dropbox) or business apps (e.g. Salesforce, Trello, Wordpress), it certainly shouldn’t stand in the way of how we do things on the security side. With security orchestration, SOCs can seamlessly connect security tools and leverage top workflow recipes to begin immediately reaping the benefits of automation.
5. Take Coding Out of the Equation
One of the big reasons why modern productivity tools are as popular as they are is that anyone can set them up, not just developers.
To date, security pros have had to beg their developers to find time to custom code workflows and integrations for them, a painful process indeed. This ad-hoc approach also comes with a whole slew of other issues, such as having to maintain a huge codebase to integrate all these apps. With the advent of security orchestration platforms looking to cut code out of the equation, all of these issues go away, effectively bridging the security-talent gap since programming isn’t a needed skill here. Security orchestration systems typically come pre-populated with recommended integrations and workflows you can immediately use, and it can also help you build your own custom ones.
This paradigm shift in operational efficiency only means good things for the SOC of the future. No more feelings of overwhelm, worries of missed intrusions, or continued alert fatigue. By automating the tedious and focusing on gaining insights for effective responses, we believe the entire security community will move forward and put attackers back in their place.
For a glimpse on how to get started with adding automation to your security operations, you can download our eBook on best practices.