How Security Orchestration Optimizes Time-to-Response in Enterprise Security Operations

Last updated at Tue, 05 Dec 2017 23:46:41 GMT

On average, it takes companies six months to discover a security breach. In that time, attackers can do serious damage. In fact, the reality is that hours and even minutes matter when it comes to security breaches, which can cost companies thousands of dollars per hour and an average of $4 million per incident. Tick tock, tick tock.

The good news is that today’s security technologies are speeding up and optimizing time to response (TTR) in enterprise security operations. Below, we’ll explain how security orchestration in particular can make a huge difference when it comes to responding to threats in a timely fashion.

Part One: Speeding Up Detection

Of course, you want to respond to security incidents as quickly as you possibly can, but you can’t respond to incidents you don’t know about. So the first piece of speeding up TTR is speeding up detection. Orchestration can help you speed up detection by enriching the quality of the security alerts you receive.

Enterprise security experts are all too familiar with the nonstop alerting that is often the hallmark of security information and event management (SIEM) products. There’s no question you want to get alerts about incidents that matter—ones that require further investigation and action. But if you are dealing with hundreds or thousands of false alarms every day, that reduces your odds of being able to respond to the ones that actually mean something.

To help you execute the delicate balancing act of keeping up with SIEM alerts, security orchestration integrates your systems to automate the querying of logs, lookups, and more. That means fewer false positives and more time to focus on real threats.

Part Two: Speeding up Investigation

Once you know that a real security incident has occurred (not just another false alarm), you want to investigate the incident as quickly as possible. Easier said than done with disparate systems that don’t talk to each other or present data in an easy to digest format.

As an example, let’s take a look at phishing emails. If you’re alerted to a potential phishing attempt, you want to investigate the details fast. Historically, security analysts would need to manually search for malicious attachments, track down phishing URLs, and pinpoint suspicious requests for sensitive information.

This requires experts to jump from email to logs to threat intelligence sources, testing hypotheses and put into context what exactly happened. But manual investigation can take a long time, which of course extends TTR.

With orchestration in play, your security team can automate routine investigatory tasks, so that they can focus on applying human analysis where it matters and not digging through logs to pinpoint minute details.

Part Three: Speeding up Response

Once an incident has been detectedand investigated, it’s time to respond. Response can range from sending a malware poison pill to revoking unauthorized user access, depending on the incident. Regardless, the faster this happens, the better you’ll be able to contain the damage and minimize recovery efforts.

Let’s continue with the unauthorized user example here. Let’s say you discovered that a former employee has been logging into your system and siphoning off corporate IP to share with a new employer. Orchestration can speed up the response portion of the process by locating the user across all of your services and quickly shutting down their access all at once. Orchestration makes it possible to automate the removal of users, protecting systems and data within your organization.

Orchestration Brings Incident Response Together

The reason orchestration is able to speed up time to response is that it allows each of your servers, systems, and software programs to talk to each other and work in harmony. Setting up automated workflows between all these components means that you don’t have to jump between vulnerability management, user provisioning, and threat intelligence to piece together the full picture of an incident.

Anything machines can do better than humans should be automated, and that’s what orchestration is all about. That way, our human security experts can spend their time providing the unique insight and analysis that computers will never be able to replicate. It’s the best of both security worlds, made possible by orchestration.