Let’s imagine you are designing a new city. You want this “city of the future” to be an ultra-efficient urban dwelling, hyper connected with easy-to-use public transportation (take notes, Boston). Would you design and build your entire city, and then decide how to connect it via these different transportation methods?
In short, no. If your true goal is to have a connected and efficient city, then you’ll be thoughtful throughout the development process to make sure your design supports this type of hyper connectivity and maximization. At Rapid7, this same thought process can be applied when you are looking to implement security orchestration, automation, and response (SOAR) in your environment.
SOAR can help maximize efficiency by giving your security team the ability to integrate your disparate security tools and automate manual, time-intensive security-related processes so that you and your team’s time can be spent much more strategically. Not only will you be able to break down various barriers within your security team, but also in other areas of the business.
And just like designing a city, you should take certain factors into consideration when building your security stack so that you can enable security automation and orchestration. With a thoughtfully implemented tech stack, you’ll likely see larger returns and more possibilities.
So, how do you build a tech stack while planning for security orchestration and automation? We’ve got a few pointers:
1. Evaluate Your Security Processes
To start, think about the processes you and your team spend most of your time performing. By looking at each process from a high level, you should be able to answer the following questions:
- What are the overarching goals of the process?
- Are the tasks well defined and repeatable?
- Is the process achievable for your current team and tool set?
- Will the process scale?
Next, dig deeper into these processes. Map out each step. What kicks off the process? What other tasks need to occur? Are there other teams involved?
This should also give you an idea of where human insight might be helpful. It may be possible to completely automate some of these processes, but in many situations you will want to layer human checkpoints between automated actions.
When you begin to implement security automation and orchestration in your environment, starting with these time-intensive processes and running through this checklist will provide quick wins to build a successful security orchestration and automation foundation.
2. Audit Your Current Suite of Security Tools
With the processes you have just evaluated, what associated tools do you use? Keeping tabs on these tools will be an important part of the design. Your current manual processes will likely involve using multiple products, as will your automated processes. You’ll want to list each of these tools out, and understand how they will fit into your automation goals.
The next questions to consider revolve around vendors and openness. When auditing your current tech stack, ask:
- Do these vendors and tools have open APIs, and if so, how open are they?
- Are their APIs well-documented?
- How often do these APIs change, and how are these changes communicated?
- Do these vendors offer support for developers who look to utilize their APIs?
- Are they commonly announcing technical partnerships with other vendors?
- Is there a cost associated with accessing their API?
These are a few key points that will help you determine the level of effort it will take to build automation between your tools. And for future purchases, you’ll be better equipped to pick the right technology for a security orchestration and automation-enabled stack, ultimately helping you get more value from your suite of tools.
At this point, you can also get more granular with the requirements for your tech stack. There will be scenarios where certain actions won’t be a good fit for automation, and a vendor will have a good reason for not exposing it via the API. If certain functionality that you require is not available via the API, determine which tools and actions, and how they’ll fit in with your new, automated processes. Oftentimes, these tasks are great candidates for a person to perform. Which leads me to my next point ...
3. Highlight Automation Gaps and Determine Human Checkpoints
As you identify gaps in your processes and technology with relation to implementing security orchestration and automation, you’ll need to think about how these non-automated tasks will be handled.
You have a few options:
- Work with the vendor to understand their roadmap. Are they moving in a direction that will enable automation?
- Apply pressure where necessary. If their roadmap does not line up with your automation goals, you might consider investigating alternative solutions.
- Mark that step as an area where human intervention may be necessary. Whether you’re working with a vendor to get that action added to the API or you’ve determined that the task is too risky for automation, partially automated processes still provide value to your security team.
It’s important to understand that human intervention does not reflect failures in the process itself. There will be tasks that you may not feel comfortable automating, so you’ll want to make room for human decision points in those scenarios.
This is where a security orchestration, automation, and response solution shines. Unlike custom-built orchestration and automation, a security orchestration and automation solution like Komand is designed to complement your security team by providing building blocks for automation, and allowing an automated process to pause so a person can step in and provide needed context or perform a business-critical task, such as patching a production server.
Another benefit of a security orchestration and automation solution? A library of integrations at your fingertips, with the APIs and data structures managed by the vendor. You won’t need to spend time maintaining APIs or chasing down the documentation—you’ll be empowered to build automation right away, instantly providing value to your team and company.
Maximizing Your Technology Investment with Security Orchestration, Automation, and Response
If your team wants to maximize efficiency and connectivity through security orchestration and automation, I urge you to take the aforementioned considerations into account with every building block that you put into place.
Security orchestration and automation can act as the glue that will connect the people, processes, and technology of your security program together so that you can achieve maximum efficiency. And with a solution in place like Komand, you’ll bolster the capabilities of your tech stack, allowing your team to actively respond to threats faster than ever before.