Orchestration and automation are two terms gaining attention, praise and momentum in cybersecurity. Automation can save an organization 30% or more of its time, allowing analysts and engineers to focus on more complex tasks. That time translates to hundreds of thousands of dollars over the course of a year. With so many options to choose from, having basic steps to understand the workflow is imperative. This article dives into the ins and outs of automation and orchestration and provides tangible steps any organization can take to transform its business and bottom line.
Brief History of Automation
While the idea of automation can be traced back to ancient times with the Maya and the Greeks, the term "automation" wouldn't be used formally until the 1900s in the automobile industry. This is where people working the assembly lines were replaced by robots to reduce cost, improve efficiency and increase the speed of production. Adding this function to the factory meant that robots could work 24/7/365 and produce products and results at rapid speed. Over time this process grew, moving all industries to adopt automation in their product development and revamping the way we look at the process. Security was no different.
What are Automation and Orchestration?
We sometimes see these terms used interchangeably across the security and IT space; however, they are not the same and shouldn't be confused. In basic terms, automation refers to setting up one task to run on its own. Think of scheduling a job to run backups every day: you configure the task to run every day at 8pm and the system runs it automatically with limited to no human interaction.
On the other hand, orchestration is automating a series of individual tasks in a workflow or process, working together to accomplish a common goal. Orchestration is like an orchestra: various instruments working together to make a beautiful sound and song. You could have each individual instrument playing on its own, but then the whole picture would be missing.
In the security space, the acronym SOAR is often used to describe the convergence of Security, Orchestration, Automation, and Response, adding the security and incident response elements to the mix.
Why SOAR? Challenges and Benefits
As security threats continue to increase while the number of skilled cyber professionals remains low, organizations are more susceptible to alert fatigue, missed intrusions and attacks through various holes in the organization. Organizations also suffer from a lack of resources such as funding and training, causing analysts and engineers to seek employment elsewhere and leaving the company more vulnerable. The biggest challenge for organizations is understanding their entire ecosystem. This ecosystem includes assets, data, applications and people. You can't secure or respond to incidents if you do not know what is going on in your space.
While these are challenges, there are ways to combat them and get tangible benefits from implementing automation and orchestration in your environment. One of the biggest benefits is getting a grasp on what your ecosystem looks like. SOAR allows companies to reduce cost by automating routine, mundane tasks. Analysts and engineers are able to push some of their workload onto the system and dive into more complex issues in the environment, which makes for a much more rewarding and challenging place to work. Another benefit of SOAR is reduced human error. When you automate tasks, you won't get eight different views on the same topic, because you have programmed the system to look at specific data and provide a consistent answer that helps your teams respond better to potential issues.
The 5 W’s plus How
Understanding what SOAR is, is the first step in moving towards automation and getting comfortable with orchestration. But how do you implement this in your environment? Let's take it back to the basics: the 5 W's + H. The who, what, where, when, why, and how.
Who: before moving forward with implementing automation and orchestration, you have to identify the key stakeholders in the organization that should be involved in the conversation. These stakeholders should include:
- Analyst – This person will be on the front line handling any and all incidents that occur. The analyst is also involved in developing the incident response and operational runbooks.
- Engineer – This person will be responsible for ensuring that any SOAR technology purchased is maintained and fine-tuned throughout the implementation process.
- Business Unit Rep – These are people who can provide insight into their unit's specific requirements. This group is optional, but there should be representation.
- Program Sponsor – This person advocates for the benefits of the program and helps push it through to senior leadership as needed. This can be the head of the security department or of another IT department that understands security as well as the business requirements.
- Program Manager – This person helps keep the program on track throughout its lifecycle.
Other individuals may be involved in the process based on specific organizational needs and requirements.
What: now that the key stakeholders have been identified, let's look at how processes are currently being handled. Which use case(s) should we be looking at? This is where established runbooks or SOPs come into play. If these aren't created or documented anywhere, now is the perfect time to start!
When thinking about which processes to automate, look at the things that eat up your analysts' time. What hardships are being expressed? What redundant tasks can be reduced or removed? What additional resources are being used that aren't needed? These are some of the questions that should be asked, and they will lead you to processes that may no longer be useful or that can be tweaked for efficiency. Not every process needs to be automated, and not every process can be. Identify those now and continue the process of identifying what can and should be automated.
Where: once we have stakeholders and understand which of our processes can be automated, we need to know where assets, data, applications, and people reside in the ecosystem and how our processes will interact with each of them. This is where orchestration is important. Being able to successfully orchestrate changes and updates throughout your environment, across firewalls and through other networking and endpoint devices, is vital for a fully functioning program.
Network diagrams that include both on-prem and cloud-based assets help with determining which tasks should be automated and which shouldn't. Consider the criticality of each system when deciding whether a task should stay manual or be automated.
When: understanding when automation should happen and when manual intervention is needed falls in line with the "what should be automated" piece. The pain points, the cost benefits of automation, and the growth potential and scale of your business will all play a part in when automation should occur. Make sure your organization starts comparing the costs it will incur against what will be saved as it moves toward automation.
Why: the biggest question of all, and the first thing you should think about, is why you want to automate. The why encompasses all the other areas: the who, what, where, and when in this equation. Before you even move into the automation and orchestration world, you have to know the reason you are doing it. This will help you formulate a process to get started. Think about what the end goal is and what success looks like for your organization. Capturing metrics on program progress will keep your organization aligned with the "why" of automation.
How: so how do we do this, and how do we start? Some of this has been mentioned earlier, but having a short checklist can help you tackle the process more effectively.
- Start small. Don't go in guns blazing like the wild wild west. Doing that will cause burnout at all levels, and the buy-in may disappear. Build a plan that tackles some of the low-hanging fruit and can produce quick wins and a positive ROI for you and the organization.
- Build a plan that can scale to more complex issues and tasks. With a roadmap of where you are trying to go and what success looks like, you can stay on track and keep reporting on your successes and any hiccups.
- Identify the assets, data, and people that will be part of the development of the program.
- Build your runbooks if you don't already have them. This makes automation run more smoothly and makes it easier to update or remove processes.
- Identify technology to assist with the program. Technology hasn't been mentioned until now because understanding your requirements and your environment is vital before you purchase millions of dollars' worth of tools. Not every tool will fit your budget or your company, so think about technology as one of the last steps before fully implementing a program.
- Continuous monitoring should be part of every program you bring into your environment. It is how you keep track of successes and failures and determine where to shift gears and go another route.
- Have fun with it. Automation and orchestration help your organization and your teams be more efficient and get into some of the more challenging and complex issues. The success of this program relies on the success of your teams.
As time goes on, more and more organizations will bring automation into their environments and start to see the true value of such a program. Implementing it has a lot of moving parts, so prepare yourself now. Once you start, keep going, keep improving the program, and stay engaged.