As the security market undergoes fundamental shifts towards adaptive and risk-based security, there is a growing demand for innovations and new technologies that increase an organization’s effectiveness. Automation of processes and intelligent coordination across disparate systems help besieged organizations to resolve operational issues and rapidly improve efficiency.
Objectives in SAO
· Central Correlated Log Management
· Focus on detection, recovery, and response
· Repeatable and Measured Processes
· Scale through Automation
· Adaptive Security
Despite the disruption caused by the introduction of cloud-based business models and by visible gaps in prevention technology, security processes in most medium-to-large organizations have not yet adjusted. The problem is compounded by detection and response that still rely on manual, outdated procedures: handoffs by email and manual validation of every event slow both detection and response. This leaves systems exposed by widening the gap between recognizing an incident and acting on it, and the result is inefficient responses with significantly longer response and containment times. As the Verizon breach reports note, longer response times correlate directly with significantly higher costs.
This does not mean the end of life for current prevention-based security controls. A true SAO approach leverages prevention and at the same time modernizes the processes needed to implement a response. SAO addresses the need for timely response and for scalability.
According to Gartner, “Many organizations lack established organizational knowledge of detection and response strategies in security because preventive approaches were the most common tactic for decades. Skill sets are scarce and, therefore, at a premium, leading organizations to seek external help from security consultants, managed security service providers (MSSPs), and outsourcers.” (Gartner Newsroom, March 2017)
Innovative CTOs and CISOs are realizing that the all too common “expense-in-depth” strategy usually leads to wasteful spending and an overwhelming number of security alerts for already strained monitoring and analysis staff. A March 2017 Forrester report titled Breakout Vendors: Security Automation and Orchestration – SAO stated, “Simply put, we have too many technologies and not enough people.”
While the modern enterprise may have dozens of products for specific security functions, each usually requires a human analyst to watch its console, waiting for anomalies to validate and report. Assigning junior personnel to review this data means that the least qualified person is making security decisions.
SAO automates these mostly mundane tasks, performing actions automatically and seeking human input only when a decision of consequence must be made. Rather than replacing any element of an organization's existing security posture, SAO is designed to combine the strengths of the various products, the collected data and its analysis, and the technicians who operate them in the most effective way possible.
The most effective SAO tools recognize that, just as no person is an island, neither is any single security product. Coordinating all security assets through an integrated user interface and messaging system is therefore paramount. These systems should also be able to implement changes in the environment autonomously, within the bounds of policy, as anomalies are detected in real time. Unlike many of the solutions introduced over the past decade, this has the potential to genuinely upgrade security processes and to offer an increasing return on investment for years to come.
SAO offers managed, measurable, policy-based action driven by prioritization and validation, so that automated response is aligned to the risky and critical issues. By spanning multiple devices and interfaces, it allows rapid detection and a quicker, more accurate, and more efficient response process. Automation is already a household name in many other product categories; it is now time to hand the routine parts of security monitoring and response to automation so that organizations become significantly more efficient, as well as more secure.
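The triage loop the preceding paragraphs describe, shown as an added example rather than Fluency's or any vendor's code: alerts from several tools are correlated into one case per host and indicator, validated against an allowlist and a noise rule, scored by asset criticality, threat intelligence and corroboration, and then either closed, handled by an automated playbook, or escalated for a human decision when the proposed action is consequential. The asset list, indicator lists, thresholds, action names and sample alerts are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    CLOSED = "closed"        # validated as noise; no analyst time spent
    AUTOMATED = "automated"  # low-consequence action taken by the playbook
    ESCALATED = "escalated"  # consequential action; a human must decide


@dataclass(frozen=True)
class Alert:
    source: str
    host: str
    indicator: str
    severity: int  # 1..10 as reported by the producing tool


@dataclass(frozen=True)
class Decision:
    host: str
    indicator: str
    sources: tuple
    score: int
    action: str
    outcome: Outcome


# Constructed reference data; a real platform would pull these from the
# asset inventory, threat-intel feeds and the scanner allowlist.
CRITICAL_ASSETS = {"db01", "dc01"}
KNOWN_BAD = {"203.0.113.7"}
ALLOWLIST = {"198.51.100.10"}  # authorised vulnerability scanner
CONSEQUENTIAL = {"isolate_host", "disable_account"}  # never taken without a human


def correlate(alerts):
    """Central correlation: one case per (host, indicator) across all tools."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert.host, alert.indicator)].append(alert)
    return groups


def validate(group):
    """Return False when the case can be closed without an analyst."""
    indicator = group[0].indicator
    if indicator in ALLOWLIST:
        return False
    # A single low-severity hit with no intel match is treated as noise.
    single_low = len(group) == 1 and group[0].severity <= 2
    return not (single_low and indicator not in KNOWN_BAD)


def prioritize(group):
    """Risk score: tool severity, asset criticality, intel, corroboration."""
    score = max(alert.severity for alert in group)
    host, indicator = group[0].host, group[0].indicator
    if host in CRITICAL_ASSETS:
        score += 3
    if indicator in KNOWN_BAD:
        score += 3
    score += 2 * (len(group) - 1)  # each independent corroborating source
    return min(score, 10)


def choose_action(score):
    """Policy: only high scores propose containment (assumed threshold 8)."""
    return "isolate_host" if score >= 8 else "enrich_and_ticket"


def triage(alerts):
    """Run the playbook over a batch of alerts and return one decision per case."""
    decisions = []
    for (host, indicator), group in correlate(alerts).items():
        sources = tuple(alert.source for alert in group)
        if not validate(group):
            decisions.append(Decision(host, indicator, sources, 0, "none", Outcome.CLOSED))
            continue
        score = prioritize(group)
        action = choose_action(score)
        outcome = Outcome.ESCALATED if action in CONSEQUENTIAL else Outcome.AUTOMATED
        decisions.append(Decision(host, indicator, sources, score, action, outcome))
    return decisions


def summarize(decisions):
    """Measurable process: how much of the queue never needed a human."""
    counts = {outcome.value: 0 for outcome in Outcome}
    for decision in decisions:
        counts[decision.outcome.value] += 1
    counts["human_decisions_needed"] = counts["escalated"]
    return counts


# Constructed sample batch from four different tools.
SAMPLE_ALERTS = [
    Alert("firewall", "ws42", "198.51.100.10", 4),  # authorised scanner
    Alert("edr", "db01", "203.0.113.7", 6),         # critical host, known-bad C2
    Alert("proxy", "db01", "203.0.113.7", 3),       # second tool sees the same thing
    Alert("ids", "ws17", "192.0.2.55", 3),          # ordinary single hit
    Alert("ids", "ws99", "192.0.2.8", 1),           # single low-severity hit
]

if __name__ == "__main__":
    for decision in triage(SAMPLE_ALERTS):
        print(decision)
    print(summarize(SAMPLE_ALERTS and triage(SAMPLE_ALERTS)))
```

Of the four correlated cases, two are closed with no analyst involvement, one gets an automated enrichment-and-ticket playbook, and only the corroborated known-bad connection from the critical database host is put in front of a human, because the proposed action (isolating the host) is one the policy refuses to take autonomously. The counts from summarize() are the kind of repeatable, measured figures a SAO program should be reporting.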
Chris Jordan is CEO of College Park, Maryland-based Fluency (www.fluencysecurity.com), a pioneer in Security Automation and Orchestration.