What is Orchestration?

Orchestration is a system of autonomic actions. A common example of orchestration is immediately responding to an event by blocking the offending address at the firewall. This example makes orchestration appear to be no more than integration. Orchestration is different: it focuses on the process being independent of a person, a reaction of the system itself.

Orchestration’s value resides in:

  • Autonomic, not automated
  • Finding trigger events
  • Scalability and Vigilance

Fluency is security orchestration before there was a term and market space for it. Fluency’s vision is the ability to scale processes, while maintaining constant vigilance to new issues.  Scaling the processes of hunting, response and tracking results in more than reducing costs.  Orchestration is always on, meaning that the processes are vigilant. 

True orchestration frees staff from monitoring and performing simple tasks. It is estimated that 95% of an analyst’s job is performing repetitive tasks. Removing these repetitive tasks benefits the company by shifting the work performed by security people toward their expertise.

Autonomic versus Automated

The relationship between autonomic and automated is similar to that between orchestration and integration: integration automates processes, while orchestration makes them autonomic. For something to be autonomic, there needs to be a definable start, a trigger event. When a particular type of event occurs, an automated process begins. The result of a process may still need human interaction, but the human involvement comes much later in the process, and sometimes never.

Trigger Event

A system’s ability to determine trigger events is the greatest leap in technology for orchestration. If a security device is capable of detecting and responding to what it sees, why is orchestration needed at all? If one product can send a block request to a firewall, why is orchestration needed? It is the ability to decide what is being acted on that separates orchestration from integration.

Trigger events are at the center of understanding the quality and capability of orchestration. This is why orchestrating a block at the firewall is a bad example: it gives little insight into the correctness of the decision to block. A trigger event does not just initiate an action; it represents the need to make a decision.

The ability to make a decision is why machine learning and artificial intelligence are often a criterion of orchestration. An orchestration platform that has no decision capability is merely an integration and aggregation platform where users must hard-code the decision processes and associate them with explicit trigger events. The result is inflexible and people-intensive, the opposite of what orchestration has to offer.

Scalability and Vigilance

Orchestration is powerful. It removes people from the equation, which lets it scale and stay vigilant. While much of the focus is on increasing the productivity of staff, the true power of orchestration is its ability to shift staff away from routine jobs. This aspect is important, as the amount of data is increasing dramatically. Reducing the amount of data is a mistake because, as stated, the key aspect is the decision, and decisions are driven by data. The only means to both take advantage of the increased data and perform operations within a budget is to automate the detection and validation of events through correlation.


The purpose of this article was to provide a solid understanding that orchestration is the autonomic implementation of a decision-oriented process. This is the foundation of Fluency’s design. The process starts with a decision on an event that triggers an autonomic process. Fluency’s orchestration can hunt, scope, notify, respond and track in an autonomic manner. The advantage is that the processes scale with the amount of data and are vigilant.