Security orchestration: beware of hidden financial costs

Among the many improvements in cybersecurity technology and tools we have seen in recent years, one of the most significant has been the inclusion of security automation and orchestration capabilities in solution categories beyond SOAR platforms. SIEM vendors acquired stand-alone SOAR platforms, and endpoint detection and response (EDR) solutions were expanded to include automation and orchestration capabilities to accelerate threat detection and response. What’s next?

Previously, I focused on the evolution of automation from a process-driven to a data-driven approach to unlock even greater efficiencies and effectiveness. Here, we’ll take a closer look at how orchestration is evolving and providing additional benefits.

First, a bit of level setting. We tend to talk about orchestration and automation at the same time and use the terms interchangeably, but they are quite different. Automation is about making individual steps (for example, searching for a domain or blocking a port) happen faster to increase the efficiency of security operations, whereas orchestration is about making multiple systems in the Security Operations Center (SOC) work together so that you can detect, remediate, and respond across the infrastructure.

Integration provides plumbing

With that definition, the first thing that comes to mind when you think of orchestration is integration, so that disparate systems can communicate with each other despite using different languages and formats. Most organizations have a complex cloud-based and on-premises security infrastructure consisting of multiple products from multiple vendors to create layers of defense, including firewalls, IPS/IDS, routers, web and email security, and endpoint detection and response (EDR) solutions. They have SIEM and other tools that host internal threat and event data (ticketing systems, records management repositories, case management systems) and a range of external threat intelligence feeds and sources. An extensible, open architecture platform enables strong integration and interoperability with your existing tools and with new security controls adopted to address emerging threats, providing a flexible path to orchestration.

Data-driven enables better decisions

However, as more security teams go down the path of automation and integration, another important aspect is emerging: the financial consequences that follow from how some of the tools you connect to are licensed. The more data you send to certain systems, the more charges you may incur based on the amount of storage used. And some of the services you use may have a “pay per drink” model: you have a limited daily capacity of searches, each search is subtracted from the total allowed, and once you exceed that limit, additional fees are imposed. If you’re driving automation and orchestration with a process-based approach that disregards the data being processed, actions are taken on events that aren’t high priority or even relevant. Few security teams think about the financial impact of storing unnecessary data or constantly querying their systems without a solid basis for doing so.

The best way to make better decisions to avoid these unintended financial consequences is to turn on automation and orchestration only on relevant things. How do you do that?

A data-driven approach, where you contextualize first to make sure whatever action you’re automating has value, can ensure you’re consuming license capacity only on events that really matter. With a platform that aggregates, normalizes, and correlates internal and external data, you can tap into the wealth of all available data to get a complete picture of what’s going on. This includes contextualizing the data with additional intelligence, such as internal observations of network activity and file behavior. Now you can turn to external data sources to learn more about campaigns, adversaries, and their tactics, techniques, and procedures (TTPs), confident that when you search for associated artifacts in other tools across the enterprise, you’re not sending irrelevant requests or consuming unnecessary storage.

With the scope of malicious activity and all affected systems identified and confirmed, you can orchestrate a comprehensive and coordinated response. You can take the right actions across multiple systems and send associated data to the right tools in your defensive network immediately and automatically to speed response. Blocking threats, updating policies, and resolving vulnerabilities are done faster. A data-driven approach also leverages two-way integration to send response data to a central repository for learning and improvement.
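To make the cost argument of the two preceding passages concrete, here is an added example (not code from the column or from any ThreatQuotient product): a small orchestration gate that scores each alert against constructed internal context before spending a query on a lookup service whose license meters searches per day. The tool, the scoring weights, the quota and the overage fee are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
@dataclass
class MeteredTool:
    """Constructed stand-in for a lookup service licensed per daily search."""
    daily_quota: int
    overage_cost: float      # assumed fee charged for each search beyond the quota
    used: int = 0

    def search(self, indicator: str) -> float:
        """Spend one search; return the overage charge it incurs (0 if within quota)."""
        self.used += 1
        return self.overage_cost if self.used > self.daily_quota else 0.0

def relevance_score(event: dict, context: dict) -> int:
    """Contextualize first: combine internal observations into a relevance score."""
    score = 0
    if event["indicator"] in context.get("seen_on_network", set()):
        score += 2                 # internal telemetry actually observed it
    if event["asset_tier"] == "critical":
        score += 2                 # touches a high-value asset
    if event["indicator"] in context.get("known_benign", set()):
        score -= 5                 # allowlisted: never worth a metered query
    return score

def orchestrate(events, context, tool, threshold=2):
    """Query the metered tool only for events at or above the threshold; returns (queried, skipped, overage_cost)."""
    queried, skipped, cost = [], 0, 0.0
    for ev in events:
        if relevance_score(ev, context) >= threshold:
            cost += tool.search(ev["indicator"])
            queried.append(ev["indicator"])
        else:
            skipped += 1
    return queried, skipped, cost

SAMPLE_EVENTS = [  # constructed alerts using RFC 5737 documentation addresses
    {"indicator": "203.0.113.5", "asset_tier": "critical"},
    {"indicator": "update.example.com", "asset_tier": "critical"},
    {"indicator": "198.51.100.9", "asset_tier": "standard"},
    {"indicator": "203.0.113.77", "asset_tier": "standard"},
]
SAMPLE_CONTEXT = {  # constructed internal context from the aggregation platform
    "seen_on_network": {"203.0.113.5", "203.0.113.77"},
    "known_benign": {"update.example.com"},
}

def compare_approaches(events=SAMPLE_EVENTS, context=SAMPLE_CONTEXT):
    # process-driven: query every alert; data-driven: only those that pass the context gate
    process_driven = orchestrate(events, context, MeteredTool(2, 1.5), threshold=-99)
    data_driven = orchestrate(events, context, MeteredTool(2, 1.5), threshold=2)
    return {"process_driven": process_driven, "data_driven": data_driven}
```

With a daily quota of two searches, the process-driven run spends four searches and incurs overage on two of them, while the context-gated run queries only the two indicators internal telemetry actually observed and stays within quota.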

There’s a lot of value in getting systems to work together, but don’t overlook the clear connection to your wallet when you automate and orchestrate workflows across different systems. A data-driven orchestration approach helps you make the right decisions and take the right actions faster, with the added value of reducing the impact on your budget.

Marc Solomon is director of marketing for ThreatQuotient. He has a strong track record of driving growth and building teams for fast-growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient, he served as vice president of security marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting, and HP. Marc also serves as an advisor to various technology companies, including Valtix.
