Ask a group of security analysts about the challenges of working in cybersecurity, and you’ll likely hear some common themes....
Related Category: Security Operations
Type of Content: Articles
Considering these challenges, it’s no surprise that security teams feel perpetually overwhelmed.
Many teams have turned to security orchestration, automation and response (SOAR) tools as a remedy.
A SOAR tool can orchestrate security actions (like investigations, triage, and response) across various security products in a team’s arsenal, and automate otherwise manual repetitive security tasks.
But not all SOAR tools are created equal. A best-of-breed SOAR solution will provide a set of capabilities that can completely revolutionize how you do security operations. These capabilities will allow you to:
There are 10 essential capabilities of a best-of-breed SOAR tool that will allow you to achieve these outcomes.
| Capability | What a best-of-breed SOAR tool should deliver |
|---|---|
| Orchestration | Machine-based coordination of complex workflows across disparate security tools, increasing the efficiency and speed of your security operations. |
| Automation | Machine-based execution of otherwise manual, interdependent security actions using "playbooks," so that work is done in seconds rather than hours. |
| Event and Alert Management | Queuing and prioritization of inbound security events and alerts so analysts can perform triage more efficiently. |
| Case Management | A component that drives the broader, cross-functional lifecycle of a security case, from creation to resolution. |
| Collaboration | Built-in chat and notes that facilitate communication across the security team and thereby accelerate the resolution of security events. |
| Metrics and Reporting | Measurement of the tool's effectiveness and identification of where improvements can be made to increase ROI. |
| Mobility | Control of the SOAR tool from the analyst's mobile device, allowing faster response times and alert triage on the go. |
| Scalability | A platform that grows with the organization; as more use cases are added over time, the platform must absorb the additional processing load. |
| Open and Extensible | Easy incorporation of new security scenarios, products, actions and playbooks. |
| Community Powered | A strong community model that makes sharing integrations and playbooks easy. |
Let’s take a deeper look at each of these capabilities:
Orchestration is defined as the machine-based coordination of complex workflows across different security tools and is an essential capability for a SOAR tool.
When a security team responds to a security incident, it uses a multitude of different security tools. Each tool plays a different role within a defined workflow, depending on the type of incident. For instance, tell VirusTotal to check a file's reputation, use your firewall to block an IP, and then use your endpoint security tool to block an executable. Without orchestration from a SOAR tool, the security team coordinates these workflows manually. A SOAR tool instead integrates with each deployed security tool through its API and coordinates workflows across them to detect, investigate or respond to particular security incidents. For comparison, if your security tools are the instruments of a symphony orchestra, your SOAR tool is the conductor, ensuring that every instrument plays in sync and on time.
When evaluating a SOAR tool, the orchestration function should direct and oversee all activities relating to a given security scenario from beginning to end. It should be able to ingest security data from any data source and in any format, both by receiving data pushed to the platform and by polling data sources itself. Furthermore, the orchestrator should ensure that the output of one action is parsed, normalized and structured so that later actions can consume it. One practical caveat: because the orchestrator holds API credentials for every integrated tool, those credentials should be scoped to the actions the playbooks actually need, and every action the platform takes should be logged, since a compromised orchestrator can block, quarantine and query across the whole environment.
Automation is defined as the machine-based execution of otherwise manual, interdependent security actions using “playbooks.” In other words, it’s the workhorse of most SOAR tools. While the orchestrator enables integrations and coordination across security tools, playbooks automatically execute the interdependent actions from each security tool in a particular sequence — without the need for human interaction.
Most security analysts spend their days on repetitive, mind-numbing security tasks that are executed manually. Automation using playbooks should let the team execute a collection of these actions in seconds, versus minutes or hours by hand. For instance, a phishing investigation that requires multiple actions across four or five different security tools and takes approximately 40 minutes when done manually should take under a minute with an automated playbook. In this way, SOAR tools can drastically reduce mean time to detect (MTTD) and mean time to respond (MTTR).
Playbooks should be easy to create and modify. The automation editor within a SOAR tool is where an analyst or manager codifies their processes into automation playbooks. The editor should allow for both source code editing and visual editing. This allows all security team members, regardless of preference or coding expertise, to construct comprehensive and sophisticated playbooks. While constructing the playbook in a visual editor, the resulting playbook source code should be generated in real-time and be accessible to the author — with seamless toggling and editing between the visual and source code editor.
The visual playbook editor should be intuitive and user-friendly, providing a canvas where visual playbooks can be constructed. Using blocks and other shapes to represent meaningful steps in the playbook, a user should be able to build a playbook that connects actions in a one-to-one, one-to-many or many-to-one fashion to dictate the order of execution. Each shape should represent different action executions, platform API calls, conditional statements (if/then), human interaction prompts and branching statements. By clicking each shape, you can manually enter the action or parameter, or select them from a list. Also, new information resulting from preceding action executions should be available as inputs, or parameters, to downstream actions or decision blocks.
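To make the orchestration and playbook mechanics described above concrete, here is an added illustration in Python; it is not Splunk Phantom's, or any vendor's, playbook code. The VirusTotal-style, firewall and endpoint connectors are simulated stand-ins that return constructed data, the `Step`/`run_playbook` structure and the 10% detection threshold are assumptions made for the example, and the sample alert and hash hit counts are constructed. It shows three things the text asks of a SOAR tool: actions coordinated across several tools, each tool's differently shaped output normalized so downstream steps can consume it, and a playbook with conditional branches, a human-approval prompt before the destructive firewall action, and an escalation branch for the failure mode where the reputation lookup returns nothing usable.

```python
"""Minimal SOAR-style playbook runner (added illustration, not any vendor's API).

Shows orchestration across several tools, normalization of each tool's output so
later steps can consume it, and a playbook with conditional branches and a
human-approval prompt.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# --- Simulated connectors: stand-ins for real API integrations ---------------
# Constructed sample data; the hit counts are invented, not real verdicts.
SIMULATED_REPUTATION_DB = {
    "44d88612fea8a8f36de82e1278abb02f": {"positives": 57, "total": 70},  # EICAR test file MD5
    "d41d8cd98f00b204e9800998ecf8427e": {"positives": 0, "total": 70},   # empty-file MD5
}

def reputation_lookup(file_hash: str) -> Dict[str, Any]:
    """Simulated VirusTotal-style query; unknown hashes return no detections at all."""
    return SIMULATED_REPUTATION_DB.get(file_hash, {"positives": 0, "total": 0})

def firewall_block_ip(ip: str) -> Dict[str, Any]:
    """Simulated firewall API with its own response shape."""
    return {"status": "ok", "rule": f"deny {ip}"}

def edr_block_hash(file_hash: str) -> Dict[str, Any]:
    """Simulated endpoint tool API with a different response shape."""
    return {"result": "blocked", "hash": file_hash}

# --- Normalization: every action yields {"ok": bool, "data": {...}} ----------
def normalize_reputation(raw: Dict[str, Any]) -> Dict[str, Any]:
    positives, total = raw["positives"], raw["total"]
    # total == 0 means the lookup produced nothing usable, not that the file is clean.
    return {"ok": total > 0,
            "data": {"malicious": total > 0 and positives / total >= 0.1,  # assumed threshold
                     "positives": positives, "total": total}}

def normalize_generic(raw: Dict[str, Any]) -> Dict[str, Any]:
    ok = raw.get("status") == "ok" or raw.get("result") == "blocked"
    return {"ok": ok, "data": raw}

@dataclass
class Step:
    name: str
    run: Callable[[Dict[str, Any]], Dict[str, Any]]          # context -> normalized output
    condition: Callable[[Dict[str, Any]], bool] = lambda ctx: True
    needs_approval: bool = False                              # human interaction prompt

@dataclass
class RunRecord:
    executed: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)
    context: Dict[str, Any] = field(default_factory=dict)

def run_playbook(steps: List[Step], alert: Dict[str, Any],
                 approve: Callable[[str], bool]) -> RunRecord:
    """Run steps in order. Each step's normalized output is stored under its name
    in the shared context, so downstream conditions and actions can use it."""
    rec = RunRecord(context={"alert": alert})
    for step in steps:
        if not step.condition(rec.context) or (step.needs_approval and not approve(step.name)):
            rec.skipped.append(step.name)
            continue
        rec.context[step.name] = step.run(rec.context)
        rec.executed.append(step.name)
    return rec

# --- Decision helpers used as branch conditions -------------------------------
def lookup_failed(ctx): return not ctx["reputation"]["ok"]
def is_malicious(ctx): return ctx["reputation"]["ok"] and ctx["reputation"]["data"]["malicious"]
def is_benign(ctx):    return ctx["reputation"]["ok"] and not ctx["reputation"]["data"]["malicious"]

# Phishing-attachment playbook: reputation -> (block IP after approval, block hash)
#                                          -> close as benign
#                                          -> escalate when the lookup gave nothing
PHISHING_PLAYBOOK = [
    Step("reputation",   lambda c: normalize_reputation(reputation_lookup(c["alert"]["file_hash"]))),
    Step("block_ip",     lambda c: normalize_generic(firewall_block_ip(c["alert"]["src_ip"])),
         condition=is_malicious, needs_approval=True),
    Step("block_hash",   lambda c: normalize_generic(edr_block_hash(c["alert"]["file_hash"])),
         condition=is_malicious),
    Step("close_benign", lambda c: {"ok": True, "data": {"disposition": "benign"}},
         condition=is_benign),
    Step("escalate",     lambda c: {"ok": True, "data": {"queue": "tier2-analyst"}},
         condition=lookup_failed),
]

def run_phishing(file_hash: str, src_ip: str = "198.51.100.7", approved: bool = True) -> RunRecord:
    """Convenience wrapper: build a constructed alert and run the playbook."""
    alert = {"file_hash": file_hash, "src_ip": src_ip}   # constructed sample alert
    return run_playbook(PHISHING_PLAYBOOK, alert, approve=lambda step_name: approved)

if __name__ == "__main__":
    rec = run_phishing("44d88612fea8a8f36de82e1278abb02f")
    print("executed:", rec.executed, "skipped:", rec.skipped)
```

The design point worth noticing is the `ok` flag carried in every normalized output: a reputation service that returns zero detections because it has never seen the hash looks identical to a clean verdict at the raw-API level, and a playbook that branched only on `positives == 0` would auto-close a real phishing case. Separating "the lookup worked" from "the verdict is benign" is what lets the escalation branch fire instead.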