Greater tool integration allows for better orchestration and more automation of security processes, which improves threat detection and response times.
- Better tool integration enables greater security orchestration, which improves threat detection and response times.
- Greater integration also allows for more extensive automation of security processes, which further improves response times and eases the burden on cybersecurity teams.
- Best-of-breed security point solutions can be effectively merged into an integrated security architecture using off-the-shelf integrations based on open APIs.
As recent headline-making intrusions make clear, cybersecurity threats are intensifying. So how do public and private organizations get ahead of the curve?
Better integration of technologies, processes and especially people may hold the key. Greater integration allows for better security orchestration, which improves threat detection and response times. But integration also paves the way for more extensive automation of security processes — which can compensate for the shortfall of skilled cybersecurity personnel facing many companies and government agencies.
Security Tool Orchestration and SOAR
When it comes to their organization’s defenses, CISOs are reluctant to put all their eggs in one basket since a single, large-scale security suite could also become a single, large-scale point of failure. Instead, they’ve sought to layer their protections by making use of multiple tools and solutions, adopting those that are best suited for a particular type of cyber defense.
But if these tools aren’t integrated, they operate as alert-generating islands unto themselves, and the amount of data they generate can quickly overwhelm a cybersecurity team. Security orchestration is the process of incorporating a diverse array of technologies into a single, multilayered security solution, so that the different components work together to provide a complete view of the threat picture and enable a coordinated response.
The technology category most closely associated with orchestration is SOAR, a term the analyst firm Gartner introduced in 2017 that stands for Security Orchestration, Automation and Response. A SOAR-based solution aims to:
- Coordinate the activities and responses of the different security tools that have been deployed, so that they work together without impeding one another.
- Streamline the security system’s workflow, so that each element of the organization’s defenses remains dedicated to what it does best.
- Export all the data generated by these tools in a user-friendly and organized manner.
- Allow this data to be viewed on a single console and presented in a way that provides clarity and simplicity when analyzing suspicious activity.
- Adhere to clear, easy-to-follow rules and protocols in the event of an incident.
Automation and Integration with SIEM
Before there was SOAR, there was SIEM, another Gartner term introduced in 2005 to describe the then-novel integration of security information management (SIM) and security event management (SEM). Merging the two, SIEM stands for security information and event management.
A SIEM platform collects log and event data from the various elements of an organization's security stack, such as antivirus, firewall and intrusion prevention systems. It normalizes and correlates that data, raises alerts when correlated events match its rules, and produces reports based on it.
When integrated with the SIEM, SOAR programs can automatically respond to security alerts raised by the SIEM and take appropriate action. The fuller the integration, the more extensive the automation and the more immediate the response. This greatly reduces the delay associated with manual interventions, and with it the attacker's dwell time, providing a much more rapid and comprehensive response to an attack and substantially bolstering a company's defenses.
But the key to all this is the degree to which the SIEM, the SOAR and the various security applications that feed them are integrated. Without adequate integration, threat response is delayed and disjointed, as operators are forced to switch from one console to another and sift through reams of often conflicting data, much of which may be irrelevant to the immediate crisis.
Contrast this to what happens when a company’s email gateway and other systems are linked to each other through a thoroughly integrated security architecture. In this case, an event at the gateway can automatically trigger a SOAR playbook. The system automatically sequesters the suspicious file and checks the entire network to ensure that it’s been purged completely. With the proper integration, if an app containing malware is identified, the entire extended security system follows the same rules and deletes it throughout the network simultaneously. Hundreds of alerts are avoided and — more importantly — the organization’s risk level is greatly diminished.
Compensating for the Cyber Skill Shortage
With more comprehensive integration, more operator tasks can be automated — and this can be a real boon to understaffed cybersecurity teams. According to ISACA’s State of Cybersecurity 2020 report, 62% of corporate security departments are struggling to find and recruit qualified staffers, and “significant understaffing” has undermined their ability to deal with new threats. Furthermore, a sizeable minority (42%) of the groups that have been unable to fill their open positions are experiencing an increased number of attacks. By integrating and automating portions of their workflows, security teams can buttress their defenses and compensate for the skills shortage.
Best-of-breed security point solutions can be effectively merged into an integrated security architecture using vendor-provided off-the-shelf integrations based on open APIs. These allow your security systems to communicate and coordinate their actions without major configuration or customization issues. For example, Mimecast supports over 100 open APIs and offers off-the-shelf integrations with over 60 leading security vendors. So, if the email security gateway spots a threat, it can automatically trigger the SIEM to analyze it, the SOAR to remediate it, and firewalls and endpoints to block it going forward. Any manual intervention is held to a minimum.
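As an added illustration of the workflow described in the two gateway scenarios above (an event at the email gateway triggering a playbook that sequesters the file, sweeps the network via the SIEM, purges the file from every affected host, and pushes a block to firewalls and endpoints), here is a small Python playbook. It is example code written for this article, not Mimecast's or any vendor's integration; the alert schema, SIEM event records, sample hash and connector names are constructed assumptions, and the connectors only record the API calls a real integration would make.

```python
"""Added example: a SOAR-style playbook triggered by an email-gateway alert.

The connector names, alert and event formats are assumptions made for
illustration; they do not correspond to any vendor's real API."""
from dataclasses import dataclass, field

# Constructed sample hash, not a real malware indicator.
MALICIOUS_SHA256 = "0b" * 32

# Constructed gateway alert (hypothetical schema).
GATEWAY_ALERT = {
    "source": "email_gateway",
    "message_id": "msg-4471",
    "verdict": "malicious",
    "sha256": MALICIOUS_SHA256,
    "filename": "invoice.xlsm",
}

# Constructed SIEM events: two hosts wrote the same file (one host twice),
# a third host wrote an unrelated file and must be left alone.
SIEM_EVENTS = [
    {"host": "ws-101", "event": "file_write", "sha256": MALICIOUS_SHA256},
    {"host": "ws-101", "event": "process_start", "sha256": MALICIOUS_SHA256},
    {"host": "ws-207", "event": "file_write", "sha256": MALICIOUS_SHA256},
    {"host": "ws-305", "event": "file_write", "sha256": "ff" * 32},
]


@dataclass
class Incident:
    alert_id: str
    sha256: str
    affected_hosts: list
    actions: list = field(default_factory=list)


class Connectors:
    """Stand-in for open-API integrations; records every call it would make."""

    def __init__(self):
        self.calls = []

    def _record(self, target, action, **params):
        entry = {"target": target, "action": action, **params}
        self.calls.append(entry)
        return entry

    def gateway_quarantine(self, message_id):
        return self._record("email_gateway", "quarantine_message", message_id=message_id)

    def siem_search(self, events, sha256):
        # Sweep the event store for every distinct host that touched the hash.
        return sorted({e["host"] for e in events if e.get("sha256") == sha256})

    def endpoint_delete(self, host, sha256):
        return self._record("edr", "delete_file", host=host, sha256=sha256)

    def block_indicator(self, sha256):
        # One indicator push feeds both firewall and endpoint blocklists.
        return self._record("blocklist", "add_hash", sha256=sha256)


def run_playbook(alert, events, connectors=None):
    """Turn one gateway verdict into one incident with coordinated actions.

    Returns None when the alert is not actionable, so benign verdicts never
    generate tickets or remediation calls."""
    if alert.get("verdict") != "malicious" or not alert.get("sha256"):
        return None
    c = connectors or Connectors()
    sha = alert["sha256"]
    incident = Incident(alert_id=alert["message_id"], sha256=sha, affected_hosts=[])

    # 1. Sequester the suspicious message at the gateway.
    incident.actions.append(c.gateway_quarantine(alert["message_id"]))
    # 2. Ask the SIEM which hosts already have the file (deduplicated by host).
    incident.affected_hosts = c.siem_search(events, sha)
    # 3. Purge it from every affected host in the same run.
    for host in incident.affected_hosts:
        incident.actions.append(c.endpoint_delete(host, sha))
    # 4. Block the hash once, everywhere, so a re-send is dropped on arrival.
    incident.actions.append(c.block_indicator(sha))
    return incident


if __name__ == "__main__":
    inc = run_playbook(GATEWAY_ALERT, SIEM_EVENTS)
    print(f"incident {inc.alert_id}: hosts={inc.affected_hosts}, actions={len(inc.actions)}")
```

The point of the structure is that several raw events (two hosts, three endpoint records, one gateway hit) collapse into a single incident with one quarantine, one delete per affected host and one blocklist push, which is the "hundreds of alerts avoided" effect the article describes. Swapping the `Connectors` methods for real API clients is the only change a production version would need.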
The Bottom Line
Using off-the-shelf integrations based on open APIs to merge best-of-breed security programs into a highly integrated cybersecurity platform provides for better security orchestration — which improves threat detection and response times. Greater integration also paves the way for more extensive automation of security processes — which also improves response times and can help ease the burden on security teams struggling to find and recruit qualified personnel.