Introducing Security Orchestration and Automation

One of the main tasks in TSE’s research regarding the IT security market is to identify new trends and developments in product focus. One of the trends that has arisen over the last 2-3 years covers products that allow for automation of security event responses as well as orchestration of information services to augment such incidents. In the following, we provide a short introduction to such products and conclude with an outlook on future applications and challenges.

With the drastic diversification of IT security products and targeted use cases, the number of resulting events that have to be handled has steadily increased. Therefore, there is a need for consolidated management and streamlined resolution in order to relieve highly qualified members of specialized teams. SEOA products aim to do this by providing a consistent event processing engine; an integration framework for operating a set of disparate security products already deployed in the customer’s network; automation features for processing frequently occurring or repetitive tasks; and case management functionality that especially covers post-automation work.

Capabilities

The core capability of SEOA products is the integration with third-party security products, either to conduct actions on their side or to collect information from them. This means that an integral part of SEOA platforms is the internal framework used to connect to third-party services. Besides the varying depth and breadth of integration with external systems, the distribution approaches for connectors differ as well. Some products use the modern concept of an App Store (comparable with those used for mobile devices), while other methods range from automated installation through package managers to manually copying source files to the correct path. All these concepts probably have some justification, even though there are clear favorites regarding usability. Since the integration framework is often based on a specific SDK (Software Development Kit), this SDK is usually provided to the user as well. That way, customers are able to develop connectors to currently unsupported or proprietary platforms themselves. These individually designed connectors are sometimes adopted by the vendor and added to their repository or a dedicated sharing platform. Other vendors actively refuse to use customer-provided integrations in order to preserve quality.

Besides integration capabilities, security automation platforms offer functionality to enrich event data from third-party sources, to apply custom workflows to them, or to manage events and incidents in a case management system. We also see platforms that manage, aggregate and harmonize threat intelligence to a certain extent (so-called Threat Intelligence Platforms, TIP), but they are strikingly different from the SEOA capabilities defined above. In conjunction, these approaches can be a valuable addition to an already-in-place security architecture.

Technical Stack

For security and integrity reasons, most orchestration platforms are installed on premises. Therefore, a straightforward integration with other (also on-premises) components can be achieved. Usually the installation is conducted using a virtual appliance or a software package. Some vendors also offer SaaS models for their platforms, even though these might pose challenges in this market segment. To operate successfully, SaaS-based deployments of SEOA products might require a gateway to internal services. However, this mode could violate a potential customer’s compliance regulations regarding data location and network exposure.

Scripting and automation frameworks offered in the platforms are often built on a widely used programming language. Most of the time, Python or JavaScript interpreters are available on these platforms. Both also offer options to encapsulate the execution of code in isolated virtual environments, a feature that SEOA vendors profit from security-wise.

Conclusion

Even though the SEOA market segment is still pretty young in comparison (some vendors were founded in 2015 or later), the technology behind most platforms seems surprisingly mature, especially concerning enterprise-readiness capabilities, which are sharply distinct from one platform to another. The reason for that lies in the core functionality of SEOA products: integration with different external products is not only desirable but an integral product component.

Secondly, the products in this market segment have a wide focus regarding additional capabilities. Some products focus on providing elaborate case management functions, while others focus on covering automation and enrichment capabilities. In addition to these focus groups, there are endpoint security products that incorporate automation features, as well as products that allow for straightforward management, collection and propagation of threat intelligence data obtained either from external threat feeds or from local components.

Just taking into account the fact that automation features are a future core component of modern IT security products, the emergence of SEOA products provides valuable additions to security infrastructures. There are also suitable use cases that those platforms can target successfully, but with some constraints. In general, it is essential to consider that the use cases SEOA platforms address often only apply to large-scale enterprises that would also have a dedicated security operations team. Secondly, the implementation of such products initially benefits from already formed and streamlined processes in place for handling security incidents. In early adoption phases, automation of complete workflows (especially when concerning critical infrastructure such as firewalls or user management systems) might not be an option, in which case the description of processes in the form of runbooks might be helpful instead. Many products offer such functionality in conjunction with automated triggers. That way, already-in-use processes can be hardened and developed further by enforcing their execution. In contrast to holistic automation of security operation processes, the automated enrichment of cases and security incidents should be the first step taken by customers who want to dive into the automated processing of security workflows. Applying these features is a sound approach: it helps analysts to get a more in-depth understanding of security issues and to become accustomed to partially or entirely automated incident resolution.
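The staged adoption described above (enrichment first, then runbooks whose critical steps stay under analyst control) and the capability split from the "Capabilities" section (connector framework, enrichment, workflows, case management) can be made concrete in a small engine. The following is an added example written for this article, not code from any SEOA product or from DCSO: a connector registry, an enrichment pass that tolerates connector failures, and a runbook whose infrastructure-changing step (a firewall block) is recorded as pending approval unless the operator has explicitly enabled auto-approval. The IP reputation table, the asset inventory, the event, and the connector and step names are all constructed for illustration.

```python
"""Toy SEOA engine: connectors, enrichment, runbook with an approval gate (added example)."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-ins for what real connectors would fetch from third-party services.
IP_REPUTATION = {"203.0.113.7": "malicious", "198.51.100.4": "unknown"}
ASSET_INVENTORY = {"10.0.0.12": {"owner": "finance", "criticality": "high"}}


@dataclass
class Case:
    """Minimal case record: the triggering event, enrichment results and an audit timeline."""
    event: dict
    enrichment: dict = field(default_factory=dict)
    timeline: list = field(default_factory=list)
    pending_approvals: list = field(default_factory=list)

    def log(self, message: str) -> None:
        self.timeline.append(message)


# Connector registry: connector name -> callable(case) -> dict of enrichment fields.
CONNECTORS: dict[str, Callable[[Case], dict]] = {}


def connector(name: str):
    """Decorator registering a connector under a name, as an SDK would."""
    def register(fn):
        CONNECTORS[name] = fn
        return fn
    return register


@connector("ip_reputation")
def ip_reputation(case: Case) -> dict:
    return {"src_reputation": IP_REPUTATION.get(case.event["src_ip"], "unknown")}


@connector("asset_inventory")
def asset_inventory(case: Case) -> dict:
    default = {"owner": "unknown", "criticality": "low"}
    return {"asset": ASSET_INVENTORY.get(case.event["dst_ip"], default)}


def enrich(case: Case, connector_names: list) -> Case:
    """Run each named connector; a failing connector is logged, never fatal for the case."""
    for name in connector_names:
        try:
            result = CONNECTORS[name](case)
        except Exception as exc:
            case.log(f"enrichment {name} failed: {exc}")
            continue
        case.enrichment.update(result)
        case.log(f"enrichment {name}: {result}")
    return case


@dataclass
class Step:
    """One runbook step; critical steps change infrastructure and need approval."""
    description: str
    condition: Callable[[Case], bool]
    action: Callable[[Case], str]
    critical: bool = False


def notify_owner(case: Case) -> str:
    return f"notified {case.enrichment['asset']['owner']} team"


def firewall_block(case: Case) -> str:
    # A real engine would call the firewall connector here.
    return f"blocked {case.event['src_ip']} at perimeter"


RUNBOOK = [
    Step("notify asset owner", lambda c: True, notify_owner),
    Step("block source IP",
         lambda c: c.enrichment.get("src_reputation") == "malicious",
         firewall_block, critical=True),
]


def run_runbook(case: Case, steps: list, auto_approve: bool = False) -> Case:
    """Execute steps whose condition holds; park critical ones for an analyst unless auto_approve."""
    for step in steps:
        if not step.condition(case):
            case.log(f"skipped: {step.description}")
            continue
        if step.critical and not auto_approve:
            case.pending_approvals.append(step.description)
            case.log(f"awaiting approval: {step.description}")
            continue
        case.log(f"executed: {step.description} -> {step.action(case)}")
    return case


def handle_event(event: dict, auto_approve: bool = False) -> Case:
    """Full pipeline for one event: open a case, enrich it, then run the runbook."""
    case = Case(event=event)
    enrich(case, ["ip_reputation", "asset_inventory"])
    return run_runbook(case, RUNBOOK, auto_approve=auto_approve)


if __name__ == "__main__":
    sample = {"type": "ids_alert", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.12"}
    for line in handle_event(sample).timeline:
        print(line)
```

With `auto_approve=False` (the early-adoption mode the article recommends) the engine still performs the enrichment and the low-risk notification, but only documents the firewall block as a pending step for an analyst; flipping the flag turns the same runbook into a fully automated workflow without rewriting it.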

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented by the experience of all community members.