Security orchestration, according to the Infosec Institute, “is the act of integrating disparate technologies and connecting security tools, both security-specific and non-security specific, in order to make them capable of working together and improving incident response.”
Security orchestration is a movement in cloud computing where cloud security assets have become sufficiently diversified that an additional layer of management is needed to coordinate their total impact efficiently. In other words, security orchestration is a response by companies that have migrated to the cloud and favor a multicloud services model.
Digital transformation benefits have given many organizations reason to reposition their IT assets in the cloud. In so doing, they have also shifted how they must interact with IT service models sourced from the cloud. In many cases, this means that a company could be using dozens of services acting on its cloud IT, each unaware of the others. Simplistically, it is like installing two security tools on one computer, only to see them detect each other as threats and then take actions contrary to the overall intent, like flagging the other to be quarantined.
While security tools in the cloud may or may not act aggressively towards other tools, there is a good chance that without orchestration they are not fully aligned. In order to deploy the best security tools from multiple vendors to protect your cloud, the solution is to add a layer of security orchestration that can integrate, coordinate, and streamline them into centralized security management. This achieves cooperation between security services, streamlined workflows, and easier data exportation.
Automation is the technology that has most enabled the modern cloud computing environment. While cloud teams have for some time been able to manually deploy clouds and provision them with IT resources, the resiliency, responsiveness, and agility that the modern cloud is known for are provided by automation and the software built on top of it (cloud orchestration, security orchestration, hypervisors, etc.). Automation, by definition, is the performance of a task by a machine and, importantly, its corollary, the removal of the human element from the task. In a single move, engineers have been able both to eliminate human error within the task (human error can still precede an automated task, corrupting the automation itself) and to increase the speed and accuracy of the task completed.
A task, compared to orchestration, is narrowly defined, usually to just a single automated objective. This means an automated task, limited to just one thing to do, may simply execute a scheduled backup, deploy a patch, or change a device’s configuration settings.
Cloud orchestration encompasses a more complex goal, to spin up VMs and environments, provision resources, create containers, and transfer data from one place to another in response to some outside demand. This entails several complicated steps that automation doesn’t handle in a straightforward fashion.
Instead, orchestration does this by piecing together workflows made up of automated tasks. In essence, “orchestration” is much more complex than automation because it is an automation made up of automations.
To adapt to the new security demands in the cloud, cybersecurity teams are turning to Security Orchestration, Automation and Response (SOAR) platforms to help them with their growing security operations responsibilities and complexities. The main driver is the need to improve incident response times. Incident response is measured by many metrics, like MTTR or mean time to repair, and covers a wide range of incidents, from minor ones that are easily automated away, like correcting device configurations, to critical ones that require more sophisticated tools and active admin involvement.
SOAR solutions are designed to coordinate people, process, and technology, which streamlines security operations, automates incident response, and improves security operations center (SOC) effectiveness.
SOAR platforms consist of three general security components:
● Automation — Automated tasks can lighten security team burdens by handling vulnerability scanning/testing, log analysis, ticket checks and audits. These automations are then collected in runbooks that outline all those processes and procedures, which are then consulted as reference, and used to maintain consistency and ensure reliability.
● Orchestration — Orchestration uses automations to connect and integrate internal and external systems and “orchestrate” larger goals, such as rapid provisioning of on-demand resources. Orchestration encompasses many different devices like endpoint protection devices, vulnerability scanners, IDS/IPS, firewalls, analytics, and security information and event management (SIEM) products.
● Response — The response component is a unified system creating a single view that allows admins to monitor, manage, and plan responses to incidents as they occur in real time. It also includes formal reporting and other post-incident response activities.
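To make the three components concrete, here is a small SOAR-style playbook runner added as an illustration (it is not code from any product or from the original article): single-purpose automations are chained by an orchestration layer into a runbook, and the response layer records every step in one case. The threat-intel lookup, asset inventory and ticket/isolation integrations are constructed stand-ins.

```python
"""Minimal SOAR-style playbook runner (constructed example, not a real product's API)."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data standing in for integrations the playbook would call.
SAMPLE_THREAT_INTEL = {"203.0.113.7": "known-scanner"}   # TEST-NET-3 address, constructed
SAMPLE_ASSET_INVENTORY = {"web-01": {"owner": "platform", "tier": "prod"}}

@dataclass
class Case:
    """Response layer: one record of everything the runbook did for an alert."""
    alert: dict
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    severity: str = "low"

# --- Automation layer: each task does exactly one thing ---------------------
def enrich_source_ip(case: Case) -> Case:
    case.enrichment["ip_reputation"] = SAMPLE_THREAT_INTEL.get(case.alert["src_ip"], "unknown")
    return case

def enrich_asset(case: Case) -> Case:
    case.enrichment["asset"] = SAMPLE_ASSET_INVENTORY.get(case.alert["host"], {})
    return case

def triage(case: Case) -> Case:
    bad_ip = case.enrichment.get("ip_reputation") != "unknown"
    prod = case.enrichment.get("asset", {}).get("tier") == "prod"
    case.severity = "high" if bad_ip and prod else "medium" if bad_ip or prod else "low"
    return case

def open_ticket(case: Case) -> Case:
    # Stand-in for a ticketing integration; a real one would call the ticketing API.
    case.actions.append(f"ticket opened (severity={case.severity})")
    return case

def isolate_host_if_high(case: Case) -> Case:
    # Containment is only requested for high-severity cases; the request is recorded, not executed.
    if case.severity == "high":
        case.actions.append(f"isolation requested for {case.alert['host']}")
    return case

# --- Orchestration layer: a runbook is an ordered list of automations -------
RUNBOOK: list[Callable[[Case], Case]] = [enrich_source_ip, enrich_asset, triage, open_ticket, isolate_host_if_high]

def run_playbook(alert: dict, runbook=RUNBOOK) -> Case:
    case = Case(alert=alert)
    for task in runbook:          # "an automation made up of automations"
        case = task(case)
    return case

if __name__ == "__main__":
    print(run_playbook({"host": "web-01", "src_ip": "203.0.113.7", "rule": "ssh-bruteforce"}))
```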
SOAR vs. SIEM
A Security Information and Event Management (SIEM) platform provides live analysis of security data in a centralized platform that both IT and security teams can access. SIEMs stop at understanding security information, identifying vulnerabilities, helping with provisioning and governance, and reporting anomalies. A Security Orchestration, Automation and Response (SOAR) solution, by contrast, encompasses the functionality of a SIEM and more. SOAR platforms have the same capabilities as SIEMs, with additional features found in incident response software, automated tools that fix security breaches, and vulnerability management software, like patch management tools.
Like many orchestration tools, cloud security orchestration aims to increase visibility and control of disparate cloud security services from centralized software by “orchestrating” complex automations. Orchestrating security this way has several main benefits:
● Streamlines Security Operations — Disparate cloud services require secure communications to exchange data; usually this is performed through APIs. These APIs can use TLS encryption, for REST APIs, or WS-Security, for SOAP APIs, to protect calls and data transfers between services. Because the volume and velocity of events and threats in the cloud are increasing, SOAR automated security tools allow companies to absorb these signals without becoming inundated in the noise.
● Increase SOC Efficiency and Effectiveness — SOARs provide security operations centers (SOCs) a platform for streamlining the deluge of data running between cloud services. Moreover, SOARs can integrate with security information and event management (SIEM) tools or unified endpoint management (UEM) to become the main source of truth for SOC analysts.
● Proactively Monitor and Manage Incident Response — SOARs support case management workflows that give security teams the power to create, escalate and manage incidents from a single dashboard. This becomes especially important and convenient as incidents roll in. SOARs standardize and store incident data from all their integrations across hybrid and multicloud environments in common formats that reduce duplication and provide a convenient starting point for incident investigations.
● Performance Analytics and Incident Reports — A significant feature of SOARs is to consolidate information from integrated services and then produce formal performance analytics and incident reports, granting SOCs the history and satellite views of their operations that they need to make security decisions.
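The “common format” and duplicate reduction described above, as an added example that is not part of the original article: two integrations (a SIEM-style and an EDR-style feed, both with constructed, invented field layouts) report the same activity in different shapes; a normalizer maps them onto one schema, and a de-duplication pass collapses records describing the same host, indicator and rule within a short window so the analyst starts from one alert instead of three.

```python
"""Normalize alerts from differently shaped integrations into one common record and drop
duplicates (constructed example; the vendor field names are invented, not real schemas)."""
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class NormalizedAlert:
    """Common format stored by the orchestration platform."""
    source: str
    observed_at: datetime
    host: str
    indicator: str
    rule: str

# Constructed sample events: a SIEM record, an EDR record one second later for the same
# activity, and an exact replay of the SIEM record (e.g. a re-delivered webhook).
RAW_EVENTS = [
    {"integration": "siem", "ts": "2024-05-01T10:15:03Z", "hostname": "web-01",
     "src": "203.0.113.7", "signature": "ssh brute force"},
    {"integration": "edr", "event_time": 1714558504, "device": "WEB-01",
     "remote_ip": "203.0.113.7", "detection": "SSH Brute Force"},
    {"integration": "siem", "ts": "2024-05-01T10:15:03Z", "hostname": "web-01",
     "src": "203.0.113.7", "signature": "ssh brute force"},
]

def normalize(event: dict) -> NormalizedAlert:
    """Map each integration's field names and time format onto the common schema."""
    if event["integration"] == "siem":
        ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return NormalizedAlert("siem", ts, event["hostname"].lower(), event["src"],
                               event["signature"].lower())
    if event["integration"] == "edr":
        ts = datetime.fromtimestamp(event["event_time"], tz=timezone.utc)
        return NormalizedAlert("edr", ts, event["device"].lower(), event["remote_ip"],
                               event["detection"].lower())
    raise ValueError(f"unknown integration {event['integration']!r}")

def dedupe(alerts, window_seconds: int = 60) -> list:
    """Keep the earliest alert per (host, indicator, rule) within the window, whichever
    integration reported it; later matches are treated as duplicates."""
    kept = []
    for a in sorted(alerts, key=lambda x: x.observed_at):
        key = (a.host, a.indicator, a.rule)
        if not any((k.host, k.indicator, k.rule) == key
                   and (a.observed_at - k.observed_at).total_seconds() <= window_seconds
                   for k in kept):
            kept.append(a)
    return kept

def build_starting_point(raw_events=RAW_EVENTS) -> list:
    """The de-duplicated, normalized list an investigation would start from."""
    return dedupe(normalize(e) for e in raw_events)
```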
Cloud security orchestration software has the tools that allow organizations to visualize their networks, understand their behaviors, and set up policies that can be automatically enforced to ensure that the network remains resilient. Further, by integrating other devices, like endpoint detection and response (EDR) tools, endpoint protection platforms (EPP), and intrusion detection and prevention systems (IDPS), with a SOAR platform, organizations can actualize the cloud security best practices that help keep their cloud protected. SOARs are highly capable, so the top best practices stress planning and forethought in preparation for when security runs into trouble, not if.
● Understand the Cloud Shared Responsibility Model and the Roles Involved — Unlike on-premises security, cloud security is a shared responsibility between the cloud provider and the cloud consumer. It’s more like a partnership. This is a new operating concept for those who adhere to old legacy security models. The shared responsibility model outlines a framework based on the cloud service (IaaS, PaaS, and SaaS) that designates which entities are responsible for what data and systems in the cloud.
● Build a Cloud First Security Culture — Operating in the cloud requires a paradigm shift from traditional ways of thinking about security to thinking about security with a cloud first approach. This means, for many organizations, that staff will need to be retrained in this new approach. Executives will also need to foster a culture that adopts best practices like strong passwords and develops new understandings, such as detecting security threats born out of the cloud, like social engineering that attempts to elicit passwords.
● Consider Specialized Software to Enhance Your Cloud Security Strategy — SOAR software is a significant advantage in cloud security; however, by integrating specialized cloud security software, SOAR can potentially perform even better. For instance, API security tools provide enhanced functionality for monitoring API traffic that can be highly valuable—one use case is API discovery and inventory, which, in complex systems, can uncover “shadow APIs”.
In the cloud, providers and consumers act more like partners than vendors and buyers, and in this way they share responsibility for security. Because it is fair that a CSP should give its best effort to secure its clients’ data, it is responsible for data inside its domain and potentially for how that data is encrypted when leaving its domain. But that effort does have a limit, which typically begins where the client’s systems start. This is the premise of shared responsibility.
Shared responsibility encompasses both management and security. For each cloud service, a certain level of responsibility falls on the vendor, and a certain amount falls on the consumer. The Center for Internet Security models such a shared responsibility agreement.
(Source: Center for Internet Security, Shared Responsibility for Cloud Security: What You Need to Know)
Cloud security orchestration is paramount for organizations using multiple cloud services, either in hybrid or multicloud configurations. Cloud security orchestration platforms matter because they:
● Centralize Security Orchestration — Cloud security orchestration centralizes protection, automations, views and controls, empowering NOCs to make actionable decisions instead of getting lost in the weeds attempting to understand security incidents as they unfold.
● Reduce Costs — An automated centralized platform creates efficiencies that reclaim time lost to manual tasks, while analytics help security teams reach root causes more quickly. These efficiencies allow teams to reorganize their priorities, delegating time-consuming tasks to automation, ultimately reducing costs and utilizing resources more effectively.
● Reduce Administration — Orchestration platforms reduce administration overhead the same way they reduce costs, by providing features that easily replace costly workflows, so staff can be utilized more effectively.
● The Flexibility, Reliability, and Security of the Cloud — Cloud security platforms benefit from the same advantages that cloud services offer: virtually unlimited resources, guaranteed uptimes, security, maintenance, and cost management.