Empowering Security Teams With Threat Intelligence, Automation, and Orchestration

January 10, 2019 • The Recorded Future Team

Key Takeaways

  • Security orchestration is the process of automating workflows across an infrastructure of connected applications.
  • When combined with threat intelligence, orchestration can dramatically reduce the human effort required to complete normal security processes such as responding to reported phishing emails, identifying and prioritizing vulnerabilities, and resolving security incidents.
  • Orchestrated incident response leads to faster and more consistent handling of security incidents, reduced reliance on individuals, and a variety of other benefits.
  • The orchestration journey is a long road, but there are significant process and outcome improvements at each stage.
  • Threat intelligence plays a vital role in security orchestration, as it enables automated systems and processes to make decisions (for example, classifying and prioritizing incidents) based on the latest threat insights and data.

Security teams are facing a huge challenge. The volume and complexity of cyberattacks grows every year, and security professionals from all disciplines are being pushed to the limit of their time, skills, and resources.

In recent years, automation and orchestration have become popular with security teams, because (when done properly) they reduce the burden placed on human analysts. So how can organizations begin to improve incident response times and drastically reduce the human effort required to complete security processes?

In this blog, we explain how threat intelligence, automation, and orchestration fit into the security function and what benefits they can provide.

What Is Security Automation and Orchestration?

To kick things off, here are some key definitions:

Automation is the use of technological controls or systems to complete processes that would normally be handled by personnel. While automation was originally limited to simple, repetitive tasks, recent technological advances have made it possible to automate more complex security processes.

Workflows are the step-by-step processes through which a task or series of tasks is completed. In the security world, these are often referred to as “playbooks.”

Finally, orchestration is the process of automating workflows across an infrastructure of connected applications. For example, orchestration in vulnerability management might require API integration of a vulnerability scanner, a threat intelligence solution, and a ticketing system.
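The vulnerability management integration just described, as an added example (not Recorded Future's code, and no vendor API is used): scanner findings, a threat intelligence feed and an asset inventory are joined in one playbook that produces prioritized tickets. All three inputs are constructed inline with hypothetical hosts and placeholder CVE-0000-* identifiers, and the scoring weights are assumptions; in a real deployment each input is an API call and the returned ticket dicts would be pushed to the ticketing system.

```python
"""Orchestrated vulnerability prioritization: scanner findings + threat
intelligence + asset context, turned into prioritized tickets.

Added example, not Recorded Future's code. Inputs are constructed inline;
in practice they come from the scanner, intelligence and CMDB APIs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float


# Constructed scanner output (hypothetical hosts, placeholder CVE ids).
SCAN_FINDINGS = [
    Finding("web-01", "CVE-0000-1111", 9.8),
    Finding("web-01", "CVE-0000-2222", 5.3),
    Finding("db-07", "CVE-0000-3333", 7.5),
    Finding("hr-laptop-12", "CVE-0000-1111", 9.8),
    Finding("db-07", "CVE-0000-4444", 4.3),
]

# Constructed threat intelligence: observed exploitation and exploit availability.
THREAT_INTEL = {
    "CVE-0000-1111": {"exploited_in_wild": False, "public_exploit": True},
    "CVE-0000-2222": {"exploited_in_wild": True, "public_exploit": True},
    "CVE-0000-3333": {"exploited_in_wild": True, "public_exploit": False},
    # CVE-0000-4444 deliberately absent: "no intel" means unknown, not safe.
}

# Constructed asset inventory (CMDB): exposure and business criticality.
ASSETS = {
    "web-01": {"internet_facing": True, "criticality": "high"},
    "db-07": {"internet_facing": False, "criticality": "high"},
    "hr-laptop-12": {"internet_facing": False, "criticality": "low"},
}
# A host the CMDB does not know is treated as the worst case, not ignored.
UNKNOWN_ASSET = {"internet_facing": True, "criticality": "high"}


def risk_score(f, intel, assets):
    """CVSS base score adjusted by intel and exposure. Weights are assumptions."""
    ti = intel.get(f.cve, {})
    asset = assets.get(f.host, UNKNOWN_ASSET)
    s = f.cvss
    if ti.get("exploited_in_wild"):
        s += 4.0          # active exploitation outweighs any public PoC
    elif ti.get("public_exploit"):
        s += 2.0
    if asset["internet_facing"]:
        s += 2.0
    if asset["criticality"] == "high":
        s += 1.0
    return s


def priority(score, exploited_in_wild):
    if score >= 14:
        p = "P1"
    elif score >= 10:
        p = "P2"
    elif score >= 7:
        p = "P3"
    else:
        p = "P4"
    if exploited_in_wild and p > "P2":   # string order: "P3" > "P2"
        p = "P2"                          # floor: never below P2 if exploited
    return p


def build_tickets(findings, intel, assets):
    """One ticket per finding, highest risk first, with a human-readable rationale."""
    tickets = []
    for f in findings:
        ti = intel.get(f.cve)
        s = risk_score(f, intel, assets)
        why = [f"CVSS {f.cvss}"]
        if ti is None:
            why.append("no intel available")
        elif ti["exploited_in_wild"]:
            why.append("exploited in the wild")
        elif ti["public_exploit"]:
            why.append("public exploit")
        if assets.get(f.host, UNKNOWN_ASSET)["internet_facing"]:
            why.append("internet-facing")
        tickets.append({"host": f.host, "cve": f.cve, "score": round(s, 1),
                        "priority": priority(s, bool(ti and ti["exploited_in_wild"])),
                        "rationale": "; ".join(why)})
    tickets.sort(key=lambda t: -t["score"])
    return tickets


if __name__ == "__main__":
    for t in build_tickets(SCAN_FINDINGS, THREAT_INTEL, ASSETS):
        print(f"{t['priority']} {t['score']:>5} {t['host']:<13} {t['cve']}  {t['rationale']}")
```

The point of the join is visible in the output: the same CVE-0000-1111 finding is P1 on the internet-facing web server and only P2 on a laptop, and a CVSS 5.3 issue that is being exploited in the wild outranks a CVSS 9.8 issue that is not, which is the ordering a scanner alone cannot produce.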

When security orchestration is pulled off successfully, it provides a whole host of benefits, including:

  • Freeing human analysts from time-consuming and repetitive tasks
  • Greater consistency in security processes, such as event escalation
  • Quicker results — automated processes are faster than manual processes
  • Reduced staffing pressure, freeing personnel to focus on higher-value tasks

Security Orchestration for Incident Response

Responding to security incidents can be an extremely manual and time-consuming process. In addition to the work required to investigate and remediate an incident, incident response analysts are forced to spend a huge amount of time switching between screens and technologies to access the information and functionality they need to do their jobs.

Naturally, then, security orchestration and automation has potentially huge benefits for incident response teams:

  • Faster Response Times: Orchestrated incident response requires consistent, honed processes, integration across security technologies, and judicious use of automation. This combination enables security analysts to process incidents in an extremely efficient and consistent manner without needing to repeatedly switch back and forth between technologies.
  • Simpler Workflows: Even the best incident response processes often require complex, multi-step workflows. By automating time-consuming and repetitive tasks, incident response teams can focus their energy on higher-value tasks.
  • Better Cross-Departmental Working: Responding to security incidents often requires input from other departments, like the IT helpdesk, HR, legal, and even marketing or PR. In many cases, automated workflows can drastically improve the process of assigning, tracking, and completing tasks across an organization.
  • Reduced Reliance on Individuals: Even established security teams can expect to see a natural variation in skill levels across different activities. Unfortunately, if you aren’t careful, this can lead to an overreliance on individuals to complete certain incident response tasks. Security orchestration helps mitigate this issue by forcing incident response teams to develop and document strong, consistent processes that help junior personnel develop their skill sets.
  • Enhanced Ability to Identify and Prioritize Serious Threats: When threat intelligence is built into security orchestration, the result is sometimes called “intelligent orchestration.” The inclusion of threat intelligence as part of an API-integrated security function facilitates the automatic identification and prioritization of serious threats, which is crucial in a time-sensitive environment such as incident response.

To understand how an orchestrated incident response function works in practice, consider a simple use case: Your endpoint detection and response (EDR) solution identifies a suspicious process as it attempts to connect to an external server. If such an incident were investigated manually, an analyst would (at the very least) need to:

  • Log a new incident
  • Write and run a SIEM query, pulling all relevant events into a CSV file
  • Identify a hash (MD5 or, preferably, SHA-256) of the process image and compare it against threat intelligence feeds
  • If the process is confirmed as malicious, create a backup of the affected assets, isolate them from the network, and run an AV scan
  • Update the incident record, attaching all relevant log files

Conservatively, this process could take an analyst 30 minutes to complete, and would need to be done every time a suspicious process is flagged. The orchestrated version of this process — which incorporates threat intelligence and automation — looks similar, but requires almost no input from a human analyst:

  • EDR identifies a suspicious process and an incident is automatically generated
  • The process hash is compared to threat feeds and the incident is prioritized accordingly (a match on a known-bad hash raises it to a serious threat)
  • The SIEM is queried for activity on the affected host around the time of the alert, and relevant records are added to the incident
  • IOCs extracted from those records (destination IPs, domains, file hashes) are compared with threat feeds and confirmed as malicious
  • Based on threat intelligence, the incident is categorized as a malware attack
  • The remediation process begins (creating backups, isolating endpoints, running AV scans)
  • An audit trail is kept automatically

With a process like the one above, analysts are no longer spending their time on slow, repetitive steps, so if an incident needs additional queries or further action, they have the capacity to do it.
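The orchestrated workflow above, written out as a small playbook. This is an added example, not Recorded Future's code or any vendor's API: the EDR alert, the threat intelligence feed, the SIEM records and the list of protected assets are all constructed inline (RFC 5737 test addresses, a `.example` domain, a fake hash), and the isolation step is recorded rather than executed. It also shows the guardrail a practitioner wants before trusting automation with a destructive action: an unconfirmed alert is routed to an analyst, and a crown-jewel asset is never isolated without approval.

```python
"""Orchestrated handling of an EDR "suspicious process" alert as a playbook.

Added example, not Recorded Future's code. Every external system (EDR,
threat intelligence, SIEM, endpoint isolation) is stood in for by constructed
inline data or an in-memory function so the playbook runs offline; a real
playbook performs the same steps as API calls.
"""
from datetime import datetime, timedelta

FAKE_HASH = "deadbeef" * 8  # constructed SHA-256, not a real sample

# Constructed threat intelligence feed.
INTEL = {
    "hashes": {FAKE_HASH: "Family-A loader"},
    "ips": {"203.0.113.45": "Family-A C2"},
    "domains": {"update-check.example": "Family-A C2"},
}

# Assets automation may never isolate on its own; a human must approve.
CROWN_JEWELS = {"dc-01", "pay-db-02"}

T0 = datetime(2019, 1, 10, 9, 0, 0)
# Constructed EDR alert.
ALERT = {"alert_id": "EDR-1001", "host": "ws-042", "process": "svchost.exe",
         "sha256": FAKE_HASH, "ts": T0}
# Constructed SIEM records.
SIEM_EVENTS = [
    {"ts": T0 - timedelta(hours=2), "host": "ws-042", "dest_domain": "intranet.example"},
    {"ts": T0 - timedelta(minutes=1), "host": "ws-042", "dest_domain": "update-check.example"},
    {"ts": T0, "host": "ws-042", "dest_ip": "203.0.113.45"},
    {"ts": T0, "host": "ws-077", "dest_ip": "203.0.113.45"},  # other host; a follow-on pivot
]


def query_siem(events, host, at, window=timedelta(minutes=30)):
    """Stand-in for a SIEM search: one host's events within +/- window of the alert."""
    return [e for e in events if e["host"] == host and abs(e["ts"] - at) <= window]


def run_playbook(alert, intel, siem_events, crown_jewels):
    inc = {"id": f"INC-{alert['alert_id']}", "host": alert["host"], "priority": "medium",
           "category": "unclassified", "evidence": [], "iocs": {}, "actions": [], "audit": []}

    def log(step, msg):          # every step leaves an audit record
        inc["audit"].append((step, msg))

    log("create", f"opened from EDR alert {alert['alert_id']} on {alert['host']}")

    # Step 1: hash lookup against intel drives the initial priority.
    family = intel["hashes"].get(alert["sha256"])
    if family:
        inc["priority"] = "high"
        log("triage", f"process hash matches intel: {family}")
    else:
        log("triage", "hash not in intel; priority left at medium")

    # Step 2: attach surrounding SIEM records to the incident.
    inc["evidence"] = query_siem(siem_events, alert["host"], alert["ts"])
    log("siem", f"{len(inc['evidence'])} records attached")

    # Step 3: extract network IOCs from the evidence and confirm them against intel.
    for e in inc["evidence"]:
        for key, table in (("dest_ip", intel["ips"]), ("dest_domain", intel["domains"])):
            ioc = e.get(key)
            if ioc in table:
                inc["iocs"][ioc] = table[ioc]
    log("ioc", f"{len(inc['iocs'])} IOCs confirmed malicious")

    # Step 4: categorize. A hash match or confirmed C2 traffic means malware.
    confirmed = bool(family) or bool(inc["iocs"])
    inc["category"] = "malware" if confirmed else "suspicious-process-unconfirmed"
    if confirmed:
        inc["priority"] = "high"
    log("categorize", inc["category"])

    # Step 5: remediation with a guardrail. Automation never isolates a
    # crown-jewel asset, and never acts on an unconfirmed alert, without a human.
    if not confirmed:
        inc["actions"].append("assign-analyst")
    elif alert["host"] in crown_jewels:
        inc["actions"].append("isolate-pending-approval")
    else:
        inc["actions"] += ["snapshot", "isolate", "av-scan"]
    log("remediate", ", ".join(inc["actions"]))
    return inc


if __name__ == "__main__":
    for step, msg in run_playbook(ALERT, INTEL, SIEM_EVENTS, CROWN_JEWELS)["audit"]:
        print(f"{step:>10}: {msg}")
```

Two design choices matter here. The SIEM query is bounded to the affected host and a time window, so the playbook attaches evidence rather than the whole log, and the decision to isolate is made from two independent signals (the hash and the network IOCs), so a single stale feed entry is less likely to take a production host offline by itself.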

The Evolution of Security Orchestration

While orchestration clearly has applications outside of response-based security disciplines, incident response is a sensible place to start because it’s the point at which most security solutions and processes intersect.

The journey toward a fully orchestrated incident response function is a long road. Fortunately, each stage of the journey brings potentially large gains in key measures such as time to detect and time to respond to security incidents.

Of course, as beneficial as orchestration and automation can be, particularly when combined with threat intelligence, there is one important thing to keep in mind.

Automated and intelligent workflows can dramatically improve efficiency and consistency in security processes, but only if the underlying workflows are well designed. If you move forward with automation and orchestration before you have solid workflows in place, you'll end up missing things or making serious errors, and nobody will pick them up, because the human element has been removed. For the same reason, destructive actions such as isolating a host or disabling an account should keep a human approval step until a playbook has a track record you trust.

As with all security endeavors, then, it’s important to keep in mind that the order of improvement should be:

People → Processes → Technology

Once you have well-trained personnel and strong processes in place, committing to a program of integration, automation, and orchestration can revolutionize your security program.