Managing incident response is an important task for any IT or security manager: it means making a plan of action for staff to follow in the event of a cyber attack or security breach, and using the tools at your disposal to mitigate risk. To assist with this sort of planning, two main approaches and technologies have emerged - autonomous incident response and security orchestration.
While both approaches aim to make life easier for IT security staff and to improve security for big and small businesses alike, they differ in how they get there. Security automation seeks to cut out the human element of system defence by automating tasks and acting autonomously in response to attacks and reports. Security orchestration, on the other hand, aims to bring technology and security staff together to streamline incident response, combining the benefits of automated reporting with human decision-making.
Security expert Bruce Schneier compares the two approaches to modern military thinking, where a huge effort in data gathering, surveillance and automation has led to a much more intelligence-led approach to operations. Schneier notes, however, that despite the enormous amount of data now collected and processed by military forces around the world, ground troops and human resources are still vital - and the same, he claims, applies to the IT and security industries.
Supporting orchestration over automation, he suggests that as good as automation and reporting might get, there is currently no substitute for the flexibility and ingenuity of human staff. Autonomous security report generation, much like gathering extensive battlefield data, is useful at times, but it still requires trained staff to act upon it for the best possible results.
Orchestration makes the most of these human skills by bringing together automated tools and reports to provide risk information exactly when and where it is needed. Incident response is a vital part of system security, and while automation can be extremely useful in targeting individual threats, orchestration provides the tools to enable staff to tackle diverse and ongoing issues.
While proper security orchestration will look different for each organisation, it broadly follows a set pattern. Typically, the tools in use by a business’s IT team gather information about threats and weaknesses, autonomously produce reports and then deliver these reports to security analysts. With the proper information in hand, analysts should then be able to alert the correct people to help stop attacks, take actions to protect data, and inform system users of what actions they need to take in the future.
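One way to show that pattern in code, as an added example that is not from the article or from any particular product: a small orchestration routine that enriches tool reports automatically, closes only routine low-risk noise on its own, and hands everything else to an analyst whose decision gates any disruptive action. The critical-asset list, the alerts and the severity labels are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed critical-asset list; in practice this comes from an asset inventory or CMDB.
CRITICAL_ASSETS = {"db-01", "dc-01"}

@dataclass
class Alert:
    source: str      # tool that produced the report, e.g. "ids" or "edr"
    host: str
    indicator: str   # short description of what the tool observed
    severity: str    # "low", "medium" or "high" (constructed labels)

@dataclass
class Orchestrator:
    """Connects automated tool output to the analysts who decide what to do."""
    analyst_queue: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # every step, automated or human, is logged

    def enrich(self, alert):
        # Automated step: attach context an analyst would otherwise look up by hand.
        return {"alert": alert, "critical_asset": alert.host in CRITICAL_ASSETS}

    def triage(self, alert):
        ctx = self.enrich(alert)
        if alert.severity == "low" and not ctx["critical_asset"]:
            # Automation may close routine, low-risk noise on its own.
            self.audit.append(("auto-closed", alert.host, alert.indicator))
            return "auto-closed"
        # Everything else goes to a person, with the enrichment attached.
        self.analyst_queue.append(ctx)
        self.audit.append(("queued-for-analyst", alert.host, alert.indicator))
        return "queued"

    def decide(self, ctx, isolate):
        # Disruptive actions (isolating a host) run only after an analyst decision.
        alert = ctx["alert"]
        self.analyst_queue.remove(ctx)
        action = "isolate-host" if isolate else "monitor"
        self.audit.append((action, alert.host, alert.indicator))
        return action

def demo():
    orch = Orchestrator()
    # Constructed sample reports from two tools: one is noise, one touches a critical asset.
    a1 = Alert("ids", "ws-17", "port scan from 10.0.0.5", "low")
    a2 = Alert("edr", "db-01", "suspicious service install", "low")
    r1, r2 = orch.triage(a1), orch.triage(a2)
    d = orch.decide(orch.analyst_queue[0], isolate=True)
    return r1, r2, d, len(orch.analyst_queue), orch.audit
```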
Oliver Friedrichs, founder of an orchestration startup, describes the approach as "a layer of connective tissue" between technology and security teams, with orchestration tech being able to speed up and improve incident response efforts. Rather than replacing existing staff with entirely automated systems, staff can instead be empowered to make better use of the tech at their disposal.
Friedrichs and others have predicted a rapid expansion in the use of security orchestration in the coming years, particularly following the increase in high-profile cyber attacks that have forced IT teams to look again at their precautions. By making use of security orchestration in your organisation, you can put your IT support staff and security analysts in the best position to help them tackle attacks long into the future.