How security automation, orchestration and response platforms can open the door for improved collaboration
Cody Cornell, CEO, Swimlane
Cyber threats are advancing every day, and in order to keep up with the rapid proliferation of digital dangers, cybersecurity professionals need to work collectively to raise the barrier to entry and stay ahead of increasingly sophisticated bad actors. As mentioned in my previous article, no one can build perfect, impenetrable security, but collaboration can empower our collective security operations centers (SOCs). Let’s take proactive protection and threat hunting to the next level and optimize the entire industry’s security posture.
Too Many Tools, Not Enough Time
Disparate security teams around the globe are investing time and resources to devise countermeasures and workflows to defend against evolving, but similar, threats. In many cases, they operate in silos and duplicate efforts completing similar investigations, workflows and incident responses. Consequently, security operations (SecOps) resources are wasted as the overburdened and understaffed security industry isn’t able to hire talent fast enough. Compounding the issue, the industry anticipates a shortage of 3.5 million security jobs by 2021, which means SOCs are forced to do more with less.
In many of today’s environments, IT and security teams integrate a multitude of tools and various security solutions to shield their infrastructure and most critical data from cyberattacks. Whether it’s access control and endpoint protection or monitoring and incident response, too many organizations have deployed disparate point solutions in different areas of the networked ecosystem, each requiring its own management, instead of integrated solutions. As a result, ensuring every component of a security system works together in an efficient manner to protect against cyberattacks is challenging, and any fracture in the infrastructure leaves the organization vulnerable to bad actors.
Because many organizations lack the resources and security staff needed to handle the ever-growing number of alerts, many threats go uninvestigated. And in the time it takes for security teams to pore over all of the data manually, a breach could have already occurred.
Limited Information Sharing and Collaboration
To combat this difficulty, a number of organizations have agreed to collaborate, sharing in-depth investigations, hunts or mitigations with other organizations in real time: how to identify cyberattacks and potential bad actors, and how to remediate alerts. Many industry experts see collaboration as the future of security, arming organizations with the resources to prevent breaches and hunt for other threats while bolstering the security industry as a whole.
But today, organizations are often hesitant to share information they think adversaries might be able to use against them. Consequently, security information sharing is limited to indicators of compromise (IOCs) such as IP addresses, file hashes, email addresses, domains or URLs. This type of sharing often occurs in Information Sharing and Analysis Centers (ISACs), which collaborate with each other via the National Council of ISACs (NCI), arming organizations with information that supports threat detection based on basic, preventive capabilities.
But now, it’s time to take security collaboration beyond ISACs and IOCs and level-up.
Move Beyond the What to Focus On the How
To transform cybersecurity from a source of consternation into an opportunity, everyone in the industry, not just collaborative SOCs and ISACs, must work together to share intelligence, best practices and lessons learned amongst a network of trusted peers.
When SOCs collaborate across industries, it opens the door for information sharing that goes beyond how to identify and defend against cyberattacks, to collectively embracing common standards and protocols that achieve more comprehensive and resilient cybersecurity. Essentially, it’s time to move beyond the what of threat detection and remediation and focus on the how. Rather than simply sharing information about IOCs, cybersecurity professionals should be sharing techniques not only for detecting potentially malicious behavior, but also for responding effectively and mitigating when malicious behavior is seen.
Information gleaned from IOCs is valuable, but even more valuable are the techniques used for detecting potentially malicious behavior. While more challenging, effective threat hunting should focus on behaviors instead of specific data points because data points can change rapidly. Once an analyst shares the operational mechanisms in place to address the potentially malicious behavior, the entire security industry can leverage that information to monitor and respond to attacks.
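To make the contrast concrete, here is an added example (not code from the article or from Swimlane) that runs two detections over constructed proxy/EDR log lines: a lookup against a constructed shared IOC list of the kind an ISAC feed carries, and a behavioral rule that flags a host contacting one destination at a near-constant interval. The log lines, IOC values (drawn from the RFC 5737 documentation ranges) and thresholds are all assumptions made for the example. The second host in the sample uses infrastructure that is not on the IOC list, so only the behavioral rule catches it.

```python
"""Contrast IOC matching with behavior-based detection over constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed shared IOC list, standing in for what an ISAC feed typically carries.
SHARED_IOCS = {
    "ip": {"203.0.113.45"},                 # RFC 5737 documentation range
    "domain": {"update-check.example.net"},  # reserved example domain
}

# Constructed key=value log lines. ws-22 shows the same beaconing behavior as ws-17
# but against an address that nobody has shared yet; ws-30 is irregular browsing.
SAMPLE_LOGS = [
    "ts=2024-03-01T10:00:01 host=ws-17 user=alice event=dns query=update-check.example.net",
    "ts=2024-03-01T10:00:02 host=ws-17 user=alice event=conn dst=203.0.113.45 dport=443",
    "ts=2024-03-01T11:00:00 host=ws-22 user=bob event=conn dst=198.51.100.9 dport=443",
    "ts=2024-03-01T11:00:05 host=ws-22 user=bob event=conn dst=198.51.100.9 dport=443",
    "ts=2024-03-01T11:00:10 host=ws-22 user=bob event=conn dst=198.51.100.9 dport=443",
    "ts=2024-03-01T11:00:15 host=ws-22 user=bob event=conn dst=198.51.100.9 dport=443",
    "ts=2024-03-01T11:00:20 host=ws-22 user=bob event=conn dst=198.51.100.9 dport=443",
    "ts=2024-03-01T11:00:25 host=ws-22 user=bob event=conn dst=198.51.100.9 dport=443",
    "ts=2024-03-01T12:00:00 host=ws-30 user=carol event=conn dst=192.0.2.10 dport=443",
    "ts=2024-03-01T12:03:17 host=ws-30 user=carol event=conn dst=192.0.2.10 dport=443",
    "ts=2024-03-01T12:09:02 host=ws-30 user=carol event=conn dst=192.0.2.10 dport=443",
]


def parse(line):
    """Parse one key=value log line into a dict; the timestamp becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def ioc_matches(events, iocs=SHARED_IOCS):
    """Data-point detection: flag events whose destination is on the shared list."""
    hits = []
    for ev in events:
        if ev.get("dst") in iocs["ip"] or ev.get("query") in iocs["domain"]:
            hits.append((ev["host"], ev.get("dst") or ev.get("query")))
    return hits


def beaconing(events, min_count=5, max_jitter=timedelta(seconds=2)):
    """Behavioral detection: one host contacting one destination at a near-constant
    interval. It inspects timing, not addresses, so it survives infrastructure rotation."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["event"] == "conn":
            by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    findings = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            findings.append((host, dst, len(stamps), gaps[0]))
    return findings


def run(lines=SAMPLE_LOGS):
    """Run both detections and return their findings side by side."""
    events = [parse(line) for line in lines]
    return {"ioc_hits": ioc_matches(events), "beacons": beaconing(events)}


if __name__ == "__main__":
    result = run()
    print("IOC hits:      ", result["ioc_hits"])
    print("Beacon pattern:", result["beacons"])
```

Sharing the IOC list would have helped only the first host's defenders; sharing the beaconing rule (its features and thresholds) helps every team that ingests connection logs, which is the point the paragraph makes about behaviors outliving data points.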
Security operations centers need to be sharing playbooks and processes with each other to reveal the behaviors of bad actors. That is why Swimlane hosts SecOps Hub, a community of security professionals available to discuss SecOps strategies, incident response best practices and ways to simplify tasks and processes with security orchestration, automation and response (SOAR). And while we’re the proud host of this security hive mind, SecOps Hub is a vendor-neutral, open forum for all security professionals.
Additionally, we recently launched “Hands-Free Security,” a podcast series convening industry thought leaders and subject matter experts to discuss SecOps strategies and how SOAR can help, to further improve collaboration across SOCs and across industries. The ongoing series offers listeners automation use cases, information on emerging technologies and industry insights to help deal with the sheer volume of security alerts and growing portfolios of security solutions.
Beyond sharing information, security communities should also consider collaborating on research to better identify and counter specific threats. Increased collaboration could optimize data protection, taking threat hunting and breach prevention to the next level.
SOAR Opens the Door for Improved Collaboration
As automation increasingly becomes a critical component of a robust cybersecurity program, many SOCs are looking to streamline their processes with automated technologies. Adversaries are developing and deploying automated attacks, and the best way to fight automation is with automation.
Automation technologies are making a significant impact due to the increased operational effectiveness they drive within an organization’s SOC. When seamlessly integrated with an organization’s people, processes and technologies, automation can help prevent successful cyberattacks while encouraging collaboration across security silos. Automation drives rapid decision-making and ensures manual mistakes aren’t made and threats aren’t missed.
SOAR technologies create a more streamlined method for detecting and responding to cyber threats while simultaneously enhancing collaboration. At Swimlane, our SOAR platform centralizes security operations by orchestrating incident response playbooks and workflows across multiple specialized security tools and related infrastructure. This enables SecOps teams to automate operational tasks and existing alert responses by modeling and orchestrating the workflow steps tied to virtually any use case.
We take the building blocks and elements of your security infrastructure that actually matter to how you respond and make them easy to share. By automating and orchestrating time-consuming and repetitive tasks such as creating reports, logging into multiple systems or entering incident information, SOAR significantly speeds up threat management and incident response processes.
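The orchestration pattern described above can be illustrated with a minimal playbook runner. This is an added example, not Swimlane’s code and not a description of how its platform is built: the alert, the threat-intelligence lookup table, the action names and the playbook definition are all constructed for the example. The playbook is plain data, which is what makes it reviewable and shareable between teams, and each step is a small function so repetitive work (enrichment, triage, ticket creation) runs the same way every time.

```python
"""Minimal declarative playbook runner in the SOAR style: steps as data, actions as code."""
from dataclasses import dataclass, field

# Constructed lookup standing in for a threat-intelligence enrichment service.
INTEL = {
    "198.51.100.9": {"reputation": "malicious", "confidence": 90},
    "192.0.2.10": {"reputation": "benign", "confidence": 80},
}


@dataclass
class Case:
    """Incident record the playbook fills in; this is what analysts review and share."""
    alert: dict
    enrichment: dict = field(default_factory=dict)
    severity: str = "unknown"
    actions: list = field(default_factory=list)


# Each action is a function of (case, params). Actions only record decisions here;
# in a real deployment they would call the EDR, ticketing or intel integrations.
def enrich_destination(case, params):
    dst = case.alert["dst"]
    case.enrichment = INTEL.get(dst, {"reputation": "unknown", "confidence": 0})


def triage(case, params):
    rep = case.enrichment["reputation"]
    conf = case.enrichment["confidence"]
    if rep == "malicious" and conf >= params["min_confidence"]:
        case.severity = "high"
    elif rep == "unknown":
        case.severity = "medium"  # no intelligence is not the same as benign
    else:
        case.severity = "low"


def isolate_host(case, params):
    case.actions.append(f"isolate:{case.alert['host']}")


def open_ticket(case, params):
    case.actions.append(f"ticket:{params['queue']}:{case.severity}")


ACTIONS = {
    "enrich_destination": enrich_destination,
    "triage": triage,
    "isolate_host": isolate_host,
    "open_ticket": open_ticket,
}

# Constructed playbook. "when" is an optional severity gate checked before the step runs.
BEACON_PLAYBOOK = [
    {"action": "enrich_destination"},
    {"action": "triage", "params": {"min_confidence": 75}},
    {"action": "isolate_host", "when": {"severity": "high"}},
    {"action": "open_ticket", "params": {"queue": "soc-tier2"}},
]


def run_playbook(playbook, alert):
    """Execute each step in order, skipping steps whose gate does not match the case."""
    case = Case(alert=dict(alert))
    for step in playbook:
        gate = step.get("when", {})
        if gate and case.severity != gate.get("severity"):
            continue
        ACTIONS[step["action"]](case, step.get("params", {}))
    return case


if __name__ == "__main__":
    alert = {"host": "ws-22", "dst": "198.51.100.9", "rule": "beaconing"}  # constructed alert
    case = run_playbook(BEACON_PLAYBOOK, alert)
    print(case.severity, case.actions)
```

Because BEACON_PLAYBOOK is just a list of dictionaries, it can be serialized and exchanged between organizations exactly as the article argues playbooks should be; a receiving team plugs in its own integrations behind the same action names.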
Swimlane is a single collaborative environment that fuses together threat data, evidence and users so that all stakeholders involved in the investigation process can collaborate and share information. The platform gives security teams access to easy-to-use, out-of-the-box security content modules called “Applets” that can be rapidly deployed to address a broad range of incident response use cases.
In addition, individual Applets can be developed to map any process, technology and/or playbook component, and they are easy to mix, match and customize. Even better, Applets can be shared within an organization or amongst a trusted peer community using Swimlane’s AppHub, a collaborative open marketplace.
Given the impending dearth of qualified cybersecurity professionals, SOAR is now more vital than ever before. When SOCs work together to secure the world’s most sensitive data, they leverage shared resources and combined skills and expertise to increase the effectiveness of collective SOCs.
In the end, collaboration can help organizations across industries conserve security resources, which is both good for the bottom line and their overall security posture. Not only do SOAR technologies significantly speed time to resolution, but they also free up security teams to focus on more complicated and critical issues that require thoughtful solutions.
Data breaches are not going away, and as the threat landscape continues to grow and evolve, duplicating efforts will only become more costly and exhausting. Effective collaboration in addition to automation and orchestration can solve these problems. Swimlane’s approach harnesses the wisdom of the entire SecOps community and allows teams to build and share security response workflows that embody best practices.
About the Author
Cody Cornell, Co-founder and CEO, Swimlane
A respected authority on cybersecurity, Cody is responsible for the strategic direction of Swimlane and the development of its security automation and orchestration solution. His passion for open exchange of security information and deep vendor integration drives him to pursue opportunities to maximize the value his customers receive from their investments in security operations. Collaborating with industry-leading technology vendors, Cody works to identify opportunities to streamline and automate security activities that speed cyber response and enable security orchestration.
In 2011, Cody co-founded Phoenix Data Security Inc., a cybersecurity professional services organization known for its ability to blend strategy and engineering with an organization’s business requirements. After beginning his career in the U.S. Coast Guard, Cody spent 15 years in IT and security, including roles with the U.S. Defense Information Systems Agency, Department of Homeland Security, American Express and IBM Global Business Services.
Cody is a frequent presenter on information security at forums such as the Secret Service Electronic Crimes Task Force, the DHS Security Subcommittee on Privacy and National Public Radio (NPR). Link up with Cody here at LinkedIn.