How security orchestration improves detection and response

Working together in perfect harmony like the wind and percussion sections of a symphony orchestra requires both rigorous practice and a skilled conductor. Wouldn’t it be great if our cybersecurity solutions did the same to better protect organizations? The methods and tools used to accomplish this are often referred to as security orchestration.

Even though security orchestration may sound like just another buzz-phrase in the infosec world, it’s a worthwhile methodology to explore when multiple security solutions are necessary to protect organizations against threats. So how can organizations determine whether security orchestration is necessary?

Cybersecurity policies and best practices cycle through various pendulum swings as the market shifts. Once upon a time, IT teams were told it was foolish to run two antivirus programs on one machine. However, for years Malwarebytes proved itself to be an excellent wingman to traditional AV programs—that is, until our software demonstrated that its proactive protection technology was just as innovative as its remediation and could stand alone.

In more recent years, IT teams have been urged not to put their eggs all in one basket with a single, large-scale security suite that could also have a single, large-scale point of failure. This philosophy encourages organizations to layer their protection technologies with vendors that specialize in different areas of defense.

But that can get hairy, too, especially if the various security solutions don’t cooperate or cancel each other out. Therefore, security orchestration has taken hold as a methodology that combines top protection capabilities with simplicity for implementation and use. Organizations looking to cut down on confusion and deploy best-in-class security from one platform might consider choosing products from a limited number of vendors that can integrate with one another through security orchestration software.

To further the analogy, then, the conductor is security orchestration software, while the rigorous practice is all the fine-tuning that is often required of IT and operations teams before it all works as desired.

What can security orchestration do for me?

Orchestration in this context implies:

  • Solutions working together without interrupting each other
  • Streamlining workflow processes so that each component does what it does best
  • Unification so that data is exported in a user-friendly and organized manner

Security orchestration is ideally possible even when security software comes from different vendors. However, the setup often needs to be modified to get the most out of what the solutions have to offer, without one interfering with the effectiveness of another.

Security orchestration is often heard in combination with terms such as automated response, which means that the security components work well together and are capable of thwarting low-level threats without human interaction.

In those cases, we can add detection and remediation as tasks that need to be completed in an orchestrated way.

The objectives for security teams to keep in mind are:

  • Clarity and simplicity when reviewing suspicious activity or an active attack
  • The ability to minimize response and dwell time
  • Clear and easy-to-follow rules and protocols in case of an incident

While there are a variety of different use cases for security orchestration, as well as diverse needs to be addressed by different organizations, security orchestration mostly aims to achieve the following goals:

  • A single console showing all endpoints and software
  • Automated incident response
  • Incident response protocols

There are other methods, of course, and what works for one company may not be the perfect solution for another. For example, some organizations may focus on measurements over the long term and will need their information displayed differently from an organization that is only interested in the most recent logs.

Difference between SIEM and SOAR

Terms that are closely related to the subject of security orchestration are security information and event management (SIEM) and security orchestration, automation, and response (SOAR).

Based on our description of security orchestration above, you may wonder how SIEM and SOAR differ. A SIEM platform gathers, and performs a first triage of, the data brought in by the different security solutions, such as AV, firewall, IPS, or other programs. Assessing that data and deciding whether any action is required remains up to the operator(s). The analysts will have a toolset to perform further investigation and undertake action when needed.

A SOAR platform is able to take a few of those steps out of the hands of the operators and analysts. SOAR programs can automatically respond to some of the security alerts raised by the correlated data from the SIEM platform.

Dumbing it down, you could say that a SIEM organizes the data gathered by security solutions and creates reports based on those data. A SOAR can take immediate action against detected threats, reducing dwell time by reducing the necessity for human interference. Typically, large organizations will have both a SIEM and a SOAR, as they are not exclusive.
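To make the division of labour concrete, here is an added illustration (not code from the post or from Malwarebytes) of the two steps described above: a toy SIEM stage that correlates constructed events from an AV agent, a firewall and an IPS by host and assigns a risk score, followed by a toy SOAR playbook that only auto-contains a host when independent sources agree, and otherwise hands the incident to an analyst or merely logs it. The event format, the sources, the hostnames, the scoring rule and the thresholds are all assumptions made for this example.

```python
"""Added example (not from the original post): a toy SIEM correlation step
followed by a toy SOAR playbook, run over constructed sample events.

Assumptions (hypothetical, constructed for this example):
- Three sources feed the SIEM: an AV agent, a firewall, and an IPS.
- Events are dicts with source, host, severity (1-5) and a short message.
- The SOAR playbook may auto-contain a host only when the SIEM has
  correlated two or more independent sources on that host; a single
  low-severity alert goes to an analyst or is only logged, so the
  platform does not "cry wolf".
"""
from dataclasses import dataclass, field

# Constructed sample feed; not real telemetry.
SAMPLE_EVENTS = [
    {"source": "av", "host": "ws-017", "severity": 4, "msg": "Trojan.Generic quarantined"},
    {"source": "firewall", "host": "ws-017", "severity": 3, "msg": "outbound 203.0.113.5:8443 blocked"},
    {"source": "ips", "host": "ws-017", "severity": 3, "msg": "beacon signature matched"},
    {"source": "firewall", "host": "ws-042", "severity": 1, "msg": "outbound 198.51.100.9:443 allowed"},
    {"source": "av", "host": "srv-db01", "severity": 2, "msg": "PUP.Optional detected"},
]


@dataclass
class Incident:
    """One correlated incident per host, as a SIEM would present it."""
    host: str
    sources: set = field(default_factory=set)
    max_severity: int = 0
    messages: list = field(default_factory=list)
    risk_score: int = 0


def siem_correlate(events):
    """SIEM step: group raw events by host and compute a risk score.

    Score (assumed rule) = highest severity seen on the host
    plus 2 for every additional independent source reporting on it.
    """
    incidents = {}
    for ev in events:
        inc = incidents.setdefault(ev["host"], Incident(host=ev["host"]))
        inc.sources.add(ev["source"])
        inc.max_severity = max(inc.max_severity, ev["severity"])
        inc.messages.append(f'{ev["source"]}: {ev["msg"]}')
    for inc in incidents.values():
        inc.risk_score = inc.max_severity + 2 * (len(inc.sources) - 1)
    return incidents


CONTAIN_THRESHOLD = 6   # assumed: a serious detection corroborated by another source
TRIAGE_THRESHOLD = 2    # assumed: anything below this is noise; nobody gets paged


def soar_playbook(incident):
    """SOAR step: pick the response tier for one correlated incident.

    Automated containment requires both a high score and at least two
    independent sources, so a single noisy sensor cannot isolate a host.
    """
    if incident.risk_score >= CONTAIN_THRESHOLD and len(incident.sources) >= 2:
        return {"action": "isolate_host", "host": incident.host, "ticket": "auto"}
    if incident.risk_score >= TRIAGE_THRESHOLD:
        return {"action": "open_ticket", "host": incident.host, "ticket": "analyst"}
    return {"action": "log_only", "host": incident.host, "ticket": None}


def run_pipeline(events):
    """SIEM correlation followed by the SOAR playbook; returns decision per host."""
    return {host: soar_playbook(inc) for host, inc in siem_correlate(events).items()}


if __name__ == "__main__":
    for host, decision in run_pipeline(SAMPLE_EVENTS).items():
        print(host, decision)
```

With the constructed feed, ws-017 (three agreeing sources, score 8) is isolated automatically, srv-db01 (one source, score 2) becomes an analyst ticket, and ws-042 (one benign event, score 1) is only logged. The two-source requirement in the playbook is the design choice worth keeping: it is what lets the SOAR act without a human while limiting the false alarms the post warns about below.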

What do you look for in security orchestration software?

Before investing in security management, consider the important points listed below. They may not apply to every situation, but are worth mulling over nonetheless:

  • Will it scale? If you expect your company to grow, you’ll want your solution to grow along with it.
  • Big logs are time-consuming. Does the SIEM or SOAR provide the big picture, while letting you drill down if looking for something specific?
  • Is the platform versatile? How many programs, operating systems, and security software can it handle?
  • Is it compliant with the necessary standards to which you need to adhere?
  • Does it provide adequate response time? Security orchestration should enable teams to respond quickly and contain the threat.
  • Can you view data in real time? You should be able to see what is going on right now, not just what happened yesterday.
  • Are threat analysis and indicators of compromise readily available? In case of trouble, you should be able to compare suspicious activity to known IOCs.
  • Is the platform cloud-based or on premises? SIEM and SOAR in the cloud make it easier to scale and troubleshoot, but some teams prefer having control in their own environment.

All the requirements boil down to a few basics: ease of use and quick response. All the extras (and you may be surprised by what some security orchestration programs have to offer) are just that—extra. Nice to have, but useless if they don’t meet the basic requirements.

Less desirable traits

Measurements of the past can give you an idea of what to expect in the future, but that is not helpful if the solution is unable to respond to an unexpected threat. A multitude of logs and ways to present them are a burden if you don’t have the means to make sense of them.

False alarms are a risk with these programs, and you don’t want them to happen too often. People will grow complacent and ignore alarms if they expect them to be false again. Your SIEM and SOAR platforms should not cry “wolf.”

SIEM and SOAR solutions should not limit your choice of security vendors. Replacing one solution with another is often burden enough. If you have to rearrange your whole setup to accomplish it, the will to do it will quickly diminish. If you have the luxury of starting fresh, make sure to plan ahead.

You don’t want to have to move to a new house just because you bought a new couch, right? You can introduce a new solution or replace an older one without having to re-think all the others. Installing the new solution and some fine-tuning should be enough to get everything on track again.

Your operators and analysts are valuable assets, and you don’t want to keep them occupied with routine chores. You want to free them up for the important work that they do best, and automate the rest. If done right, security orchestration can both keep your team happy and your organization safe.

Stay safe and protected.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.