Though the Greek philosopher Heraclitus was the first to remark, “the only thing constant is change,” more than 2,000 years ago, it’s an observation that remains true even in modern times. Anyone versed in the technology industry knows this is the rule rather than the exception; and it is particularly valid in cyber security.
New security technologies are introduced at a near constant pace, and then quickly evolve as users adopt them and share feedback with the companies leading product development. As security automation and orchestration (SA&O) is an emerging category, we’re starting to see an evolution both in the functions required and in the users adopting the technology.
As the name certainly suggests, automation and orchestration were foundational capabilities in SA&O platforms from the beginning. Most security teams have Standard Operating Procedures (SOPs) that they follow in response to a threat, and those SOPs are normally executed manually. SA&O platforms invoke “digital playbooks” to execute those SOPs at machine speed.
Playbooks commonly align with the procedures representing the greatest pain points in a SOC: procedures that include extensive manual tasks and require working across multiple products. Common playbook automation examples span investigation, enrichment, containment and remediation:
The objective of alert triage is to validate and prioritize incoming alerts. Procedures that focus on triaging inbound alerts involve enriching events with additional context. They may also include logic to eliminate high-confidence false positive alerts from further processing.
Incident response procedures can vary greatly depending on the type of incident. For example, responding to a phishing attempt incident is quite different from responding to a successful ransomware attack.
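The alert triage playbook described above (enrich, drop high-confidence false positives, prioritize), as an added example that is not code from the original post or from any SA&O product; the asset inventory, indicator list and scanner allowlist are constructed stand-ins for the integrations a real platform would query:

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the asset inventory, threat-intel feed and scanner
# allowlist a real playbook would query through product integrations (hypothetical data).
ASSET_INVENTORY = {"10.0.1.5": "high", "10.0.2.9": "low", "10.0.3.3": "medium"}
KNOWN_BAD_IPS = {"203.0.113.7"}      # TEST-NET-3 address, constructed indicator
APPROVED_SCANNERS = {"10.0.2.9"}     # internal vulnerability scanner (constructed)

@dataclass
class Alert:
    id: str
    rule: str
    src_ip: str
    dst_ip: str
    context: dict = field(default_factory=dict)
    score: int = 0
    disposition: str = "open"        # "open" or "suppressed"

def enrich(alert: Alert) -> Alert:
    """Enrichment step: attach target criticality and threat-intel hits to the raw event."""
    alert.context["dst_criticality"] = ASSET_INVENTORY.get(alert.dst_ip, "unknown")
    alert.context["intel_hit"] = bool({alert.src_ip, alert.dst_ip} & KNOWN_BAD_IPS)
    return alert

def is_high_confidence_false_positive(alert: Alert) -> bool:
    """Suppress only when every condition of a documented benign pattern holds."""
    return alert.rule == "port_scan" and alert.src_ip in APPROVED_SCANNERS

def prioritize(alert: Alert) -> Alert:
    """Score from target criticality, bumped when an indicator matched."""
    weights = {"high": 50, "medium": 30, "low": 10, "unknown": 20}
    alert.score = weights[alert.context["dst_criticality"]] + (40 if alert.context["intel_hit"] else 0)
    return alert

def triage(alerts: list[Alert]) -> list[Alert]:
    """Playbook: enrich, mark high-confidence false positives (kept at score 0 so the
    decision stays auditable), rank everything else by score."""
    for a in alerts:
        enrich(a)
        if is_high_confidence_false_positive(a):
            a.disposition = "suppressed"
        else:
            prioritize(a)
    return sorted(alerts, key=lambda a: a.score, reverse=True)

SAMPLE_ALERTS = [                    # constructed inbound alerts
    Alert("A1", "port_scan", "10.0.2.9", "10.0.1.5"),      # approved scanner -> false positive
    Alert("A2", "port_scan", "10.0.3.3", "10.0.1.5"),      # unapproved host scanning prod DB
    Alert("A3", "brute_force", "203.0.113.7", "10.0.3.3"), # known-bad source address
]
```

Running `triage(SAMPLE_ALERTS)` ranks A3 (known-bad source) above A2 and leaves A1 suppressed at the bottom, while keeping the suppressed record for later audit.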