How best to use orchestration and automation in cyber security operations is a question that many CISOs have been asking themselves. But when it comes to orchestration, what difference does it make whether you use it with or without intelligence? Are there obvious benefits that we’ve been ignoring for years, and how will its adoption change organisations in the long term?
Orchestration informed by security intelligence from within your environment, and by threat intelligence from a variety of external sources, is more effective, resilient, and adaptive. An intelligence-led approach will inform your strategy for orchestration in multiple ways. With intelligence on an adversary’s capabilities, attack patterns, and intent, organisations can build and configure orchestration capabilities to defend their networks. Better still, orchestration can be built to adapt to changing adversary capabilities, attack patterns, and infrastructure as new internal security intelligence and external threat intelligence become available.
When using intelligence and orchestration together, situational awareness and historical data can determine when and how a task should be done. Intelligence allows the process to be adaptive to the changing environment. And, using it allows you to strategically plan for a better programme.
Threat Intelligence Deconstructed
Before delving into how orchestration and threat intelligence can be coupled together, it’s vital to know what threat intelligence (TI) actually is. TI is often misunderstood as merely referring to Indicators of Compromise (IOCs) delivered via data feeds. These feeds typically consist of context-sparse information or data, and they have their place in supporting defensive operations, but they are far from a complete and accurate picture of what TI can be. Most IOC feeds are better characterised as information, not intelligence. Intelligence is not raw data and it is not merely information – it is knowledge of threats that you can use to inform decisions and possibly to predict future circumstances.
With threat intelligence, you go beyond knowledge to being able to predict where an adversary is likely to attack next. As a result, you can make decisions to defend against or mitigate an attack. So, as you begin to automate your processes, it is essential that you use threat intelligence to drive decisions. Orchestration can continue to block where an adversary has been before but using your threat intel to drive orchestration enables you to determine where the attacker will most likely go next.
The Limits of Orchestration
Security orchestration is a coordination of multiple security tasks and decision points into a complex process. It typically involves conditional logic to enable branched processes to connect and integrate multiple security systems, applications, and teams together into streamlined workflows. It also correlates disparate data to help coordinate the right response. As a holistic solution, security orchestration involves people, process, technology, and information.
However, automation and orchestration have their limits when it comes to enabling speed and effectiveness at the same time. While automation can speed up a repetitive process and orchestration can automate decision making, often they can only perform mundane tasks.
Using orchestration to build an effective defence is still dependent on your knowledge of an attacker’s methodology, and your ability to detect or mitigate it. Adversaries are adaptive. If one route to their objective is blocked, they will try others. If narrowly implemented, your orchestrated processes can be circumvented by a clever or persistent adversary.
The perfect combination: Orchestration + Intelligence
Threat intelligence-driven orchestration is the perfect combination if organisations want to become more resilient and adaptive to the ever-changing threat landscape. Threat intelligence is not only adaptive to the changing environment; it also takes both situational awareness and circumstances into account. As it drives your orchestrated actions, the results of those actions can be used to create or enhance existing threat intelligence. Thus a feedback loop is created: threat intelligence drives orchestration, and orchestration in turn enhances threat intelligence.
By using one platform that includes both threat intelligence and orchestration, you create a system of insight which can enable organisations to better understand their threat landscape. In particular, the combination will allow organisations to:
Alert, block, and quarantine based on relevant threat intel. Even for lower level tasks like alerting and blocking, having relevant threat intel is important. You can automate detection and prevention tasks and having multi-sourced, validated threat intel can help ensure that you are alerting and blocking in the right areas.
Understand context and improve over time. When you automate tasks based on threat intelligence thresholds such as indicator scores, and memorialise all of that information, you can strategically look at your processes to determine how to improve.
Increase accuracy, confidence, and precision. Situational awareness and historical context are key to decision making. Working directly from threat intelligence allows you to work more quickly and prevent attacks before they happen. The more you can automate up front, the more proactive you can be. By eliminating false positives and using validated intelligence you increase the accuracy of the actions taken. This accuracy leads to confidence and improves speed and precision.
Adjust processes automatically as information and context changes. Intelligence-driven orchestration is data first, while security orchestration is action first. When your threat intelligence is stored in a data model (with threat scores), you can set your processes to automatically adjust if the threat landscape changes.
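The four capabilities above describe one loop: actions are chosen from indicator scores held in a data model, every decision is memorialised, and analyst verdicts feed back so that the same indicator can produce a different action next time. The following Python is an added example of that loop, not ThreatConnect's data model or any vendor API; the 0-100 score scale, the alert/block/quarantine thresholds, the two-feed corroboration rule, the penalty values and the documentation-range IP address are all constructed for illustration.

```python
"""Score-threshold playbook with an analyst feedback loop (added example).

Constructed indicators, feed scores and thresholds; not a vendor data model.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed thresholds on an assumed 0-100 indicator score.
ALERT_THRESHOLD = 40
BLOCK_THRESHOLD = 70
QUARANTINE_THRESHOLD = 90
# Enforcement (block/quarantine) requires corroboration by at least this many
# feeds, so one noisy feed can raise an alert but cannot block on its own.
MIN_SOURCES_FOR_ENFORCEMENT = 2
FALSE_POSITIVE_PENALTY = 30   # score reduction per analyst false-positive verdict
TRUE_POSITIVE_CREDIT = 10     # penalty relief per confirmed true positive


@dataclass
class Indicator:
    value: str
    kind: str                                      # "ip", "domain", "sha256", ...
    feed_scores: dict[str, int] = field(default_factory=dict)  # feed -> score
    penalty: int = 0                               # accumulated from feedback
    history: list[str] = field(default_factory=list)  # memorialised decisions

    @property
    def score(self) -> int:
        """Aggregate score: highest feed score minus feedback penalty, clamped."""
        if not self.feed_scores:
            return 0
        return max(0, min(100, max(self.feed_scores.values()) - self.penalty))


def ingest_feed_score(ind: Indicator, feed: str, score: int) -> None:
    """Record a feed's score for the indicator; the aggregate recomputes lazily."""
    ind.feed_scores[feed] = score
    ind.history.append(f"feed {feed} scored {score}; aggregate now {ind.score}")


def decide_action(ind: Indicator) -> str:
    """Map the indicator's current score and corroboration to a playbook step."""
    corroborated = len(ind.feed_scores) >= MIN_SOURCES_FOR_ENFORCEMENT
    score = ind.score
    if score >= QUARANTINE_THRESHOLD and corroborated:
        return "quarantine"
    if score >= BLOCK_THRESHOLD and corroborated:
        return "block"
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "monitor"


def run_playbook(catalogue: dict[str, Indicator],
                 sightings: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Evaluate each sighting (kind, value) against the catalogue and log the decision."""
    decisions = []
    for kind, value in sightings:
        ind = catalogue.get(value)
        if ind is None or ind.kind != kind:
            decisions.append((value, "ignore"))     # not a known indicator of that kind
            continue
        action = decide_action(ind)
        ind.history.append(f"sighting -> {action} (score {ind.score})")
        decisions.append((value, action))
    return decisions


def record_verdict(ind: Indicator, verdict: str) -> None:
    """Feed an analyst verdict back into the data model so later decisions adapt."""
    if verdict == "false_positive":
        ind.penalty += FALSE_POSITIVE_PENALTY
    elif verdict == "true_positive":
        ind.penalty = max(0, ind.penalty - TRUE_POSITIVE_CREDIT)
    else:
        raise ValueError(f"unknown verdict {verdict!r}")
    ind.history.append(f"analyst verdict {verdict}; aggregate now {ind.score}")


def demo() -> list[str]:
    """Walk one constructed indicator through the loop; returns the actions taken."""
    ioc = Indicator("198.51.100.7", "ip")          # constructed documentation-range IP
    catalogue = {ioc.value: ioc}
    sighting = [("ip", ioc.value)]
    actions = []
    ingest_feed_score(ioc, "feed-a", 85)           # one feed: high score, uncorroborated
    actions.append(run_playbook(catalogue, sighting)[0][1])   # alert only
    ingest_feed_score(ioc, "feed-b", 80)           # second feed corroborates
    actions.append(run_playbook(catalogue, sighting)[0][1])   # block
    record_verdict(ioc, "false_positive")          # analyst: the block was wrong
    actions.append(run_playbook(catalogue, sighting)[0][1])   # 85-30=55 -> alert
    ingest_feed_score(ioc, "feed-a", 100)          # strong new evidence from feed-a
    actions.append(run_playbook(catalogue, sighting)[0][1])   # 100-30=70 -> block
    return actions


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the corroboration rule is that a single feed's score can only ever reach "alert": blocking and quarantine wait for a second source, which is what "multi-sourced, validated" intel means in practice. The penalty persists across later feed updates, so a false-positive verdict keeps lowering the bar for enforcement until fresh evidence outweighs it; the `history` list on each indicator is the memorialised record the text says you should review when deciding how to tune thresholds.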
By combining orchestration with intelligence, organisations will be able to aggregate and normalise their threat data while simultaneously conducting a deep threat analysis. Ultimately, by using one platform that includes both processes, a system of insights will be created enabling organisations to increase accuracy, confidence and precision in the long term.
Author: Miles Tappin, VP of EMEA at ThreatConnect