Understanding your data is the first step in leveling up to automation and orchestration. To be a leader in the next decade, cyber intelligence and security professionals will need to embrace a more data-centric approach to traditional notions of security intelligence with the primary goal being automation to accelerate operational outcomes.
Let’s take a look at typical security stacks, how they work, and why security leaders need to modernize their approach through a data-centric lens.
Detection & Response
Detection and response tools are the foundational layer of any security organization. The detection and response layer includes applications like your SIEM, EDR, email, and network protection tools that ensure teams can prevent, detect, and respond to security incidents. These tools often come with their own data models, schemas, and query languages. As programs look to advance and accelerate detection and response operations, they turn to external intelligence sources to provide signal on known bad actors and campaigns, along with their related TTPs and IOCs.
As the intelligence industry has ballooned, there are many different types of sources a security leader can invest in, such as broad-based sources like VirusTotal and PassiveTotal. There are also premium intel feeds such as IBM X-Force that provide richer intel for their users. Broad-based sources provide up-to-date information on network indicators like IPs, domains, and URLs, while the more nuanced commercial sources put a premium on tracking threat actor groups, campaigns, and their associated signatures.
Along with commercial intel feeds, ISACs and ISAOs have become popular intel sources in the last 20 years. These are typically organized around specific industries or geographies to provide niche intel to their members. Beyond their different specialities, each intelligence source is likely to have its own formats, schemas, and query structure.
As investment in intelligence sources proliferated in the 2010s, Threat Intel Platforms (TIPs) emerged as a commercial alternative to open source ones like the Malware Information Sharing Platform (MISP) to help aggregate these sources. Rather than address the fundamental data normalization and integration challenges required to properly prepare and connect intel across operational tools, the first-gen TIPs like Anomali and ThreatConnect built application-centric business models around user licenses and invested heavily in complex user interfaces. That limited their use and value to an emerging class of Cyber Threat Intel professionals. As a result, instead of creating connective tissue across intelligence and security operations, they created yet another silo.
The concept of SOAR, or Security Orchestration, Automation, and Response, was first introduced by Gartner in late 2018 when they recognized the shortcomings legacy TIPs had in accelerating automation. Because this market category is relatively new, we’re witnessing a knee-jerk reaction from the industry. Suddenly, everyone is a SOAR platform, but there are many interpretations of what this actually means. The concept of SOAR has led to much market consolidation as well. In the last two years, we’ve seen Palo Alto Networks acquire Demisto and Splunk acquire Phantom for their orchestration power. For the purpose of this paper, we will define SOAR as the tools you use to construct and execute automated processes. This includes orchestration and case management tools.
So, Why Isn’t It Just...Working?
SOAR continues to live on in a new class of stand-alone process automation tools and in the emerging capabilities of flagship detection and response apps. But, with all this activity, why are more than 70% of security leaders with growing budgets still struggling with data silos, fragmentation, and a lack of progress in automation? Why are other industries able to advance automation at light speed while security is still stuck?
The Cloud Security Alliance’s Secure Intelligent Ecosystems white paper describes the challenge of normalizing and transforming data from siloed security tools and disparate intel sources as the “Valley of Death” and the ultimate blocker of achieving automation.
As the CSA Working Group has identified, the common misstep in security on the road to automation has nothing to do with investment in intel sources or in more or better detection, response, and SOAR tools. Breaking through this ‘Valley of Death’, and the obstacles posed by McComb’s ‘Integration Debt’, requires adopting a data-centric rather than app-centric view of managing intelligence for the purpose of automation.
Only when we embrace a data-centric approach to security can we truly automate and augment workflows and security stacks. To learn more about adopting data-centric security automation, read our full white paper here.