Evolving to Next-Generation Security Orchestration and VisibilityCisco's Vishak Raman on Automation and Orchestration
Because traditional tools are not helping in detecting threats or reducing noise, the need of the hour is an unified threat dashboard, says Vishak Raman, director of security business for India and SAARC at Cisco.
See Also: CISO Coffee Talks: Visibility
"You need to dipstick with your organization's IoCs and mash it up with global threat intelligence, and also look at the different attack vectors," Raman in an interview with Information Security Media Group. "I see email; I see web. How do I connect the dots? Today, organizations don't have a single console to mash those up."
Raman suggests that organizations consider deploying next-generation networks and visibility tools. "That's something which is important for organizations to improve their visibility. It starts with reviewing very basic segmentation policy and implementing 'first line of defense' tools that can scale, including for cloud security platforms."
In this interview with Information Security Media Group (see edited transcript below), Raman also discusses:
- Whether effective threat-hunting capabilities be achieved using existing tools;
- The key orchestration challenges;
- How to measure and benchmark orchestration success.
Raman has over 20 years of experience in information security services, with stints in product management, sales, marketing and business development. Before joining Cisco, he was the senior regional director, India and SAARC, at FireEye, and the global head of content delivery network and managed security services at Tata communications.
Relevance of SOAR
VARUN HARAN: Why is security orchestration, automation and response, or SOAR, and visibility, so critical in today's environment?
VISHAK RAMAN: As you know, the number of devices in the organization has multiplied. As a roaming employee, I used to carry one laptop; now I have five different devices that connect back to the corporate network. I carry a laptop, an iPad, a mobile and an internet dongle. The number of devices in the organization have grown at least four to five times, and we have seen unprecedented growth in terms of device proliferation within large organizations.
A second part of this is devices are getting a lot more intelligent. And anything that has a memory and a kernel to run is hackable. So, you need better visibility of what these devices are doing and what damage they can cause. Also, you need to know how to go about detecting those malicious devices and how to handle remediation and quarantining. A lot of automation is needed to achieve this.
That's the genesis of handling this complexity because each and every device is going to give a different alerting mechanism. The number of alerts is going up because the devices are going up. And as the devices are going up, their vulnerability gets increased. However, the resources available from a traditional incident response perspective remain finite. In a single day, what an L2 SOC analyst can see is completely finite: You cannot see 100 alerts and then go investigate them with four people. You need a huge piece of automation to actually have better visibility and orchestration around it.
HARAN: The need for automation and orchestration is clearly felt. Where do you feel organizations are falling short in the approach?
RAMAN: The real problem is to find that one valid, true positive and removing those hundreds of false positive alerts, which is like searching a needle in a haystack, and then make sure the remediation is applied to that. Reducing the noise and finding that real threat is becoming a problem, and I see the traditional SIEM tools adding more complexity - it's like a blinking Christmas tree all over the place but not helping organizations to actually automate security.
The traditional tools which have been there for a long time are actually not helping. In addition, you need a kind of a "Google search" for threats as well, where an organization can search for and look at indicators of compromise in their environment and then say, "Hey, I've seen this behavior, this IOC or this SHA value - I have seen it in this part of the globe. And this is where the threat actually emerges from."
There is no single dashboard because SIEM is just blinking like a Christmas tree, and there is no automated orchestration tool to give one single threat dashboard because we've got different consoles of detections, but there is no correlation and there's no searching and matching with global threat intelligence.
This is where organizations are falling short in their approach to automation and orchestration. You need to have a unified threat dashboard. You need to dipstick with your organization's IOC and mash it up with global threat intelligence, and also look at the different attack vectors. I see email; I see web. How do I connect the dots? Today, organizations don't have a single console to mash those up.
This is where the security complexity actually happens, because the threat vector is multivector and there is no single dashboard around it. And second, there is no global threat intelligence fed into an organization where they can match up different indicators of compromise and whether that is that being reflected in any other parts of the globe. Because attacks are not local; attacks are global. And you need to know what the TTPs of the global threat intelligence are and thread to your product. And the product needs to be intelligent enough to give you that hunting capability. This is where automation and orchestration are failing.
Fighting the Visibility Challenge
HARAN: So what can be done to tackle the visibility challenge in organizations today?
RAMAN: This is pretty basic. First, improve the visibility of what can be detected.
Let's say an organization has a router and a switch. How do you get visibility on your net flow details and baseline the net flow activity in such a way that you can really look at what is normal behavior and what is abnormal behavior? What is a week-end or a month-end invoicing spike, or is this this data exfiltration? Do you have that visibility?
It starts from basics, like what is happening on your endpoint. It starts with getting visibility of the endpoint. It starts with getting visibility of the network using net flows and a protocol like DNS.
You should start looking at visibility around all the contexts: network, endpoint, DNS, email, web and, most importantly today, the hybrid cloud: How do you improve visibility for hybrid cloud? Because today, workloads are no longer just on the premises.
The challenge of visibility is not just the attack vectors; hybrid cloud brings in an additional challenge of how do I know what's happening to my workload and who is accessing it? Is there a data loss prevention system that is actually working? What is happening on my user behavior in the hybrid cloud? Visibility is a far more important challenge, and all of it needs to connect for better visibility.
HARAN: Now that you have defined automation, orchestration and visibility and the need for it, what are some practical steps organizations can take when they're looking at evolving to this next-generation posture?
RAMAN: Look at deploying next-generation networks and visibility tools. That's something which is important for organizations to improve their visibility. It starts with reviewing very basic segmentation policy and implementing "first line of defense" tools that can scale, including cloud security platforms. Also, look at next-generation EDR monitoring tools and how do you contain a break from one segment to another segment whereby the lateral movement is arrested. And of course, how often do you do security policy review?
And most important is access to global threat intelligence. Does the product that I'm buying have better threat efficacy and have a better feed of global threat intelligence? Does it have a sample size which would help me to get my indicators of compromise within my global threat intelligence? This is where the journey of getting higher visibility and automation is leading.
HARAN: To conclude, what innovations in orchestration and automation are you looking forward to?
RAMAN: The biggest one is: How do you enable threat hunting capability back to your existing setup? I bought a network security product. I bought an email security product. I bought an endpoint. I bought a DNS security. I bought a web proxy solution. How do we get my threat-ending capability without spending a huge amount of money, whereby I can have an integrated view of my threat dashboard?
Organizations are looking for innovations for simplifying their security infrastructure, and they want to get more value out of the disparate investments, which they have made for many years. People don't just want to buy the next cool thing; they're clearly looking at how to solve visibility and control challenges with existing infrastructure. Because these infrastructures are being built over a period of time. And that's where I think organizations are making a mad rush towards API-driven security. How do I build more open APIs and make sure I am leveraging the existing infrastructure and not waiting for the next cool tool to come around? This is where I see the market is moving.