Automation and orchestration are central to the proverbial cyber security dance between IT operations and the security operations center (SOC). Both functions need to work with each other and establish a rhythm and alignment to keep their organization protected from cyber threats. The lure to automate is driven by the desire to remove tedious and repetitive tasks and free up time for more strategic efforts. Orchestration brings technologies (security and non-security) together so they coordinate and work as one. Both ignite the dance to stomp out cyber attacks.
A misconception is that automation means replacing human work, but it’s quite the opposite. Organizations using automation for cyber security actually have more staffing (2019 SANS Automation & Integration Survey). This suggests the human eye and human intervention are still needed today to address core cyber security functions.
The impact automation is having on cybersecurity offers a perfect stage for IT operations and security operations to “tango”. Automation is a series of sequential tasks that sets the groundwork for orchestration of functions working together. A common use case is identifying a threat, triggering further investigation, and quarantining the device at the same time. It doesn’t really matter which security framework you use to assess what can be automated and orchestrated. Let’s talk about the top three requirements for automation that align with the steps called out in NIST’s Cyber Security Framework. These steps are designed to increase speed and productivity so the attack is resolved quickly and effectively.
Figure: Abbreviated NIST Cyber Security Framework (CSF)
SANS also weighed in on the risks of automation. Beyond the obvious risk of not having budget and resources, there is dependency on other IT operations processes and tools that can impede key processes, and there is a lack of integration standards across tools (e.g., the ability to interface systems and correlate data). This lack-of-integration concern can be dismissed on a couple of fronts: security tools with the necessary integrations, such as a Security Orchestration Automation Response (SOAR) tool that stitches security tools together for a distinct use case or “play”, and/or a security platform that integrates tools. Both approaches empower cybersecurity teams to present a highly effective united front, or dance, to win against the adversaries.
McAfee delivers both approaches. McAfee ePO is the highly acclaimed centralized management solution, and it is the key reason customers choose and stay with McAfee. McAfee ePO provides a central hub and common view for IT operations to enforce and protect, while allowing the SOC to investigate, triage and assess threats. It also offers automation of functions including identifying devices out of compliance, updating policy, identifying known threats, and quarantining a device. In addition, there are SOAR players that plug into the McAfee ecosystem for more advanced plays.
I had a chance to catch up with McAfee’s new Vice President of Platform Technologies on this topic and uncovered some news from McAfee.
“ePO is core to removing complexity from cybersecurity by offering a common access point to many security functions from McAfee or third-party providers. It is pivotal to McAfee’s integrated platform approach anchored by ePolicy Orchestrator (ePO) for central administration and context-aware operations with the Data Exchange Layer (DXL) for communication,” states Lana Knop, VP Platform Technologies. “This is the reason I came to McAfee. To deliver and build on the promise of Together is Power. We are happy to announce we will have a SOC option in MVISION ePO – our first SOAR offering is with Siemplify.”
To embolden this cybersecurity dance, MVISION ePO (the cloud-based ePO) has made available a SOC tab in the console that makes the first SOAR offering, Siemplify, easily available. This gives MVISION ePO customers the option to leverage SOAR capabilities at any time. You can imagine the range of SOC capabilities that McAfee and third parties could bring.
Here is a use case for Unknown File Execution that was presented at RSA 2020. It shows how the solutions work together from detection through investigation to response.
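The detect-investigate-respond chain described above (the "identify a threat, trigger investigation, quarantine the device" play and the Unknown File Execution use case) can be sketched as a small SOAR-style playbook. The following is an added example and not McAfee, ePO, DXL or Siemplify code: the reputation lookup, sandbox, quarantine and ticketing calls are hypothetical in-memory stubs standing in for whatever integrations a real platform exposes, and the sample hashes and verdicts are constructed. It goes a little beyond the text in two defender-relevant ways: containment is idempotent (a host is never "quarantined twice"), and automation stops short of high-impact actions on hosts tagged as critical, handing the decision to an analyst, which is the human intervention the survey passage above says is still needed.

```python
"""Minimal SOAR-style playbook for the "Unknown File Execution" use case.

Added example, not McAfee code. Every external call (reputation lookup,
sandbox detonation, host quarantine, ticketing) is a hypothetical stub.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known_good"
    KNOWN_BAD = "known_bad"
    UNKNOWN = "unknown"


@dataclass
class Alert:
    alert_id: str
    host: str
    sha256: str
    host_is_critical: bool = False  # e.g. a production server: quarantine needs a human


@dataclass
class PlaybookResult:
    alert_id: str
    verdict: Verdict
    quarantined: bool
    ticket_opened: bool
    approval_required: bool
    audit: list = field(default_factory=list)  # one line per playbook step, for review


# Constructed sample data standing in for a threat-intelligence reputation lookup.
REPUTATION_DB = {
    "aaaa" * 16: Verdict.KNOWN_GOOD,
    "bbbb" * 16: Verdict.KNOWN_BAD,
}

# Constructed sandbox verdicts keyed by hash; anything not listed stays UNKNOWN.
SANDBOX_DB = {
    "cccc" * 16: Verdict.KNOWN_BAD,
}


class Orchestrator:
    """Holds the state the playbook touches; a real deployment calls tools over APIs."""

    def __init__(self):
        self.quarantined_hosts = set()
        self.tickets = []

    # Detect: enrich the alert with what is already known (hypothetical lookup).
    def reputation(self, sha256):
        return REPUTATION_DB.get(sha256, Verdict.UNKNOWN)

    # Investigate: detonate only files that nobody has a verdict for.
    def sandbox(self, sha256):
        return SANDBOX_DB.get(sha256, Verdict.UNKNOWN)

    # Respond: idempotent containment; returns False if the host was already contained.
    def quarantine(self, host):
        if host in self.quarantined_hosts:
            return False
        self.quarantined_hosts.add(host)
        return True

    def open_ticket(self, alert, reason):
        self.tickets.append((alert.alert_id, reason))

    def run(self, alert):
        audit = [f"detect: alert {alert.alert_id} on {alert.host} hash {alert.sha256[:8]}"]
        verdict = self.reputation(alert.sha256)
        audit.append(f"enrich: reputation={verdict.value}")

        if verdict is Verdict.UNKNOWN:
            verdict = self.sandbox(alert.sha256)
            audit.append(f"investigate: sandbox={verdict.value}")

        quarantined = ticket = approval = False
        if verdict is Verdict.KNOWN_GOOD:
            audit.append("respond: known good, closing alert")
        elif alert.host_is_critical:
            # Automation stops short of high-impact actions; an analyst decides.
            approval = ticket = True
            self.open_ticket(alert, f"approval needed to quarantine critical host ({verdict.value})")
            audit.append("respond: critical host, escalated for analyst approval")
        else:
            quarantined = self.quarantine(alert.host)
            audit.append("respond: quarantined" if quarantined else "respond: already quarantined")
            if verdict is Verdict.UNKNOWN:
                ticket = True
                self.open_ticket(alert, "unknown file executed, analyst review required")
                audit.append("respond: unknown verdict, ticket opened for analyst review")
        return PlaybookResult(alert.alert_id, verdict, quarantined, ticket, approval, audit)


if __name__ == "__main__":
    orc = Orchestrator()
    for a in (Alert("A1", "ws-01", "aaaa" * 16), Alert("A2", "ws-02", "dddd" * 16),
              Alert("A3", "srv-01", "bbbb" * 16, host_is_critical=True)):
        print("\n".join(orc.run(a).audit))
```

The audit list is the part worth keeping in any real playbook: when a quarantine or escalation fires at 3 a.m., the SOC needs the step-by-step record of which verdict drove which action, and IT operations needs the same record to explain why a host dropped off the network.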
Here is your chance to construct your own “line dance” on an advanced integrated platform to accelerate your cybersecurity defenses!