Orchestration is a popular buzzword in cyber security today. Like many buzzwords, there are often multiple definitions of the term out there and it can be overused at times. However, the reality of things is that in order to be in the best position to reduce adversary dwell time in your environment, you have to enable distributed teams to collaborate effectively and therefore have some form of “orchestration” in place. Orchestration is the junction where people, process and technology come together.
In order to be effective, you need to be able to bring multiple capabilities together in a timely fashion, namely:
Expertise – Expertise is the people who evaluate event data and determine whether it is true or not. Expertise may come from multiple teams, internal or external to the organization.
Contextual, Relevant, and Timely Data – Contextual and relevant data is data that has meaning: it has context as it relates to your organization. In its optimum form it also supports causal rather than merely correlative conclusions. While correlation certainly has its uses, causal data carries more weight when you need to forecast impact. Additionally, data value has a shelf life: the more time that passes, the more the value of that data is likely to diminish.
Automation – While automation is good, it only solves part of the problem. The goal of any automation should be to enable a human being to make better, more informed decisions. As an example, consider a DoD-centric process, the OODA Loop, which stands for Observe, Orient, Decide and Act. In simple terms the OODA loop is a learning system, a method for dealing with uncertainty, with a focus on winning head-to-head contests and competitions. The OODA loop helps you make “maneuver” decisions and take action. With good automation, you start to compress the “Orient” and “Decide” steps of the process.
In its recent 2019 Incident Response Survey, the SANS Institute highlights the need for better “orchestration” amongst teams, with a particular mention that time and resources are the largest barrier to success. The survey makes the following statement:
“..we’d ideally want to see IR and SOC in heavy communication, with cross-training and integration. Because these two teams form a strong methodology to threat detection, response and remediation, it is necessary that they are in constant contact…. Fortunately, approximately 65% of respondents indicated that their biggest hurdle right now is time and resources, not money. Granted, budget takes a close second at 51%”
Although organizations realize that they need better orchestration and communication across their teams, enabling it is in many cases easier said than done. It often requires a lot of work to get to the point of making things easier.
How can you improve orchestration in your organization?
As with any kind of change, we have to start by looking at what we’re currently doing and whether or not it works effectively. Here are some questions to consider when evaluating how orchestration happens in your current program:
- How do your teams collaborate? Are collaboration communications separate from the data under discussion? Do your teams find that they have to export the data in question into multiple formats and email it around, copy it into tickets, or put it on share drives in spreadsheets? Is email being used for “orchestration”? When was the last time you evaluated how collaboration really happens?
- How do you collaborate externally? How do you bring in outside expertise? Is that typically expensive outside expertise forced to travel to your location and consume data that sits in disparate formats and locations, increasing your cost? Are you sending sensitive data outbound and/or giving remote access to sensitive applications so you can be supported from a distance? Are the outside experts seeing what they need to see, and only what they need to see?
- When post-event analysis occurs (aka after-action reporting), do you find that the results of that event and the relevant data are stored in document and/or PDF format, never to be seen again? How do you know that a past event is not recurring? Your team spends an awful lot of time evaluating what is true and what is not, giving valuable insight into how well positioned you are. How are you retaining and reusing this valuable insight?
If you are finding that the answers to these questions are telling you that you have a lot of work to do, you are certainly not alone, as the SANS survey points out. We all start somewhere and, fortunately, new platforms like Avalon were built for this very purpose – optimizing analyst time and resources and supporting the organization in making decisions and taking action.
How can Avalon help?
As mentioned earlier, it’s all about reducing adversary dwell time in your environment. The faster you get contextual and relevant data in front of expertise, the faster that expertise can prove an event to be true or not. The faster the expertise can prove an event true or not, the faster the organization as a whole can make decisions and take action against that event.
Avalon enables orchestration to happen without placing any burden on the organization in the form of heavy integration and tuning. Because the platform was designed by analysts for analysts, it is built with their needs in mind. Analysts can easily create a workspace that pulls together relevant event data alongside collaboration tools. With this capability the organization can then invite internal and external expertise into the workspace to evaluate the situation at hand. Data and information can be evaluated, measured, ruled in or out, enriched, shared, collaborated on, visualized, integrated, reused, and preserved.