LogRhythm
By Chris Petersen, Chief Product & Technology Officer, Co-Founder, LogRhythm
Security operations (SecOps) teams today are challenged with both getting the right staff and the right amount of staff. Most organizations are now just beginning to shift from a prevention-centric orientation1 to a detection and response-centric orientation. In this process, organizations have to rethink their security strategy. It can take years for an organization to reallocate their staffing mix.
Assuming that companies can reallocate their staff mix and open up positions to support more of the internal SecOps analysts and incident responders, there's also the challenge of being able to find and retain skilled people in a market where there is a profound shortage.
SecOps teams are dealing with serious resource constraints — and at the same time, they are under increasing fire from threat actors.
Companies have invested in a plethora of security technologies, and those technologies raise thousands, if not tens of thousands, of alarms daily. Security teams are left to determine which alarms are real and which are false positives — creating organizational alarm fatigue.
Adding to this fatigue is the fact that analysts must often triage these alarms across five or six products. It's a lot to ask of any team to master six different products. Getting the complete picture requires the analyst to manually pull together different data silos—halting their productivity.
Do More, Faster with Security Automation Orchestration
Security automation and orchestration has become a bit of a buzzword in the security space. SAO helps a SecOps team realize a very quick return on investment by providing technology-and automation-enabled workflows that accelerate threat qualification and investigation capabilities.
Case Management facilities provide a place where analysts and incident responders can quickly and efficiently collaborate. Integrated playbooks provide standard procedures and access to automation within the natural workflow of the SecOps team. These capabilities can increase productivity and ensure threats don't slip through the cracks.
Choosing a SAO Platform
There are a few things you should consider when you are evaluating a SAO platform. First, look for a product with a test harness. Make sure you can test automated actions and scripts before they are implemented in production. Second, look for capabilities such as multi-party approval where actions can only be initiated by multiple people, interdepartmentally.
Because automation affects changes in the IT environment, buy-in from IT stakeholders is critical as the security team is now affecting IT-level changes. Not achieving buy-in from your IT organization will be your biggest SAO adoption risk.
The cost of integration is another important element to consider when selecting a SAO platform. Ultimately, the value that SAO is going to enable and automate will be delivered with data from and through other systems. For a stand-alone SAO solution, events are probably going to be coming from a SIEM.
Ultimately, SAO can help streamline your SecOps' team's ability to detect and respond to threats faster and save your team some sanity in their day-to-day through streamlined workflows and playbooks for automated response actions.
To see LogRhythm SAO in action, watch our on-demand demo!