If government IT and security teams appear to be in a perpetual state of stress these days, it’s understandable: They’re under constant pressure to defend an ever-expanding attack surface created by the cloud, mobility/Bring Your Own Device (BYOD), the Internet of Things (IoT) and other trends and innovations. At the same time, cyber adversaries keep coming up with “new tricks” to compromise data, devices and systems with more volume and velocity. And it doesn’t help that agencies must effectively respond to all of this while dealing with limited available budgeting and personnel.
Indeed, the cybersecurity environment has shifted dramatically in recent years, and that means yesterday’s tools and approaches – especially those which rely upon manual and/or siloed processes – will no longer suffice. In seeking new strategies and solutions to successfully address modern challenges, teams are increasingly turning to what’s known as “security orchestration.”
Security orchestration is about integrating and automating the entire cybersecurity ecosystem of enforcement and information-gathering products, so IT teams can protect networks, systems and devices with unified, holistic visibility. It often incorporates advancements in automation, artificial intelligence (AI) and machine learning (ML) as part of its solution portfolio and strategic execution plan.
Investment in this approach is producing tangible, bottom line-impacting results: Three of five IT and cybersecurity professionals feel that an executed orchestration strategy (one which includes automation, ML and AI) strengthens their cyber resilience, according to research from the Ponemon Institute and IBM. Orchestrated incident responses can save organizations an average of $1.5 million in data breach costs. Within the federal government, orchestration has reduced the time required for cloud service providers to achieve FedRAMP “authority to operate” from 12 to 18 months to as little as six months.
That said, the adoption of these tools and practices remains somewhat tentative: Just one-fifth of organizations are “extensively” deploying technologies for security orchestration, but two-fifths are doing so on a limited basis, according to research from Enterprise Strategy Group (ESG). This is generally consistent with a forecast from Gartner indicating that, by the end of 2020, three of ten organizations with a security team larger than five people will leverage what are known as security orchestration, automation and response (SOAR) tools.
As for the intended outcomes of orchestration, 35 percent of IT and cybersecurity professionals would like to integrate external threat intelligence with internal security data collection and analysis; 30 percent want to expand the functionality of existing tools; 29 percent hope to automate basic remediation tasks; and 28 percent would seek to correlate and contextualize data from two or more tools, according to the ESG research.
Clearly, the potential benefits are immense for government customers. But agency IT/security team leaders may face pushback in getting approval for implementation. With this in mind, here are four likely, tough questions they’ll encounter along the way from budget decision-makers and other key influencers – and how they can effectively respond in making the case for orchestration:
The question: I have no idea what orchestration is… There are so many tech buzzwords out there. Isn’t this just another one of them?
The response: Yes, there are plenty of tech buzzwords. But “cloud” was once considered a buzzword too, and now enterprises universally deploy the cloud. Similarly, we expect orchestration to distinguish its value from the other heavily promoted tools and approaches and emerge as a mainstream, widely adopted strategy. Through pilot programs and testing, we can demonstrate how it enables our security teams to “see” – within a single point of view – all of the activity impacting devices, networks and data, and then immediately resolve the biggest and most potentially damaging threats first.
The question: Like every agency in the federal government, we’re struggling with budget constraints. How can you justify this investment?
The response: Orchestration is all about cost savings, i.e. “doing more with less.” The automation, AI and ML core components greatly boost efficiencies, and free up thinly stretched, frazzled IT/security team members from tedious, time-consuming manual processes. This means we will not only work “smarter, not harder,” but we will improve retention levels, which is badly needed: One-quarter of security employees and managers leave their jobs within two years, and two-thirds leave within four years.
The question: We need to see some use cases in the federal space before we can justify anything like this. What do you have for us to look at?
The response: Even if the term “orchestration” isn’t used, it’s clear that there have been major government projects which are leveraging its core components. The Department of Homeland Security’s “EINSTEIN,” for example, is a cyberattack detection and blocking system which uses the situational awareness gained from one agency’s threat information to inform and defend other agencies governmentwide. Through its “AI Next” campaign, the Defense Advanced Research Projects Agency (DARPA) is investing $2 billion to automate critical Department of Defense (DoD) business processes, including the real-time analysis of sophisticated cyberattacks. To establish standardized security approaches in the cloud, the Federal Risk and Authorization Management Program (FedRAMP) and the National Institute of Standards and Technology (NIST) promote security standards that call for increased automation and near real-time data in continuous monitoring solutions.
As these use cases report positive qualitative and quantitative results, we fully expect to see more agencies moving forward with additional significant projects.
The question: How are we supposed to implement all of this? We do not have the required expertise and skills in house.
The response: There are qualified security companies out there that can help us complete implementation. We must be careful, however, to avoid “one-size-fits-all” vendors who do not have government experience. These vendors may say, “All orchestration initiatives are the same, whether for a federal customer or a business.” But this is not true. That’s why we should limit candidates to those with not only solid orchestration credentialing, but a proven track record of working with agencies like ours. The winning candidate should command an in-depth understanding of our specific IT environment, mission, goals and challenges.
When it comes to the modern attack surface, we can’t put the genie back in the bottle. Agencies will continue to invest in mobility, the cloud, IoT and other innovations, and subsequently increase their risk of exposure. But by transforming all of the cybersecurity ecosystem “parts” into an entirely integrated “whole” – with a single view of everything, and automated threat intelligence and response – federal IT/cybersecurity teams can greatly diminish the potential for compromises, no matter what kind of “new tricks” the bad guys have in store. That should go a long way in reducing stress for those team members – and everyone else.
Robert Schofield is director of Enterprise Solutions for NetCentrics.