Automation and Orchestration (OBJ 4.7)

Automation

• Automatic execution of tasks without manual intervention
• Purpose
  • Consistency, efficiency, reduction of human error on complex tasks
• Example
  • Scripting repetitive tasks

Orchestration

• Coordinated execution of multiple automated tasks for a specific outcome or workflow
• Purpose
  • Ensures tasks work together harmoniously
• Example
  • Sequencing tasks in incident response

SOAR (Security Orchestration, Automation, and Response)

• Class of security tools for incident response, threat hunting, and security configurations
• Purpose
  • Orchestrate and automate runbooks, deliver data enrichment
• Example
  • Integrating SIEM and SOAR for advanced security capabilities
  • Integrates with SIEM and creates a next-generation SIEM
• SOAR's automation capabilities make it serve in incident response primarily
• Will give you the ability to scan security and threat data to be able to identify different things. You can then analyze it using Machine Learning, and then you can also automate the process of doing data enrichment to make sure that data inside SIEM is even more powerful for your analysts to use.
• Incident response may be performed immediately to provision resources

Playbook

• Checklist of actions for detecting and responding to a specific incident
• Role
  • Guides incident response processes
• Example
  • Steps for responding to a phishing campaign
  • Somebody clicking on a link in a phishing campaign, you might have steps one through five which says
    • "Go to the machine"
    • "Isolate it from he network"
    • "Do a virus scan to make sure they haven't infected themselves or anyone else"
    • "Check registry to make sure there's nothing in there for persistance"
    • "Back up all the user data"
    • "Re-install image and put data back on it"

Runbook

• Automated version of a playbook with defined interaction points for human analysis
• Role
  • Executes automated tasks with human decision points
• Example
  • Automated incident response with analyst decision points
  • Includes pauses for analysts to interact

Benefits of Automation and Orchestration

• Efficiency
  • Time-saving and consistent execution
• Standardization
  • Enforces baselines and standardized configurations
• Scalability
  • Scales securely and efficiently
• Employee Retention
  • Reduces repetitive tasks
• Reaction Time
  • Faster responses to incidents
• Workforce Multiplier
  • Maximizes human resources