Tips From the Trenches: Choosing a Security Orchestration Tool

Tips From the Trenches: Choosing a Security Orchestration Tool

Like most of our customers, we here at Code42 are constantly looking to enhance our efficiencies when it comes to security. As we use more technology in our environment, that means more log sources, more events and potentially more alerts. It also means we have more opportunities to gather information from disparate sources and put together a more complete picture of the events we do investigate.

Five ways security orchestration tools can help

To help simplify and automate those activities, we are turning towards security orchestration tools. There are many reasons to invest in an orchestration tool. But for us, the following five items are the most important:

  1. Case management: As our team has grown, delegating work and tracking who is working on what becomes increasingly important. An orchestration tool can ideally function as that single workspace for assigning, managing and closing tasks.
  2. Metrics: Closely related to the first item on our list, better management of workload can improve visibility into key metrics like SLAs, as well as make it easier to identify bottlenecks and improve efficiency in analyst workflows.
  3. Integration: We’re constantly testing and adding new security tools, so it’s critically important that an orchestration tool easily integrates with tools we not only are using now but also may add in the future. The less time we have to spend developing integrations, the more time we have for investigating anomalies.
  4. Automation: Of course, automation is the name of the game when it comes to an orchestration tool. Automation allows our team to dream up new ways to streamline data collection and enrichment. Automation also can find connections that we may miss when manually reviewing data.
  5. Value: Analyst time is always in short supply. When a tool does the first four things on this list well, it means our security team can spend less time on low-value work—and more time on important analysis tasks. The more a tool allows us to focus on analysis, the more value it brings to our team.

A page out of the Code42 security orchestration playbook

The right orchestration tool also will allow us to leverage our own Code42 application in exciting new ways. Here’s just one example from the Code42 orchestration playbook:

  • Step 1 – Automatically locate files: To determine the scope of an event and show us how many endpoints have a suspicious attachment, we can search for a specific MD5 hash using Code42 Forensic File Search.
  • Step 2 – Restore deleted files: In situations in which the original file has already been deleted, Code42 Backup + Restore allows us to automatically restore that file.
  • Step 3 – Investigate suspicious files: With all the suspicious files identified (and restored, if necessary), we can now conduct analysis via an orchestration tool—such as running it in a sandbox. Best of all, because we didn’t spend hours or days manually locating and restoring files, we can focus all our time on the critical analysis.

This really is just the tip of the iceberg when it comes to use cases for security orchestration tools—whether it’s leveraging Code42 functionality or any of our many other security tools. As we continue our investigation into security orchestration tools, we’ll share more useful integrations and some automation playbook ideas.

Stay tuned for more updates—and as always, happy threat hunting!