RSA 2019: SOAR with AT&T Cybersecurity and Dark Reading
Terry Sweeney - Contributing Editor, Dark Reading
Sanjay Ramnath - Associate Vice President, Product Marketing, AT&T Cybersecurity
Terry Sweeney: Welcome back to the Dark Reading News Desk. We’re here at the RSA Conference in San Francisco. I’m Terry Sweeney, contributing editor at Dark Reading and I’m delighted today to be joined by Sanjay Ramnath, vice president of product marketing at AT&T Cybersecurity. Sanjay, thanks so much for joining us today.
Sanjay Ramnath: Thanks so much for having me.
Terry Sweeney: This trend of SOAR, security orchestration, automation and response, is generating lots of buzz both here at RSA and among InfoSec professionals as well. Kick us off by explaining what SOAR is and how the companies that use it benefit from it.
Sanjay Ramnath: SOAR is a term that was coined by Gartner. SOAR is really a collection of technologies and processes that aim to solve three problems.
I think the first problem that the SOAR framework aims to solve is: How do you stay ahead of this constantly evolving threat landscape? How do you stay ahead of a rapidly changing network while the modern attack surface continues to expand and network perimeters vanish? You have hybrid environments with on-premises and cloud assets. So one of the core tenets of SOAR is aggregating data, aggregating both threat data and intelligence and also network visibility on a single platform, so all the downstream operational decisions around security can be fed with this stream of intelligence and data.
The second problem that SOAR addresses is complexity in the security ecosystem and infrastructure itself. When you have a really large number of point solutions and products that protect specific threat vectors, you have two issues. One is you have a management problem: how do you constantly switch contexts across these different solutions? You also have a problem of too much data and what is called alert fatigue. The SOAR approach attempts to solve this by automating some of the more mundane, resource-intensive, human-intensive tasks like data analysis and correlation, so the security operations teams can be a lot more effective and they don’t get distracted by the noise. They actually focus on what’s important.
The third thing that SOAR addresses is incident response. What do you do when an incident happens? What do you do when your network is intruded upon? Do you have the right processes? Do you have the right workflows in place? Do you have the right data for investigations? SOAR brings all of these together. So SOAR is not a single technology or a single product, it’s really a concept or a framework that brings detection, automation, response, orchestration, intelligence and all of that all together under a common set of terminologies.
Terry Sweeney: That’s really helpful and I’m glad you mention automation. It seems like given the volumes of information that have to be analyzed, this is an essential piece of SOAR. Talk a bit more about why it’s critical to have in combating today’s security issues.
Sanjay Ramnath: You’re never going to have enough resources, bandwidth, and skills in security to stay ahead of the cyber criminals and the threat landscape. So I think applying automation where it makes sense really helps streamline security operations. As I mentioned earlier, applying automation in terms of taking this really vast amount of data, threat data, and converting that into actionable, tactical threat intelligence is the place where techniques and learning can really help. Automation is not the be-all and end-all to everything, but it can definitely make the human components more efficient. So if you have human researchers, feeding them a curated set of data that has been run through some automated algorithms makes their jobs a lot easier. Similarly on the operations side, once you have visibility into your network, once you have the threat intelligence, the process of correlating that, the process of actually taking that data and converting it into alerts, of making that data so that your human element, the security practitioners, can quickly take action against the data, automation can help there as well. So rather than trying to wade through the data itself they can focus on the outcome, and they can focus on the response and actions. Then last but not least, in terms of responding to the breaches, responding to incidents, that’s another place automation can help, so the low-hanging fruit, if you will. If you can automate the response actions around that, your human capital, your human resources are free to go address the much bigger problems, where they really have to apply their expertise.
Terry Sweeney: That makes total sense, thanks. So, security information and event management, or SIEM, and SOAR: these two acronyms often get used interchangeably, which isn’t completely accurate. Talk about how SIEM and SOAR are different.
Sanjay Ramnath: SIEM is about collecting data and providing a set of tools to manipulate and act on the data. SOAR is about taking SIEM but then also adding the right processes, the right incident response mechanisms, so you can do more with the data. SOAR is a superset in a sense. What you consider SIEM and log management, data management is part of the value chain that SOAR attempts to address.
Terry Sweeney: Talk a bit about how AT&T Cybersecurity has applied SOAR principles to the products and services that it offers.
Sanjay Ramnath: Sure. So AT&T Cybersecurity’s value proposition is three-fold.
The first pillar to our value proposition is this concept of threat intelligence, phenomenal threat intelligence as we call it. And the way we drive that is through Alien Labs. We gather threat data from a number of different sources. We have one of the world’s largest crowd-sourced threat intelligence, threat data portals; it’s called Open Threat Exchange. We have the massive visibility and scale of the AT&T network infrastructure itself, and we have a team of researchers, and automation and machine learning, where we can take this really large canvas of diverse data across a number of vectors and convert that into very actionable, tactical threat intelligence. Then we feed that threat intelligence into our platforms, into our security operations teams. So that’s the first tenet. And as I mentioned, a big part of SOAR is automating the process of gathering threat data and converting that threat data into threat intelligence. So it’s a core part of what we provide.
The second pillar to our value proposition is this concept of collaborative defense. One of the founding principles for AT&T Cybersecurity is that no single security vendor or no single organization can fight cyber crime on their own. It’s a collective effort. So we’ve invested in bringing together, in integrating best-of-breed solutions, but then adding the right layer of services, consulting, managed services over that so they can work better together. So the concept of integration, in terms of getting crowd-sourced threat data and also in terms of bringing an ecosystem of security solutions together and making them work as a unified whole, is an important part of this, and that’s another element of SOAR: the concept of orchestration and automation and making sure that your operations can be more streamlined.
The last pillar that we provide is this concept of security without the seams. Which is the realization that most breaches today don’t happen because any little piece of technology failed. It’s not because you don’t have a firewall or because you don’t have an email gateway. What your attackers are able to do effectively is exploit the seams in the security infrastructure, the gaps, the complexity. You have a lot of products, you have a lot of management interfaces, you have a lot of surfaces, on-premises and cloud and SaaS and so on. So seamlessly, or virtually seamlessly, integrating and orchestrating people, process, and technology, doing that in a software-defined way with a platform that can abstract, integrate, orchestrate across those different components is part of the value proposition. So if you look at the AT&T portfolio today, we have Cybersecurity Consulting to help our customers understand their risk profiles, understand their vulnerabilities, plan their security posture. We have Managed Security Services so we can manage everything from firewalls to web gateways, to email gateways, application security and endpoints and mobile and so on. And we have a software-defined platform for threat detection and incident response, which acts as the foundation for everything else we do. And then all of this is fed through the threat intelligence that we generate through the Alien Labs framework. So our brand promise implements a lot of the concepts that SOAR is advocating.
Terry Sweeney: Security staffing is, as we know, an ongoing headache for end user organizations. The talent crunch for information security is tight and not going to change anytime soon. SOAR purports to ease some of these staffing challenges. Automation is one piece of it. Talk a little bit about where SOAR can help free up staff to do other things as well.
Sanjay Ramnath: One of the key benefits of SOAR is in streamlining operations and really helping organizations do more with less, and I think there are a couple of different aspects to this. Automation really helps to streamline and curate data so as a security practitioner, as a SecOps team, you only see what is really important. So, for example, one of the things that we provide on our Unified Security Management, USM, platform is, we take the data from the network, we take the threat intelligence and then correlate that and start qualifying alerts and ranking them, so when a practitioner looks at the dashboard, all they’re seeing are things that are really important. They have a sense of how severe the alert is, they have a sense of the metadata they need to investigate those incidents further, so their job becomes a lot easier. It’s more intelligence and data driven rather than throwing raw data at them and letting them do the work. And then the other area where I think SOAR really helps with the security operations problem is around response automation, around orchestrating breach responses. The other aspect of that is response automation. Can you quickly create a firewall rule to block a certain IP or quarantine a certain endpoint? Can you quickly create a rule to block a certain URL or web proxy, and can you do all of this from one place, from one pane of glass, so you don’t have to deal with multiple user interfaces? So that’s an aspect to helping streamline the operations part of it. The third aspect is around streamlining the communication, providing reports, providing dashboards, providing as much aggregation as possible in the dashboard so you can have one pane of glass where you can get a view of your entire environment, your security posture, your assets and so on. So again, you can do more with that small team of people.
Terry Sweeney: Bringing intelligence both to the work priorities and also the workflows themselves. Context, the indicators, the potential virulence of a piece of malware for example. Talk a bit about how threat intel gets integrated into SOAR.
Sanjay Ramnath: Threat intelligence feeds detection platforms, threat intelligence feeds data analysis platforms, threat intelligence can feed security operations teams: teams that look at the alerts and have to take actions, and have to decide whether a certain incident is more severe than another. So intelligence can feed that as well. So I think threat intelligence is a foundational element to everything that goes above it in the stack, from the platform, to the automation, to the orchestration, to the services and the whole SecOps stack.
Terry Sweeney: Which really makes SOAR appropriate for companies of all sizes?
Sanjay Ramnath: I think so. The concept of SOAR I think is appropriate for companies of all sizes. How you choose to implement it depends on the size of the company, the vertical, which stage in the security lifecycle you are in. But as a blueprint, if you will, the basic tenets that SOAR advocates and the problems that SOAR is trying to solve, I think, apply to organizations of pretty much any size.
Terry Sweeney: Great. Those are some great insights there Sanjay, thank you so much.