All Together Now: AI-Powered Security Orchestration Delivers Significant Benefits

Security orchestration is shaking up the cybersecurity world. The reason: When conducted carefully, it can deliver greater speed, accuracy and confidence.

It’s a familiar tune, with a twist. In today’s fast-paced digital world, there’s an ever-growing demand for cybersecurity to become more automated, integrated and accelerated. Now, industry stakeholders like Donnelley Financial Solutions (DFIN) are responding with security orchestration — a shift in the application of technology that allows security tools to work together seamlessly as an independent system, with minimal human involvement.

“We’ve been working to responsibly and effectively incorporate security orchestration into our own cybersecurity strategy to automate threat response,” says Dannie Combs, chief information security officer at DFIN. “It will enable us to bring greater accuracy to our defense system and glean invaluable intelligence from vast amounts of data.”

Security Orchestration, Simplified

As Combs explains, there are three main elements that must come together to create a strong security orchestration ecosystem:

  • The security orchestration and mitigation engine – This is software that is constantly scanning its environment, equipped with pre-programmed rules, flags and approved responses that it will apply when reacting to a potential threat. Cybersecurity professionals carefully program this AI-powered platform, defining scenarios that the system should monitor and outlining how it should respond, depending on the nature of the threat.
  • The Security Incident Event Management Platform (SIEM) – This is a hub that gathers, organizes and logs an organization’s digital assets, including devices, applications and data. It stores all that information in one place, and can crystallize big data into insightful reports — quickly. It’s a digital warehouse that security teams can run queries against and easily search when looking for insights, trends or the presence of a threat in the network.
  • Threat intelligence repository – This is a pool of external intelligence feeds that are monitored by the security team, who receive dynamic data and real-time updates about security threats. These feeds come from a variety of global partners, including commercial sources and the federal government. For example, an organization might raise an alarm across the network that a specific IP address tried to hack into its defenses.

When an organization’s security team receives relevant information about a threat from the intelligence feeds, it plugs that information into the SIEM, which holds logs from every device in the system. If the SIEM locates that threat anywhere in the network, it triggers an alarm. The security team receives that alarm, but so does the security orchestration automation engine, which immediately implements the pre-approved response for that type of scenario, such as blocking all future traffic from that source.

Easing Into Automated Mitigation

A properly built security orchestration system can process credentials faster than a human team ever could. It can also monitor a wider set of users and data while operating with greater accuracy.

“We’re now actively making use of the threat intelligence systems, as well as the SIEM platform at DFIN,” Combs explains.

According to Combs, when setting up the security orchestration automation piece, programmers need to be very thoughtful and cautious. Intense testing should take place to ensure the scenario mitigation steps won’t block legitimate traffic or disrupt the client experience in any way.
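The loop described above (intelligence feed in, SIEM search, pre-approved response out) and the caution about not blocking legitimate traffic can both be seen in a small script. The following is an added illustration written for this page, not DFIN’s code or any vendor’s product; the feed format, the key=value firewall log lines, the playbook table, the partner allowlist range and the `block_ip` placeholder are all constructed assumptions.

```python
"""Minimal security-orchestration loop: threat-intel indicator -> SIEM search -> approved response.

Added illustration for this article, not DFIN's code. The feed format, log format,
playbook rules, allowlist and enforcement call below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed threat-intelligence feed entries (the format is an assumption for this example).
THREAT_FEED = [
    {"type": "ip", "value": "203.0.113.45", "confidence": 90, "source": "isac-feed"},
    {"type": "ip", "value": "198.51.100.7", "confidence": 40, "source": "osint"},
    {"type": "ip", "value": "192.0.2.10", "confidence": 95, "source": "isac-feed"},
    {"type": "ip", "value": "198.51.100.200", "confidence": 99, "source": "isac-feed"},
]

# Constructed firewall events as they might sit in the SIEM (key=value layout is an assumption).
SIEM_LOGS = [
    "2024-05-01T10:00:01Z fw01 src=203.0.113.45 dst=10.0.0.5 dport=443 action=allow",
    "2024-05-01T10:00:02Z fw01 src=10.0.0.9 dst=10.0.0.5 dport=22 action=allow",
    "2024-05-01T10:00:03Z fw01 src=198.51.100.7 dst=10.0.0.8 dport=80 action=allow",
    "2024-05-01T10:00:04Z fw02 src=198.51.100.200 dst=10.0.0.8 dport=443 action=allow",
]

# Sources the engine must never block on its own (an assumed business-partner range).
ALLOWLIST = [ipaddress.ip_network("198.51.100.192/28")]

# Pre-approved responses keyed by indicator type; a low-confidence hit only notifies an analyst.
MIN_AUTOBLOCK_CONFIDENCE = 75
PLAYBOOK = {"ip": "block_ip"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict; timestamp and host get fixed keys."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"], fields["host"] = ts, host
    return fields


def search_siem(logs, indicator):
    """Return the SIEM events whose source address equals the indicator value."""
    return [e for e in map(parse_event, logs) if e.get("src") == indicator["value"]]


def is_allowlisted(value):
    addr = ipaddress.ip_address(value)
    return any(addr in net for net in ALLOWLIST)


@dataclass
class Action:
    indicator: str
    decision: str           # block_ip | notify_only | skipped_allowlisted
    executed: bool
    evidence: list = field(default_factory=list)   # timestamps of the matching events


def block_ip(value):
    """Placeholder for the enforcement call (e.g. a firewall API); assumed, not a real API."""
    print(f"[enforce] blocking {value}")


def orchestrate(feed, logs, dry_run=True):
    """Run every indicator through the SIEM and queue the approved response for each hit.

    dry_run=True records what *would* happen without touching enforcement devices,
    which is how mitigation steps are tested before they are allowed to go live.
    """
    actions = []
    for ind in feed:
        hits = search_siem(logs, ind)
        if not hits:
            continue  # threat not present in the network: nothing to do
        if is_allowlisted(ind["value"]):
            decision = "skipped_allowlisted"
        elif ind["confidence"] < MIN_AUTOBLOCK_CONFIDENCE:
            decision = "notify_only"
        else:
            decision = PLAYBOOK[ind["type"]]
        executed = decision == "block_ip" and not dry_run
        if executed:
            block_ip(ind["value"])
        actions.append(Action(ind["value"], decision, executed, [h["ts"] for h in hits]))
    return actions


if __name__ == "__main__":
    for action in orchestrate(THREAT_FEED, SIEM_LOGS, dry_run=True):
        print(action)
```

Run as-is, the script stays in dry-run mode and only reports what it would have done; the allowlist and confidence threshold are the two guardrails that keep a bad feed entry from cutting off a partner or a client, and every decision carries the SIEM evidence that justified it so an analyst can review the run before `dry_run` is switched off.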

“Our own cybersecurity team has started using automated mitigation and is working hard to expand it across most of our technologies,” Combs adds. “We’ve also been building strategic relationships with organizations that are security experts in the risk, compliance and financial world.”

As an example, Combs says that DFIN keeps a close eye on the threat intelligence feed from the Financial Services Information Sharing and Analysis Center, or FS-ISAC. This non-profit organization compiles threat intelligence for the financial services sector and sends alerts and analyses to partners worldwide.

This community support, he says, partnered with new intelligent technologies, allows DFIN to offer greater peace of mind to clients.

“It reduces the time needed to address threats, and enables us to run a leaner, much more cost-effective security team, because they’re not addressing the ‘white noise,’ or small issues.”

Indeed, with a strong security orchestration system in place, human experts can focus on other complex, critical matters, while the artificial intelligence keeps things running smoothly in the background.