Is your CSIRT team facing too many security alerts? Does your SOC have various security products that are jumbled together? Are you worried about setting the sensitivity of each product? How should a severity level be assigned to each imminent incident? These questions are hard for today's security professionals to answer. However, security orchestration plays a crucial role in helping experts address them.
As a matter of fact, manually managing the results produced by numerous security products is a difficult and time-consuming task. In addition, the event data each product produces can differ in format and content from one product to the next.
Another problem associated with too many security products is setting their level of sensitivity. If sensitivity is too high, the product may generate too many false positives. On the other hand, setting a low level of sensitivity may cause the product to miss even the most serious incidents. Therefore, deciding the level of sensitivity for each product is a challenging task.
How Does Security Orchestration Help to Automate Incident Severity Assignment?
The CSIRT team can classify incidents by severity level, typically using "SEV" levels (e.g., SEV-1, SEV-2, SEV-3). The higher the number, the more serious the incident is. The severity level of each incident can be different. For example, some incidents may be less severe and cause less damage to the organization. On the contrary, other incidents may be very severe and trigger huge penalties and reputational damage; examples include GDPR penalties and the theft of employees' sensitive information.
To address false positives, manage various security products, and assign a severity to each incident, a security orchestration playbook comes into play. The security orchestration playbook not only saves analysts' time but also ensures the accuracy of incident severity assignment.
Instead of opening multiple tabs and performing many actions manually, a security orchestration playbook lets you use the strengths of each product by automatically assigning severity to forthcoming incidents. The following figure shows the complete working of the playbook in this regard.
Figure 1: Flowchart: How Security Orchestration Playbook Automates Incident Severity Assignment
First and foremost, the playbook checks whether the existing product records a severity level for the incident. If a severity level is found, the playbook assigns severity according to the product's score. If that condition is not met, the playbook checks whether any IoC (Indicator of Compromise) from the incident exists on any endpoint; the severity level can also be assigned based on IoCs. If there is no IoC either, the final step is to compare the incident against those listed in the blacklist. If the incident is found in the list, a severity level is assigned. Otherwise, the playbook closes the incident.
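To make the four-step decision chain concrete, here is an added Python example (not code from the article or from any SOAR product) that runs the playbook logic over constructed incident data. The score-to-SEV buckets, the SEV levels chosen for endpoint-IoC and blacklist hits, and the sample hosts and indicators are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample telemetry (not from the article): hostname -> indicators
# observed on that endpoint by the EDR.
ENDPOINT_IOCS = {
    "ws-017": {"c2.example.test", "44d88612fea8a8f36de82e1278abb02f"},
    "ws-042": set(),
}
# Constructed organisational blacklist of known-bad indicators.
BLACKLIST = {"198.51.100.23", "bad-domain.example.test"}


@dataclass
class Incident:
    id: str
    source_product: str
    product_severity: Optional[int]          # score the product reported, if any
    indicators: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)


def sev_from_product_score(score: int) -> str:
    # Assumed bucketing of a 1-10 product score; per the article's convention,
    # a higher SEV number means a more serious incident.
    if score >= 8:
        return "SEV-3"
    if score >= 4:
        return "SEV-2"
    return "SEV-1"


def assign_severity(inc: Incident) -> Tuple[str, str]:
    """Return (severity, reason); severity is 'CLOSED' when no step matches."""
    # Step 1: if the product recorded its own severity, map that score to a SEV.
    if inc.product_severity is not None:
        return sev_from_product_score(inc.product_severity), "product score"
    # Step 2: is any of the incident's indicators present on an endpoint?
    for host in inc.hosts:
        hits = ENDPOINT_IOCS.get(host, set()).intersection(inc.indicators)
        if hits:
            return "SEV-3", f"IoC {sorted(hits)[0]} present on {host}"
    # Step 3: is any indicator on the organisation's blacklist?
    listed = BLACKLIST.intersection(inc.indicators)
    if listed:
        return "SEV-2", f"indicator {sorted(listed)[0]} is blacklisted"
    # Step 4: nothing matched, so the playbook closes the incident.
    return "CLOSED", "no product score, endpoint IoC or blacklist match"
```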