This entry is the first in a series that outlines key criteria to consider when evaluating Security Automation & Orchestration (SA&O) platforms.
Here at Phantom, we define security orchestration as “the machine-based coordination of a series of interdependent security actions across a complex infrastructure.”
Given this definition, it follows that one of the most important components of an SA&O platform is its Orchestrator. An orchestrator acts as a platform’s central nervous system. It directs and oversees all activities, from ingestion of security data, to complex decision making, to task execution, to interacting with analysts. To be optimally effective and efficient, an orchestrator should interface with almost every other major component of an SA&O platform.
The one thing you don’t want from an orchestrator, however, is a surprise. Above all else, an orchestration component should be predictable. Security Automation and Orchestration requires predictability in both normal operation and in failure situations. Without this predictability, your analysts are destined to endless hours of troubleshooting and trying to figure out “what happened” or, even worse, “what went wrong.” Implementing predictability touches multiple aspects of the platform, including error logging, resilient recovery, and prompting an analyst to augment decision making in an error-producing situation.
Another key thing to look for is a platform’s ability to ingest any data in any format. From connecting that old legacy system to future platforms that have not been built yet, the ability to adapt to new data sources is critically important. For example, the Phantom platform allows you to specify a data handler to parse new data formats. Successfully parsing incoming security data allows analysts and an SA&O platform to understand and make use of the data being ingested. This data may trigger additional playbooks or add context to a scenario that is critical to supporting complex automation logic.
This leads us to the third key area to examine during an evaluation: how an orchestrator implements decision making. For example, the Phantom platform uses digital playbooks that are built to Business Process Model and Notation (BPMN) standards. This allows complex decision-making logic to be coded into playbooks while maintaining readability and understanding for technical and business users alike. Supporting the ability to augment decision making with “human-in-the-loop” supervision, as well as other levels of human supervision such as “human-on-the-loop” and “human-out-of-the-loop,” in your decision-making logic also helps to drive the overall predictability of the platform.
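To make the three criteria above concrete (predictable failure handling, pluggable data handlers for new formats, and playbook decision logic with selectable levels of human supervision), here is a small toy orchestrator. It is an added illustration written for this post, not Phantom code and not Phantom’s playbook or handler API; the handler registry, the two constructed input formats (`json` and a key=value line), the supervision-mode constants, and the `approve` callback are all assumptions made for the example.

```python
"""Toy SA&O orchestrator core: pluggable data handlers, a playbook with
human-in/on/out-of-the-loop supervision, and failure paths that are logged
and surfaced to an analyst instead of raising. Constructed example only."""
import json
import logging
from typing import Callable, Dict

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("orchestrator")

# Registry of data handlers: format name -> parser producing a normalized event.
# Adding support for a new source means registering one more function here.
HANDLERS: Dict[str, Callable[[str], dict]] = {}


def handler(fmt: str):
    """Decorator that registers a parser for the named format (hypothetical API)."""
    def register(fn):
        HANDLERS[fmt] = fn
        return fn
    return register


@handler("json")
def parse_json(raw: str) -> dict:
    d = json.loads(raw)
    return {"src_ip": d["src"], "severity": d["sev"], "source": "json"}


@handler("kv")
def parse_kv(raw: str) -> dict:
    # Constructed legacy format: whitespace-separated key=value pairs.
    fields = dict(tok.split("=", 1) for tok in raw.split())
    return {"src_ip": fields["src"], "severity": fields["sev"], "source": "kv"}


def ingest(fmt: str, raw: str) -> dict:
    """Dispatch to the registered handler. Unknown formats and parse failures
    are logged and returned as a structured error event, never raised, so the
    playbook always receives something it knows how to handle."""
    fn = HANDLERS.get(fmt)
    if fn is None:
        log.error("no data handler registered for format %r", fmt)
        return {"error": f"unknown format {fmt}"}
    try:
        return fn(raw)
    except (KeyError, ValueError) as exc:  # JSONDecodeError is a ValueError
        log.error("handler %r failed on %r: %s", fmt, raw, exc)
        return {"error": f"parse failure: {exc}"}


# Supervision modes (names follow the post; values are constructed).
HUMAN_IN_THE_LOOP = "in"      # action waits for explicit analyst approval
HUMAN_ON_THE_LOOP = "on"      # action runs; analyst is notified and can intervene
HUMAN_OUT_OF_THE_LOOP = "out"  # fully automated


def run_playbook(event: dict, mode: str, approve: Callable[[str], bool]) -> dict:
    """Decision logic: high severity -> block the source, otherwise enrich only.
    Every path appends to an audit record so the outcome is inspectable."""
    audit = {"event": event, "mode": mode, "actions": []}
    if "error" in event:
        # Predictable failure handling: hand the problem to a person.
        audit["actions"].append(("prompt_analyst", event["error"]))
        return audit
    if event["severity"] != "high":
        audit["actions"].append(("enrich", event["src_ip"]))
        return audit
    block = ("block_ip", event["src_ip"])
    if mode == HUMAN_IN_THE_LOOP:
        if approve(f"block {event['src_ip']}?"):
            audit["actions"].append(block)
        else:
            audit["actions"].append(("declined", event["src_ip"]))
    elif mode == HUMAN_ON_THE_LOOP:
        audit["actions"].append(block)
        audit["actions"].append(("notify_analyst", event["src_ip"]))
    else:
        audit["actions"].append(block)
    return audit


if __name__ == "__main__":
    # Constructed sample inputs, one per registered format plus two failure cases.
    for fmt, raw in [("json", '{"src": "10.0.0.5", "sev": "high"}'),
                     ("kv", "src=10.0.0.6 sev=low"),
                     ("xml", "<alert/>"),
                     ("json", "{not json")]:
        event = ingest(fmt, raw)
        print(run_playbook(event, HUMAN_IN_THE_LOOP, approve=lambda q: False))
```

The `ingest` function never lets a bad record escape as an exception; the orchestrator logs it and the playbook turns it into a `prompt_analyst` action, which is the “resilient recovery plus analyst prompt” behaviour the predictability criterion calls for. Changing `mode` changes only the supervision step, not the decision logic, so the same playbook can be reviewed by technical and business users regardless of how much human oversight is configured.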
This blog entry has touched on three key criteria of an Orchestrator to consider when evaluating SA&O platforms. There are additional criteria to consider across several areas:
- Data Ingestion
- Decision Making
- Task Execution
- Human Supervision
- Data Management
- Fault Tolerance
We invite you to learn more about the Orchestrator criteria above by downloading the Phantom white paper, A Buyer’s Guide to Security Automation and Orchestration Platforms. The guide explores these additional criteria for the orchestrator component, as well as the other key components, attributes, and considerations that you should evaluate as you compare SA&O platforms.
Download the guide today.
Director, Product Marketing