Intent-Based Cyber Orchestration

I had occasion several years ago to enjoy a wonderful presentation in Dallas by Maestro Roger Nierenberg, former Music Director at the Stamford and Jacksonville Symphonies. The Maestro offered a stunning display of how a conductor harnesses the dynamics of an orchestra, and he drew analogies to the tenets of leadership. (And yes, while he was on stage, I was probably the only participant wondering how this might be applied to cyber.)

Fast forward, and I see my friends (?) at Gartner coining yet-another acronym called SOAR, which I am told stands for Security Orchestration, Automation, and Response. Setting aside the question of why you need the R at the end, I am pleased that they’re thinking along these lines. I firmly believe that security orchestration is the most underestimated and ignored obligations in the modern enterprise. And the challenge grows worse with cloud.

I was thinking about orchestration (and humming Nierenberg’s Mendelssohn Symphony No. 5) while chatting with the principals of cyber security company, empow. Located in Boston and Israel, empow offers so-called intent-based orchestration in their next-generation SIEM offering. Their solution harnesses the collective power of the tools already deployed in the enterprise, using natural language processing to develop context around ingested data.

“We embed our SIEM into the enterprise to accept security alarms, alerts, and relevant logs from existing, deployed security tools,” explained Kurt Bertone, VP of Marketing and Business Development for the company. “What we do next involves the use of automated natural language processing techniques to read and learn the basic intent. This involves the background, context, and implications of the security alert information being ingested.”

This piqued my interest, because the first thing human SOC analysts do when an alert is received involves research – often with just a browser, Internet connection, and coffee. Using automated NLP to obtain contextual understanding from curated textual sources thus sounded wonderful to me. And the empow tool uses this collected context to prioritize alerts, which improves the accuracy and relevance of mitigation or response actions.

“We put a great deal of thought into how orchestration of existing security tools could be done in an adaptive, vendor-independent way,” Bertone said. “We created an abstraction known as ‘security particles’ that enables us to classify data produced by a customer’s security infrastructure.” I noticed during our discussion that this abstraction led to the inevitable analogy of ‘connecting the dots’ as part of detection and response.

The empow team describes their methodology in terms of a four-step cycle, beginning with data ingested from log sources. The correlated data is then fed into their AI and machine learning classification process, which utilizes the NLP methods. The next step involves an inference analytics engine that builds a so-called “attack story.” Finally, the cycle completes with investigation, mitigation, remediation and, obviously, feedback to log sources.

After chatting with empow, I did some research and discovered that several vendors have been doing similar types of NLP-based text analytics for cyber security. But I must say that the empow approach appears to be especially well-defined and cleanly implemented in a direct manner. For instance, I could easily develop use-case examples for alerts being contextualized and orchestrated that seemed to fit the empow operation.

My advice to security teams is that if you haven’t already looked at SIEM-based orchestration using inference and NLP for contextual understanding to improve mitigation, then add this task to your list. And you would be wise to give empow a call. They managed to drive a complex technical topic into my head quickly and easily, despite my bad-mannered decision to quietly hum a classical piece from Nierenberg during the discussion.