
One of the most important aspects to consider when evaluating a security automation and orchestration (SA&O) platform is the inherent security of the platform itself. An SA&O platform holds security infrastructure details, authentication credentials, operations and response plans, security event data, and other highly sensitive information. It also serves as the operating system for your security infrastructure, directing security-related activity across your environment. An attacker who compromises it inherits every credential and integration it holds. Considering all this, it's vital that the platform incorporate security best practices so that the system remains available, is resilient to attack and unauthorized use, and maintains the integrity of its data.
Here are some key criteria to look for in an SA&O platform:
- A hardened operating system with unnecessary services and packages removed
- Encryption at rest for credentials, event data, and configuration settings
- Credentials that are not retained in memory in cleartext beyond the point of use
- Support for external authentication management systems (e.g. LDAP, SAML)
- Support for multi-factor authentication
- Robust role-based access control
Minding the A’s of Security
In addition to the above criteria, it’s also important to consider how the platform addresses these four A’s of security.
Availability
Many people automatically default to high availability when availability is mentioned, but resiliency to attack also falls into this category. A compromised system that cannot carry out its mission is a loss of availability just as much as a crashed one. Purpose-built platforms, whether in physical, virtual, or cloud form, should have an attack surface that is as small as possible. A good question to ask is, "How often are third-party, independent penetration tests performed on the system, and what was in scope?" A vendor should be able to provide a prospective customer with a recent report from these tests, including how the findings were remediated.
When focusing on High Availability (HA) features, be sure to explore how data is kept in sync between primary and backup systems. Ask about the failover, and just as important, the recovery behavior of the platform.
Another availability item revolves around fault tolerance. Find out if the SA&O platform's application tier can be separated from its database. In many cases, separating the application from the database lets the database tier use its own redundancy (storage RAID, replication, or clustering) and be backed up and restored independently of the application.
Authentication
During an evaluation, learn about the different authentication options available. In addition to local authentication, find out if the platform supports Single Sign On (SSO) and multi-factor authentication. Unless proper synchronization or deprovisioning is implemented, maintaining multiple authentication systems can weaken platform security by leaving local user accounts active that should have been disabled (e.g. after employee turnover).
Access Control
To avoid inappropriate access, evaluate the role-based access control capabilities of a prospective SA&O platform. In addition to providing out-of-the-box roles, ask if you can define roles that align to your organization, and whether permissions can be scoped to specific assets, playbooks, or actions rather than granted platform-wide. To limit insider abuse, security best practices dictate that a user should have access only to the portions of an SA&O platform needed to perform their assigned functions. Studies continue to demonstrate that insider threats, whether intentional or not, pose a significant risk to most organizations.
Auditing
Finally, carefully evaluate an SA&O platform's audit capabilities. In a production setting, tamper-evident auditing is important not only to understand when a process isn't working correctly, but also to record the identities and actions of users operating the system, as well as the automated actions the platform takes on their behalf. Ask whether the audit trail can be forwarded to an external system (e.g. a SIEM) so that an administrator of the platform cannot quietly alter or delete it.
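To make "tamper-evident" concrete, here is an added example of the kind of mechanism a platform can use: a hash-chained audit log in which each entry's HMAC covers both its own content and the previous entry's tag, so that editing, inserting, or deleting a record breaks the chain. This is illustrative code written for this post, not the Phantom Platform's implementation. The signing key, the sample entries, and the timestamps are constructed for the demonstration; in a real deployment the key would live in a secret store or HSM that platform operators cannot read.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key. A real platform would keep this where audit-log readers
# (including platform admins) cannot obtain it; an attacker who has the key can forge the chain.
AUDIT_KEY = b"demo-audit-key-do-not-use-in-production"


def _canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always hashes to the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(prev_mac: str, record: dict) -> str:
    """HMAC over the previous tag plus this record: the link that forms the chain."""
    return hmac.new(AUDIT_KEY, prev_mac.encode() + _canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, target: str, ts: str) -> dict:
        """Record who did what to which object, chained to the previous entry."""
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        record = {"seq": len(self.entries), "ts": ts, "actor": actor,
                  "action": action, "target": target}
        entry = dict(record, mac=_entry_mac(prev, record))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest tag. Publishing this externally (e.g. to a SIEM) lets you detect truncation."""
        return self.entries[-1]["mac"] if self.entries else self.GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain. Returns (True, None) if intact, else (False, index of first bad entry).

        Without expected_head, deleting entries from the END of the log is NOT detected,
        because the remaining prefix is still a valid chain. Pass the externally stored
        head tag to catch that case.
        """
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            record = {k: v for k, v in entry.items() if k != "mac"}
            if record.get("seq") != i:           # entry removed or reordered in the middle
                return False, i
            expected = _entry_mac(prev, record)
            if not hmac.compare_digest(expected, entry["mac"]):  # content or tag edited
                return False, i
            prev = entry["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.entries)      # tail truncated (or log is a different chain)
        return True, None


def sample_log() -> AuditLog:
    """Constructed sample activity: an analyst runs a playbook, then an admin edits a role."""
    log = AuditLog()
    log.append("alice", "login", "console", "2016-01-01T09:00:00Z")
    log.append("alice", "run_playbook", "block_ip", "2016-01-01T09:05:00Z")
    log.append("bob", "edit_role", "analyst", "2016-01-01T09:10:00Z")
    return log


if __name__ == "__main__":
    log = sample_log()
    published_head = log.head()          # imagine this was forwarded to a SIEM
    print("intact:", log.verify(published_head))
    log.entries[2]["actor"] = "alice"    # bob tries to pin his role change on alice
    print("after edit:", log.verify(published_head))
```

The important design point is the last branch of `verify`: a chain alone proves that nothing in the middle was altered, but only an externally anchored head tag proves that nothing was removed from the end. When you evaluate a platform's auditing, that is the question to ask: where does the evidence live that lets you prove the log you are reading is the complete log?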
Conclusion
For many readers, these criteria may seem obvious. It's good practice, however, to make sure that the security of the platform is at least as good as that of the environment you are trying to protect. As the adage goes, "A house is only as stable as the foundation it's built upon." The Phantom Platform was purpose built for security and addresses all of the criteria discussed. If you don't currently use the Phantom Platform, we invite you to download the free Community Edition today.
----------------------------------------------------
Thanks!
Chris Simmons