SIRP recently sponsored the 2020 SANS Security Automation and Integration Survey. The survey report compiled responses from 520 security professionals from technology, government, finance, energy, and other sectors. This survey provides a great insight into how organizations perceive security automation, the progress being made in automation and integration, and how it is likely to influence future security operations.
The report has highlighted six emerging security automation trends through the submitted responses. We have excerpted sections discussing these trends and have added our comments to specify our approach towards them.
SANS: “In 2020, two dramatic shifts occurred in how respondents approach their use of automation tools, indicative of how organizations are evolving in their use of automation. First, organizations are looking toward the use of automation technology. Those with no automation or orchestration tools currently in use decreased by 11% between 2019 and 2020, indicating that more organizations are adopting automation tools. Second, organizations are investing in dedicated automation tools to augment their integration of existing capabilities (an increase of 12% in 2020 over 2019) as opposed to integrating existing tools through in-house integration and orchestration efforts (a decrease of 5.5%).”
SIRP: The report not only highlights a substantial uptick in the adoption of automation tools compared with the 2019 survey, but also the organizations’ inclination towards buying dedicated orchestration and automation platforms instead of building in-house. As per our analysis, this trend is driven by a combination of the following:
SIRP currently supports integration with 70+ security tools and solutions, which allow 350+ actions to be executed automatically or manually. The number of these apps and integrations is increasing every week, providing support for new and rich use cases.
SANS: “A gap between current projects and past performance emerges when comparing lower satisfaction ratings of prior projects with the anticipated higher results of current projects across the same project areas. The average gap is 17%, with a range of 9% to 25%.”
SIRP: The last thing an organization would want is to let the satisfaction ratings of its previous projects determine the outcome of similar future projects. The key is to close the gap between current and future projects by identifying the reasons why a similar earlier project did not deliver the expected results.
The lesson here is that organizations need to do more than simply anticipate better results when evaluating an automation tool. Some of the ways in which organizations can be more diligent are:
SANS: “Two processes emerged as leaders in implementation or planned implementation for the next 12 months: command function (IR/Analysis), with 30% currently implementing automation and 29% planning to implement automation in the next 12 months; and initiate and manage IR, with 27% currently implementing and 28% planning implementation in the next 12 months. These results clearly show that organizations are prioritizing automation projects that should help their staff work smarter, improve consistency, and standardize the way they handle security incidents.”
SIRP: The report observed that organizations are investing in automation projects which standardize their security processes and help their staff work smarter. Some of the key points here are:
SANS: “Only 5% of respondents expect a reduction in staffing as a result of an automation project. However, after an automation project, nearly half of respondents (49%) anticipate improvement to staff utilization.”
SIRP: We have made this point time and again: automation does not mean replacing the human workforce. Instead, these projects allow analysts to work on tasks that require their expertise and let automation handle the repetitive ones. Automation acts as a force multiplier for security teams. It is not about replacing or reducing staff but about allowing them to focus on more important tasks and do more in less time.
SANS: “Budget commitment for automation is on the rise in 2020. Spending increased at a modest spending level of 3–4% and at higher levels of 7–10%, and then took a dip for spending greater than 10%. This amount of change demonstrates that organizations see the value in automation and integration.”
SIRP: The budget picture for automation projects has improved considerably over the years as the survey suggests. These investment decisions around automation are influenced by both direct and indirect factors, which primarily include management support and a considerable Return on Investment (ROI).
According to the 2020 report, organizations are investing budget to enhance the skills of their internal staff to conduct automation and integration projects. Interestingly, this factor was also rated the highest in the subsequent year, which makes it evident that organizations are now prioritizing automation projects in their project portfolio to make their security operations more effective.
With automation tools, it is straightforward for organizations to understand the cost savings and ROI. Organizations can track how many times a certain playbook ran and how many tasks were executed automatically without human intervention, and consequently how many human hours were saved. This translates directly into the ROI or cost savings achieved by the automation platform, so organizations feel more confident in getting budgets approved and investing more in automation projects.
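The hours-saved and ROI calculation described above, as an added example that is not SIRP’s own code or report data: it runs over constructed playbook-run records (the `PlaybookRun` fields, the per-action effort estimates and the cost figures are all assumptions), and it counts only actions the platform executed itself, since steps an analyst still had to perform or approve save no analyst time.

```python
"""Estimate analyst hours saved and ROI from SOAR playbook telemetry.

Added example with constructed data; the record layout and effort
estimates are assumptions, not an export format of any real platform.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PlaybookRun:
    playbook: str
    automated_actions: int      # actions the platform executed on its own
    manual_actions: int         # actions an analyst had to perform or approve
    minutes_per_action: float   # assumed manual effort per action, in minutes


# Constructed sample telemetry (in practice exported from the platform's audit log).
SAMPLE_RUNS = [
    PlaybookRun("phishing-triage", 8, 0, 5.0),
    PlaybookRun("phishing-triage", 8, 0, 5.0),
    PlaybookRun("ioc-enrichment", 12, 0, 2.5),
    PlaybookRun("host-isolation", 3, 2, 10.0),   # partly manual: only 3 actions count
]


def hours_saved(runs):
    """Analyst hours avoided; manual actions are deliberately excluded."""
    minutes = sum(r.automated_actions * r.minutes_per_action for r in runs)
    return minutes / 60.0


def hours_saved_by_playbook(runs):
    """Per-playbook breakdown, useful for spotting which playbooks pay off."""
    per_playbook = defaultdict(float)
    for r in runs:
        per_playbook[r.playbook] += r.automated_actions * r.minutes_per_action / 60.0
    return dict(per_playbook)


def fully_automated_runs(runs):
    """Runs that completed with no human intervention at all."""
    return sum(1 for r in runs if r.manual_actions == 0)


def roi(runs, hourly_cost, platform_cost):
    """Return on investment as a ratio: (savings - cost) / cost."""
    savings = hours_saved(runs) * hourly_cost
    return (savings - platform_cost) / platform_cost
```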
SANS: “The majority of respondents (58%) stated that they plan to automate key security and Incident Response processes in the next 12 months.”
SIRP: Automation is about bringing people, processes, and technology together. It is often the case that automation vendors bring process and technology together, but the most important aspect, people, is left behind. SOC analysts are the first responders of the incident response chain: they monitor the alerts, investigate, and initiate the response cycle. But there is usually a disconnect between the SOC team and other teams in the organization. For example, the agendas of the SOC and IT teams are usually not aligned, or the SOC team does not understand the language that the GRC team speaks. The report suggests that organizations are now putting the focus on their SOC and IT teams, understanding that the only way forward is to stop working in silos and bridge the gap between the teams.
SIRP provides the right tools and features to deliver this. SIRP’s case management allows multiple organizations to coordinate and collaborate within the same platform. SIRP allows SOC teams to go beyond the traditional monitoring of SIEM alerts by giving them a view of organizational risks, vulnerabilities, and threat intelligence, enabling them to prioritize their response and automation activities.
We recommend reading the 2020 SANS survey report to learn more about these trends and the responses submitted by more than 500 security professionals. You can download the 2020 SANS Automation & Integration Survey report here.
Click here to schedule a personalized demo with a SIRP representative.