Top 6 Emerging Trends in Security Automation

SIRP recently sponsored the 2020 SANS Security Automation and Integration Survey. The survey report compiled responses from 520 security professionals from technology, government, finance, energy, and other sectors. This survey provides a great insight into how organizations perceive security automation, the progress being made in automation and integration, and how it is likely to influence future security operations.

The report has highlighted six emerging security automation trends through the submitted responses. We have excerpted sections discussing these trends and have added our comments to specify our approach towards them.

Trend #1: Increased Adoption of Dedicated Automation Solutions

SANS: “In 2020, two dramatic shifts occurred in how respondents approach their use of automation tools, indicative of how organizations are evolving in their use of automation. First, organizations are looking toward the use of automation technology. Those with no automation or orchestration tools currently in use decreased by 11% between 2019 and 2020, indicating that more organizations are adopting automation tools. Second, organizations are investing in dedicated automation tools to augment their integration of existing capabilities (an increase of 12% in 2020 over 2019) as opposed to integrating existing tools through in-house integration and orchestration efforts (a decrease of 5.5%).”

SIRP: The report not just highlights a substantial uptick in automation tools adoption when compared with the 2019 survey, but also the organizations’ inclination towards buying dedicated orchestration and automation platforms instead of building in-house. As per our analysis, this trend is driven by a combination of the following:

Overhead Costs: Building a new tool and maintaining it requires resources. This could mean investment for dedicated resources for the development and hosting of the tool. On top of that, organizations also need to plan about retaining the human resource to keep maintaining that tool in the future. It is the nature of such projects that require a wide variety of resources.
Talent Acquisition: There is a severe shortage of security professionals. Top-quality security engineers are hard to find, even harder to retain. Vendors and organizations are fighting to attract new experienced resources as well as retaining existing teams. So, organizations are thinking about these short- and long-term implications.
Complexity: Open source and in-house built tools are great for organizations that do not have budgets for automation. But organizations also understand that these development projects might be easy to execute and maintain when they are small. But as they grow, these projects will demand more resources, time, and efforts.

SIRP currently supports integration with 70+ security tools and solutions, that allow for 350+ actions to be executed automatically or manually. The number of these apps and integrations are increasing every week, providing support for new and rich use cases.

Trend #2: Evident Gap Between Current Projects and Past Performance

SANS: “A gap between current projects and past performance emerges when comparing lower satisfaction ratings of prior projects with the anticipated higher results of current projects across the same project areas. The average gap is 17%, with a range of 9% to 25%.”

SIRP: The last thing an organization would want is to let its previous projects’ satisfaction ratings influence future similar projects. The key here is to close the gap between current and future projects by narrowing down reasons why a similar former project did not provide the level of expected results.

The lesson to learn here is that organizations need to do more than just anticipation for better results during the evaluation phase of an automation tool. Some of the ways through which organizations can be more diligent are:

Conduct a thorough POC: Test the features that the vendor claims to offer. The reason is that it often happens that a feature proposed is not available in the product or part of the future product roadmap. And when the time comes to use that feature, the vendor is not available to deliver. This is one of the core reasons for poor performance and lowers satisfaction ratings.
Establish a Baseline: Identify your SOC’s use cases and operations’ effectiveness to evaluate how well SOC is performing after the automation project.
Question the Vendors: Ask vendors about the key aspects and requirements specific to your environment. For example:

How will they help you understand your environment and how will they improve on it? You can achieve this with SIRP’s Asset Management module.
How many use cases, playbooks, or workflows will they deliver as part of the project? What are the limitations? SIRP provides several out-of-box playbooks and helps you create new playbooks based on your processes.
How many integrations and ingestion sources will they enable for alerts ingestion and threat hunting use cases? With SIRP, there is no limit to the number of ingestion and threat hunting integrations.
How they deliver prioritization for your SOC analysts. Currently, the sole focus of all automation vendors is automation. But SIRP allows you to automate what’s important for you by bringing in your organizational context and risks. Our unique scoring engine (S3) helps you prioritize your remediation efforts.
How they are going to bring multiple teams together and what value do they deliver to different people in the chain? SIRP does this through end-to-end case management and allowing your GRC team to conduct risk assessments from the platform. Hence bridging the gap between your SOC team and GRC team.

Trend #3: Organizations Are Placing Higher Emphasis on Implementing Projects That Improve Security Operations

SANS: “Two processes emerged as leaders in implementation or planned implementation for the next 12 months: command function (IR/Analysis), with 30% currently implementing automation and 29% planning to implement automation in the next 12 months; and initiate and manage IR, with 27% currently implementing and 28% planning implementation in the next 12 months. These results clearly show that organizations are prioritizing automation projects that should help their staff work smarter, improve consistency, and standardize the way they handle security incidents.”

SIRP: The report observed that organizations are investing in automation projects which standardize their security processes and help their staff work smarter. Some of the key points here are:

Organizations don't want to overburden their resources and keep them busy with mundane tasks. That’s the reason organizations are emphasizing on implementing SOAR platforms. Organizations need to evaluate repetitive tasks being performed in SOC and start with automating them to free-up resources.
Another aspect that organizations want to gain visibility on the performance of their SOC. The top three important KPIs are MTTD (Mean Time to Detect), MTTI (Mean Time to Investigate) and MTTR (Mean Time to Respond).
Organizations want to keep a check on their threat intelligence and vulnerabilities remediation efforts because Security Operations go beyond automation of alerts that SOC analysts are investigating. Organizations want to track their vulnerability management lifecycle, prioritize the remediation efforts, and fuse that information with other data that their SOC analysts are handling.
Most importantly, organizations want to see and use risk scores to help with prioritization. This way the analysts don't need to spend time on tasks, IOCs, and alerts that are of low value. Rather focus on what's important based on risk score and prioritization scoring.

Trend #4: Automation May Not Reduce Staffing Needs

SANS: “Only 5% of respondents expect a reduction in staffing as a result of an automation project. However, after an automation project, nearly half of respondents (49%) anticipate improvement to staff utilization.”

SIRP: We have made this point time and again that automation does not mean replacing the human workforce. Instead, these projects allow analysts to work on tasks that require their expertise and let automation handle the repetitive ones. Automation acts as a force multiplier for the security teams. It’s not about replacing or reducing staff but rather allowing them to focus on more important tasks and let them do more in less time.

Trend #5: More Security Budget Is Being Applied to Automation

SANS: “Budget commitment for automation is on the rise in 2020. Spending increased at a modest spending level of 3–4% and at higher levels of 7–10%, and then took a dip for spending greater than 10%. This amount of change demonstrates that organizations see the value in automation and integration.”

SIRP: The budget picture for automation projects has improved considerably over the years as the survey suggests. These investment decisions around automation are influenced by both direct and indirect factors, which primarily include management support and a considerable Return on Investment (ROI).

According to the 2020 report, organizations are investing budget to enhance their internal staff skills to conduct automation and integration projects. Interestingly, this factor was also rated the highest in the subsequent year, which makes it evident that organizations are now prioritizing automation projects in their project portfolio to make their security operations further effective.

With automation tools, it’s straightforward for organizations to understand the cost-saving and ROI. Organizations can track how many times a certain playbook ran or how many tasks were there that were run automatically without human intervention. Consequently, saving human hours. This easily translates to ROI or cost savings achieved by the automation platform. Thus, organizations feel more confident in getting budgets approved and investing more in automation projects.

Trend #6: SOC and Incident Response Are Getting Attention

SANS: “The majority of respondents (58%) stated that they plan to automate key security and Incident Response processes in the next 12 months.”

SIRP: Automation is about bringing people, processes, and technology. It is often the case with automation vendors that they are bringing the process and technology together. But the most important aspect i.e. People are left behind. SOC analysts are considered to be the first responders of the incident response chain. They are monitoring the alerts, investigating, and initiating the response cycle. But there is usually a disconnect between the SOC team and other teams in the organization. For example, the agenda of the SOC team and IT teams are usually not aligned. Or that the language that the GRC team speaks, the SOC team does not understand it. But the report suggests that organizations are putting the focus on their SOC and IT teams. They are understanding that the only way forward is to stop working in silos and bridge the gap between the teams.

SIRP provides the right tools and features to deliver these things. SIRP’s case management allows multiple organizations to coordinate and collaborate within the same platform. SIRP allows SOC teams to go beyond the traditional monitoring of SIEM alerts but giving them a view of organizational risks, vulnerabilities, and threat intelligence. Enabling them to prioritize their response and automation activities.

We recommend reading the 2020 SANS survey report to learn more about these trends and the responses submitted by more than 500 security professionals. You can download the 2020 SANS Automation & Integration Survey report here.

Click here to schedule a personalized demo with a SIRP representative.