A Deeper Analysis into the 2020 SANS Automation and Integration Survey

A Deeper Analysis into the 2020 SANS Automation and Integration Survey

A Deeper Analysis into
the 2020 SANS Automation and Integration Survey


SANS, the most trusted and by far the largest source for information security trainings and security certifications, has recently released the latest results of 2020 SANS Automation and Integration Survey Report, sponsored by SIRP.

The 2019 Automation and Integration Survey provided an overview of where organisations are in their automation/integration journey while this extension takes a deeper analysis into where organisations are focusing their automation efforts in core areas of cyber security, quantifying automation initiatives and more concretely explain how organisations are able to maximise their security investment while improving operations through streamlining efforts. In 2020, SANS wanted to get more detail about where organisations are focusing.

The survey conducted by SANS took responses from 520 respondents including security operations and incident response professionals to answer the questions and create a clear picture of the current state of automation, and where it is headed in the near future. Respondents were asked to quantify their successes more concretely in this year’s survey. The survey report includes all results and the chance to learn more about:

  • How organisations rate their current level of automation
  • Where they are focusing their automation efforts in the next 12 months
  • How automation has affected staffing levels
  • Which metrics organisations use to evaluate the state of their automation initiatives
  • What types of tools have been successfully incorporated into automated environments
  • What automation activities have been successful, why they found this success, and how organisations set up their automation activities to achieve meaningful results.

As the day-to-day practice of security operations matures, senior management starts asking security teams to demonstrate that their budget and activities improve the organisation’s security posture. Metrics are an essential tool for security pros to understand and demonstrate how their systems and processes support the business— well-designed metrics support data-driven decisions.

Key Takeaways

  • Nearly 74% of respondents are applying automation at medium or high levels for security operations and event or alert processing, indicating that they are making good use of existing systems.
  • With a 11.8% increase in dedicated automation adoption, organisations that have fully integrated their IR team with their SOC show the greatest potential of medium- or high-level automation.
  • The most valuable metric was “Number of incidents identified through monitoring programs” (57%), followed closely by “Number of endpoints impacted by an incident” (56%) indicating the impact that monitoring has on identifying a security issue and how it affects the organisation’s environments.
  • In 2020, IPS/IDS/firewall/unified threat management (UTM) alerts retained the top spot for the highest degree of platform utilisation.
  • Automating workflows was the highest at 56%, closely followed by increasing speed and quality of threat investigations at 47% (which decreased by 11% from last year’s survey)
  • Two related metrics also emerged as the most valuable in the survey, but not actively in use by respondents: “Mean time from containment to remediation” and “Mean time for each of the phases of the IR process”  with the latter having the largest gap on being neglected. 
  • Moreover, respondents found “Number of incidents per security analyst” to be the least useful metric (26%).
  • Similarly,  digital forensics scored among the lowest as an automated process because it depends on manual processes and is an activity dependent on human insights.
  • Unfortunately, analysis of the data also indicated that organisations had the least amount of confidence in “reducing alert fatigue,” which had the highest no-confidence score (36%), followed by “better definition of process owners” (28%).

There is clear progress being made in automation and integration, organisations are investing in these projects, with increased budget to support them. They are giving a higher degree of priority and attention to projects that make staff, security operations and incident response work more effectively and smoothly.

"It's been said many times that people are the most valuable asset to an organisation," says SANS analyst and security operations expert Don Murdoch. "The 2020 A&I survey results show that organisations are making strategic investments that will improve day-to-day operations in order to maximise staff, support staff working smarter, and improve both security operations and incident response. Automation is expected to bolster all around improvements for both people and processes in most cases, not used as a method to reduce head count."

These results without a doubt indicate that SOAR is bound to position itself as a mandatory technology in the battle against sophisticated cyber threats, and the good news is more and more clients are becoming aware of that. Having said that, our Risk-Based Security Orchestration And Automation Platform, SIRP fuses essential cybersecurity information to enable a unified cyber response. Through a single integrated platform, it drives security visibility, so decisions can be better prioritised and response time is dramatically reduced.

Get a Demo