Security orchestration and automation: Closing the gap in incident response

Companies in North America are poised to increase their reliance on security orchestration and automation for incident response (IR), according to Enterprise Strategy Group (ESG).

The research also explored the drivers of this shift, identifying the shortage of qualified cybersecurity professionals and the heavy reliance on manual resources as the main contributing factors.

ESG surveyed 100 IT professionals with knowledge or responsibility for their organization’s incident response processes and technologies. The research shows that 91 percent of these people believe that IR efficiency and effectiveness are limited by the time and effort of manual processes. In addition, it found that 97 percent of organizations have either already taken steps to automate and/or orchestrate incident response processes, or plan to do so within the next 18 months.

“Nearly every organization admits to challenges in the way they currently handle incident response, forcing them to look for other options. Big changes are coming,” said Jon Oltsik, senior principal analyst at ESG. “Based on input from practitioners in the field, it’s clear that organizations see the value of IR automation and orchestration and we’re just at the beginning of this trend.”

High alert volume has made incident response difficult:

• 98 percent of respondents admit to having challenges with incident response capabilities.
• 71 percent claim that incident response has become more difficult at their organizations over the past two years.
• Monitoring processes from end-to-end (47 percent), keeping up with the volume of threat intelligence (46 percent), and keeping up with the volume of security alerts (43 percent) were the three most frequently cited challenges.

The security skills gap combined with heavy reliance on manual resources exacerbate IR challenges:

• 91 percent of respondents said IR efficiency and effectiveness are limited by the time and effort of manual processes.
• 91 percent also said they are actively trying to increase the size of their incident response staff right now.

“With the recent advances in incident response (IR) technologies and the increasing pervasiveness of data, monitoring IR processes end-to-end requires a high level of participation from enterprises’ legal and HR teams, now more than ever, in order to meet legal and regulatory compliances,” Stephen Singam, managing director of security research at Distil Networks, told Help Net Security.

“Legal needs to ensure the usability of any evidence collected and provide counsel on liability issues that affect customers, vendors, and society in general. As for HR, because most IR activities involve company employees (especially with internal threats), their guidance is critical in these situations as well. When the security team works in tandem with legal, HR and others in an organization to respond to threats, the process is much more seamless and effective,” concluded Singam.

Many enterprises are turning to automation and orchestration to improve IR efficacy while streamlining operations:

• More than half (62 percent) of enterprise organizations have already taken action to automate and/or orchestrate IR processes. Another 35 percent are either currently engaged in a project to do so, or plan to initiate a project within 18 months.
• This shift is just beginning. The vast majority of organizations currently classify their IR automation/orchestration initiatives as being in early or immature stages. Only about one-third (32 percent) currently categorized their initiatives as being in a mature stage.
• The reasons most often cited for the move to IR automation/orchestration include automated data collection (50 percent), reducing in human error (49 percent), and improving analysts’ ability to triage incidents (47 percent).

CISOs have robust plans for IR spending and process alignment in the next few years:

• 91 percent of survey respondents said that their organization’s spending on incident response will increase over the next two years – 40 percent said that spending will increase significantly.
• Zero respondents said spending would decrease.
• 50 percent of organizations plan to improve the alignment of IR and IT governance processes.
• 43 percent plan to test their IR processes more often.
• 38 percent plan to hire more incident response personnel.

“People love the way Hollywood depicts cybersecurity – full of drama, excitement and masterminds on both sides. But in the real world, CEOs, CIOs and Board of Directors all want to keep cybersecurity simple, quiet and most of all, cheap,” said Chen Heffer, CISO for Douglas County, Colorado. “Human error is always going to be part of the cybersecurity equation, but working with automated tools that shorten the response time and negate most human errors is the real ROI of cyber security. It makes detection less scary, response much more efficient and investigation and recovery somewhat even fun.”