Resolve Systems shared the top trends to watch in 2018 relating to incident response and automation. The list of predictions are founded on the company’s insight into the challenges enterprises express in today’s new normal of high impact outages/breaches and why companies are investing in incident response and automation technology.
“2018 is not going to be a quieter year in terms of cyber-attacks against organizations. We know that threats are becoming more sophisticated and easier for hackers to deploy, in most instances. Therefore, we have to continue to improve our ability to protect against those threats. To do so is a team effort that requires MSSPs, security vendors, SOC managers and all parties involved in incident response to lean on automation technologies and orchestration methodologies that help investigate and remediate attacks quickly, efficiently and in a way that really helps our overworked security teams rather than creating more work for them,” Martin Savitt, CEO at Resolve Systems, told Help Net Security.
Businesses’ comfort with security automation will increase due to the necessity for scale. Increasing volume of automated attacks will make it impossible for SOCs to keep up via manual processes alone. Solutions that help hesitant organizations begin to embrace automation (via a crawl/walk/run strategy) will capture increasing market share. This is supported by Forrester Research’s November 9, 2017 report, “Predictions 2018: Automation Alters The Global Workforce.” The report states “Prediction 9: A true combined security and ops automation platform will roll out.”
Lower SOC entry level
Users will increasingly seek solutions that can lower the bar of entry to security teams. Due to security’s significant skills gap, solutions that help less experienced professionals become quickly effective as Level 1 SOC analysts will be increasingly valued.
The market’s focus on incident response will change from today’s reactive position to a continuous one. Post-mortem analysis on security incidents will lead ongoing enhancements and testing for response playbooks. The growing field of “range training” for security team members and red team/blue team simulations indicate that attack rehearsals and playbook tuning will receive increasing attention.
Savvy MSSP shoppers
MSSPs will be affected in 2018 and beyond, as clients begin to request MSSPs to demonstrate attack responses and share metrics on time to respond/remediate for specific incident types. Increasing media coverage and public awareness of security incidents will make for more savvy buyers who want more detailed evidence and assurances of an MSSP’s ability to respond effectively to a significant breach.
SOC as IR thought leader
The SOC team will become a driver for efficiency, automation, and best-practice procedures in IT, Network, and Service Desk, as the remediation activities that these teams perform in security incidents are critical for the success of the SOC. Given this, the SOC may well stand to be the model for all technical teams in an organization.
SIR platform required
Having an incident response platform will become a non-negotiable for security teams. As the rate and scale of cyberattacks will be a forcing function for the adoption of automation, the pain of attempting to automate in a fragmented and piecemeal manner will exert pressure on the SOC to bring in a proper incident response platform to orchestrate and automate response.
More money = more scrutiny
In the wake of recent catastrophic security incidents, CISOs and SOCs will see increasing investment and budget to purchase tools. However, with these added funds will come the onus to demonstrate measurable results and improvements, so teams will seek ways to demonstrate success with analytics, reporting, and attack simulations.
SOC developed automation
As a necessity, many SOCs are already scripting and building out automations to support some simple mundane and repetitive tasks. Leveraging their security expert’s “tribal knowledge”, however, many SOCs will find efficiency in building their own automations and look for tools that lower the programming barrier. They will seek solutions that enable those who know how to investigate and remediate incidents to create automations with no programming skills.
Possible CSIRT resurgence
While the construct of the cybersecurity incident response team (CSIRT) has existed for some time, 2018 will show increased interest in creating these in-house, cross-disciplinary incident response teams. As more and more organizations realize the necessity of enterprise-wide security response, the CSIRT will potentially become a way of attempting to solve cross-team collaboration challenges without having to completely rewire political and technical relationships between Security, IT, Network, and Service Desk.
More movement to MSSPs
MSSPs will receive greater interest from organizations that recognize the level of effort and in-house expertise required for a successful SOC is beyond their means. Smart MSSPs – those that have the right personnel and tools available to build buyer confidence – that demonstrate the ability to meet core enterprise requirements and state-of-the-art responses to security breaches will attract the most interest.