Why is incident response automation and orchestration so hot?

Incident response is dominated by manual processes that limit efficiency and effectiveness. This is one of the drivers for IR automation and orchestration.

I couldn’t attend the RSA Conference this year, but many cybersecurity professionals and my ESG colleagues told me that incident response (IR) automation and orchestration was one of the hottest topics in the halls of the Moscone Center—through the bar at the W hotel and even at the teahouse on the garden at Yerba Buena.   

Was this rhetoric just industry hype? Nope. This buzz is driven by the demand side rather than suppliers. In truth, cybersecurity professionals need immediate IR help for several reasons:

1. IR is dominated by manual processes. Let’s face it, IR tasks such as fetching data, tracking events or collaborating with colleagues depend upon the organizational, communications and technical skills of individuals within the security operations team. These manual processes ultimately get in the way of overall IR productivity.

In a recent research project, infosec pros were asked, “Do you believe that your organization’s incident response efficiency and effectiveness are limited by the time and effort required for manual processes?” Fifty-two percent of cybersecurity professionals responded, “yes, significantly,” while another 41 percent said, “yes, somewhat.” Furthermore, 27 percent of cybersecurity pros say they spend 50 percent or more of their IR time on manual processes.

2. IR is a dysfunctional team sport. The SOC team may be responsible for finding the fires, but it counts on IT operations to actually fight the fires. Unfortunately, this relationship isn’t always a finely tuned machine. One-third of cybersecurity professionals say coordinating IR activities between cybersecurity and IT operations teams is the top IR challenge at their organization.

3. IR shines a spotlight on the cybersecurity skills shortage. According to ESG research, 45 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2017. Furthermore, as part of a 2016 research study of cybersecurity professional careers done by ESG and the Information Systems Security Association (ISSA), 437 cybersecurity professionals were asked to identify the areas of cybersecurity where their organizations had the biggest skills deficits. The top area cited (33 percent) was security analysis and investigations. If you have a security analysis and investigations skills shortage, IR is bound to suffer.   

Let’s look at these issues in aggregate: Understaffed and under-skilled SOC teams depend on key individuals and manual processes to get their jobs done. And when cybersecurity professionals detect something wrong, they don’t work well with the IT operations team to fix problems in an efficient manner. As they say down south, “that dog don’t hunt.” 

Little wonder, then, why CISOs are turning to IR automation and orchestration initiatives. A few years ago, this meant scripting, open source and custom coding. What’s changed over the past few years, however, is greater support for SOC workflows within SIEM tools (AlienVault, IBM QRadar, LogRhythm, McAfee, Splunk, etc.) and the rise of innovative IR platforms (FireEye, Hexadite, Phantom, Resilient, Siemplify, ServiceNow, etc.).

CISOs are still assessing the scope of their IR problems and figuring out what to do first. Still, they are actively engaged and plan to do more: 46 percent of cybersecurity professionals say their organizations’ IR budgets will increase significantly this year, while 42 percent claim budgets will increase somewhat in 2017. For good reasons, a lot of these dollars will be targeted at IR automation and orchestration, while gluing the whole IR enchilada together through a security operations and analytics architecture (SOAPA). Thus, the demand-driven buzz at RSA was real this year—at least for IR automation and orchestration.
