Enterprise plans for security automation and orchestration

Organizations want to merge threat intelligence with internal security telemetry, add custom functionality for security operations, and automate remediation tasks.

With the global cybersecurity skills shortage hanging over them, CISOs are turning to security automation and orchestration technologies to improve staff productivity. This is happening faster and more widely than most people realize.

According to ESG research, 19 percent of enterprise organizations have already deployed technologies for security automation and orchestration extensively, 39 percent have done so on a limited basis, and 26 percent are engaged in a project to automate/orchestrate security operations. 

Why are folks doing this? ESG asked 412 cybersecurity and IT professionals to identify their organization’s priorities for security automation and orchestration. The top selections were as follows:

  • 35 percent want to use security automation/orchestration technology to integrate external threat intelligence with internal security data collection and analysis. It’s natural to query these two sources as part of security investigations, but this was always a manual process in the past. The data suggests that organizations want to use security automation/orchestration tools to do the heavy lifting, streamlining the investigations workflow.
  • 30 percent want to use security automation/orchestration technology to add functionality on top of existing tools. Typically, this functionality is centered on orchestrating workflows as part of things like security investigations, incident response, or remediation tasks.
  • 29 percent want to use security automation/orchestration technology to automate basic remediation tasks, such as automatically generating new firewall rules upon receiving a list of IoCs.
  • 28 percent want to use security automation/orchestration technology to correlate and contextualize data using the output of two or more tools. Think of a multitude of threat detection tools spitting out reports or generating alerts. Security pros want to use security automation/orchestration to blend these outputs and get a more holistic picture of security incidents.
  • 22 percent want to use security automation/orchestration technology to integrate security and IT operations tools. This can allow security analysts to access asset databases, CMDBs, trouble ticketing systems, etc. Clearly, this requirement is why vendors such as Resolve Systems and ServiceNow have jumped into this space.
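As an added illustration of the first, third and fourth priorities above (not code from the article or from ESG), the small Python playbook below vets a constructed threat-intel feed, correlates it with constructed internal telemetry, and emits generic deny rules with the observed hits attached for the analyst's ticket. The feed, log records, allowlist, confidence threshold and internal ranges are all constructed assumptions, and the rule format is a placeholder rather than any vendor's syntax.

```python
import ipaddress

THREAT_INTEL = [  # constructed sample feed, as a SOAR playbook might receive it
    {"indicator": "203.0.113.45", "type": "ip", "confidence": 90},
    {"indicator": "198.51.100.7", "type": "ip", "confidence": 40},  # low confidence
    {"indicator": "10.0.0.5", "type": "ip", "confidence": 95},      # internal address
    {"indicator": "192.0.2.1", "type": "ip", "confidence": 85},     # allowlisted
    {"indicator": "not-an-ip", "type": "ip", "confidence": 99},     # malformed entry
]
TELEMETRY = [  # constructed internal telemetry (proxy or egress firewall records)
    {"host": "ws-22", "dst": "203.0.113.45"},
    {"host": "ws-30", "dst": "93.184.216.34"},
    {"host": "srv-8", "dst": "203.0.113.45"},
]
ALLOWLIST = {"192.0.2.1"}  # hypothetical: a shared resolver that must never be blocked
MIN_CONFIDENCE = 70
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def vet_indicators(feed, allowlist=ALLOWLIST, min_confidence=MIN_CONFIDENCE):
    """Keep only IP IoCs that are well-formed, confident, external and not allowlisted."""
    blockable = set()
    for ioc in feed:
        if ioc["type"] != "ip" or ioc["confidence"] < min_confidence:
            continue
        try:
            addr = ipaddress.ip_address(ioc["indicator"])
        except ValueError:
            continue  # never turn a malformed feed entry into a rule
        if any(addr in net for net in INTERNAL_NETS) or str(addr) in allowlist:
            continue  # blocking internal or allowlisted space is a self-inflicted outage
        blockable.add(str(addr))
    return blockable

def correlate(telemetry, indicators):
    """Map each vetted IoC to the internal hosts observed talking to it."""
    hits = {}
    for event in telemetry:
        if event["dst"] in indicators:
            hits.setdefault(event["dst"], set()).add(event["host"])
    return hits

def firewall_rules(indicators, hits):
    """One generic deny rule per IoC, annotated with observed hits for the analyst's ticket."""
    return [{"action": "deny", "dst": ip, "hits": sorted(hits.get(ip, ()))}
            for ip in sorted(indicators)]

def run_playbook(feed=THREAT_INTEL, telemetry=TELEMETRY):
    vetted = vet_indicators(feed)
    return firewall_rules(vetted, correlate(telemetry, vetted))
```

Of the five feed entries only one survives vetting, which is the point: the automation does the heavy lifting, but the checks in `vet_indicators` are what keep a bad feed entry from becoming an outage.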

Security automation necessary, but how to use it?

CISOs look at security operations like Henry Ford looked at building cars. They know manual processes can’t scale to meet demand, so they are using new technologies to mechanize operations. Ford used the production line; CISOs are using security automation and orchestration tools.

It’s still early, and the market remains confusing to many infosec pros. Should automation and orchestration be aligned with their SIEM? Should it be tightly integrated with IT operations? Should they develop their own software or kick the tires with commercial vendors like Demisto, Phantom, or Swimlane? Alternatively, should they go for security automation/orchestration features that come with new analytics or operations tools from vendors like Exabeam, Siemplify, or ThreatConnect?

These are difficult choices, but ESG has observed that successful security automation/orchestration results come from a commitment to process improvement, a deliberate phased implementation plan, and partnerships with technology vendors with deep security operations experience. 
