By Rishi Bhargava
Today’s business landscape is a delicate balancing act between technological advancement and security. Workplace changes and technological innovations have made it easier to do business and live our lives, but securing these manifold developments is a mammoth task that falls upon already overworked security teams.
There is already a wealth of research that highlights the unending growth in security alerts, a widening security skills gap, and the ensuing fatigue that is heaped upon understaffed security teams. The 2018 State of SOAR report is a large study designed to delve deeper into these issues, their manifestations, and possible solutions. The results yielded fascinating insights into the state of cybersecurity in businesses of all sizes.
Demisto sponsored this independent, third-party study conducted with security professionals working for companies ranging from 500-20,000 employees. Approximately 57 percent of respondents were management level employees, while 43 percent were individual contributors. Nearly 85 percent of companies were in North America, with the rest residing from EMEA, LATAM, and APAC.
In this second annual report, Demisto shifted the focus from incident response towards Security Orchestration, Automation, and Response (SOAR). Incident response focuses primarily on addressing issues after they have been identified. However, an incident’s lifecycle involves many more stages: aggregation, enrichment, correlation, and investigation being some of them. SOAR, unlike incident response, addresses all these stages and more. The building blocks that make up SOAR are:
- Orchestration refers to the act of integrating disparate technologies, usually through workflows, so that they can function together. This means using security specific and non-security specific technologies simultaneously in a way that eases coordination.
- Automation refers to the process of machines executing tasks hitherto performed by humans. In the context of SOAR, automation is ideally seen as human enhancement and not human replacement. Automation of repeatable, low-level tasks acts in concert with human decision-making for overall acceleration of incident investigations.
- Incident management and the response is still a crucial element in SOAR. Fundamentally, SOAR seeks to foster a comprehensive, end-to-end understanding of incidents by security teams, resulting in a better, more informed response.
- Dashboards and reports form a critical part of SOAR. One of the ways to achieve unified response is by providing data visualizations where incidents can be easily seen, correlated, triaged, documented, and measured.
The development of SOAR as a cybersecurity practice has been driven chiefly by the shortcomings of conventional tactics:
- Staff Shortage: There continues to be a sizable demand-supply gap in terms of security personnel. To meet this challenge, organizations are searching for fields where automation and standardization can help their existing employees work better and faster.
- Unattended Alerts: The sheer volume of alerts far outpaces the security team’s capacity to examine them. Consequently, serious threats can be left unaddressed because security teams are too busy wading through the sea of events on their screens.
- A Paucity of Proactivity: Since security teams are so busy dealing with day-to-day alert prioritization and response, they don’t have time to proactively hunt for threats in their environment before it’s too late. This inability to read early warning signs results in a vicious cycle that leads to even more alerts being generated, usually after it’s too late.
- Lack of Central Context: The process of determining if an alert constitutes a serious threat requires cross-referencing multiple data sources for complete context. While a large number of security tools provide unique threat insights, teams find it tough to collate and correlate intelligence at a central location, leading to variance in investigation quality.
Alerts Continue to rising
The research found that security teams review over 12,000 alerts per week on average. The chief sources for this alert fatigue were a proliferation of security tools (46% of respondents stated that their security tools generated too many alerts) and a shortage of experienced analysts (79% of respondents highlighted ‘not enough people’ as a key SOC challenge). A direct outcome of rising alert volumes was felt in high MTTR (Mean Time to Respond), with research finding that it took an average of 4.35 days to resolve an incident.
Organizations continue to face challenges in hiring, training and retaining security personnel. The survey found that it took an average of 8 months to train new security analysts; despite this, a quarter of employees were likely to end up leaving within 2 years. In this scenario, SOAR tools should aim to fill personnel gaps and make existing analysts’ jobs easier and more fruitful.
Piecemeal Processes and Measurement
A direct consequence of rising alerts and scarce resources is that security teams are too busy responding to incidents to find time for strategic process measurement and improvement. Close to 42% of respondents cited that they didn’t have a system in place to measure IR metrics. Over 50% of respondents stated that they either did not have process playbooks in place or that the playbooks were rarely updated after initial implementation.
Willingness to Automate
One of the key findings from the research was an increase in the number of respondents who indicated a strong ‘readiness to automate’. Besides the growing market validation of automation, this increase in willingness is likely connected to the fact that all four major security challenges revealed by research participants were related to human capital shortages.
It’s Threat Hunting Time
Research respondents saw SOAR helping with both proactive and reactive spheres of their day-to-day operations. Around 62% of respondents cited threat hunting as an expected benefit of SOAR (specifically automation). SOAR tools have a unique capability combination: they’re able to ingest threat data from multiple sources, and they’re able to execute automated playbooks that rapidly check for these threats across user environments. When executed correctly, threat hunting and SOAR work for a hand in glove.
Multi-faceted SOAR Value
The survey found that respondents understood the value of SOAR and estimated that it could help across a range of issues. The major expected benefits of SOAR were in reducing false positives, prioritizing incidents after risk determination, coordinating actions across security tools, and automating repeatable response actions.
Security teams are plagued by challenges that can be attributed to two main drivers – rising alerts and scarce resources. Rising alerts lead to high false positives, fragmented response processes, and a time crunch that prevents measurement and improvement. Scarce resources make it difficult to effectively hire, train, and retain security analysts as well as extract optimal value from existing security investments.
SOAR tools can help solder in these chinks in a SOC’s armor. By unifying and automating actions across security products in structured workflows, SOAR tools can enable repeatable, a faster incident response that frees up analyst time for measurement and improvement. Security teams expect SOAR tool applications in threat hunting, incident response, and investigation, covering the entire threat lifecycle.
About the Author
Rishi Bhargava is Co-founder and VP, Marketing for Demisto, a cyber security startup with the mission to make security operations – “faster, leaner and smarter”. Prior to founding Demisto, Rishi was Vice President and General Manager of the Software Defined Datacenter Group at Intel Security. A visionary and technology enthusiast, he was responsible for delivering Intel integrated Security Solutions for datacenters. Before Intel, Rishi was Vice President of Product Management for Datacenter and Server security products at McAfee, now part of Intel Security. As an intrapreneur at McAfee, he launched multiple products to establish McAfee leadership in risk & compliance, virtualization, and cloud security. Rishi joined McAfee by way of acquisition in 2009 (Solidcore, Enterprise Security Startup). At Solidcore, he was responsible for Product Management and Strategy. As one of the early employees and member of the leadership team, he was instrumental in defining the company’s product strategy and growing the business; Rishi has over a dozen patents in the area of Computer Security. He holds a B. S. in Computer Science from Indian Institute of Technology, New Delhi and a Masters in Computer Science from University of Southern California, Los Angeles. Rishi is passionate about new technologies and industry trends and serves as an active advisor to multiple startups in silicon valley and India.