To coincide with an upcoming webinar, we recently presented guest Forrester Senior Analyst Joseph Blankenship with a series of questions about the current and predicted future state of Security Automation and Orchestration (SAO). Below are his responses to our questions and the Forrester view on the market.
How does SAO help security teams?
Security teams have long been challenged by the number of alerts they receive and by the lack of skilled security staff to address them. Forrester surveys indicate that 62% of enterprise security decision makers don’t have enough staff, and 65% state that they are challenged with finding employees with the right skills¹. Many teams lack programming and scripting skills, which hampers their efforts to gain efficiency.
As other technology domains have benefited greatly from automation, security has lagged, performing much of its work manually. Efforts at automating were limited to bits of custom script written ad hoc to perform a specified task. Because of this, teams have been slow to detect and respond to threats. SAO gives these teams the ability to automate security workflows, helping them reduce risk by:
- Gaining operational efficiency and increasing consistency
- Handling the high volume of alerts, leaving no alert unaddressed
- Guiding analysts on appropriate next steps and associating context
- Detecting and responding to threats faster
- Reducing attacker dwell time
Which teams are best suited for SAO? Which will see the most benefit?
Security teams with more mature processes will initially see the greatest benefits from SAO. These teams already have documented processes, which are more easily automated. By definition, process orchestration requires defined processes (it’s difficult to automate what you can’t define). Therefore, teams with documented processes will find it easier initially to map their processes to SAO tools. Over time, however, SAO solutions will evolve so that security teams of all sizes and skill levels can benefit.
How must SAO solutions evolve for widespread adoption?
Current SAO tools are good at assisting teams with defined processes to address known threats. To achieve widespread adoption, SAO solutions will evolve to help guide less mature teams to define processes that work in their unique environments, walking them through the creation process. SAO tools will also need to provide guidance to less experienced analysts for incidents that currently lack procedures.
SAO tools must also integrate with the technology tools currently in use by their customers. Security decision makers are much more likely to choose tools that work with their current investments.
Ease of use will encourage adoption. Security is hard enough without making the technology designed to help difficult to use. SAO solutions that allow security professionals who don’t have strong coding skills to use them effectively will encourage adoption by teams that lack deep coding knowledge and experience. Being able to quickly add a new playbook or workflow will enable security teams to adapt the SAO solution to their changing environment as well.
The market is really focused on incident response automation. Will that change?
Incident response (IR) and investigation is a natural early use case for SAO. With its many moving parts and the need to access multiple systems to collect necessary data, speeding investigation and response has an immediate, measurable impact for security teams. There are, however, multiple additional use cases for SAO. Some of these include:
- Triaging alerts
- Hunting indicators of compromise (IOCs)
- Sharing intelligence
- Managing vulnerabilities
- Responding to threats
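To make the triage and response use cases above concrete, here is a small alert-triage playbook written as an added illustration for this post; it is not Phantom product code and not part of the Forrester material. It enriches each alert with context (a threat-intelligence verdict for the indicator and the criticality of the host), decides on a next step, records how long the alert sat before triage, and audits that no alert was left unaddressed. The threat-intel records, asset inventory, hostnames, indicators and alerts are all constructed for the example.

```python
"""Alert-triage playbook: enrich each alert with context, decide a next step,
and check that no alert is left unaddressed.  Added example; every indicator,
host and intel record below is constructed, not data from the article."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed threat-intelligence feed (stand-in for a TI platform lookup):
# indicator -> verdict, confidence (0-100) and a tag.
THREAT_INTEL = {
    "198.51.100.23": {"verdict": "malicious", "confidence": 90, "tag": "c2"},
    "203.0.113.7": {"verdict": "suspicious", "confidence": 40, "tag": "scanner"},
    "192.0.2.10": {"verdict": "benign", "confidence": 95, "tag": "cdn"},
}

# Constructed asset inventory: hostname -> business criticality.
ASSETS = {"fin-db-01": "high", "wks-0412": "low"}


@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str
    observed_at: datetime


@dataclass
class TriageResult:
    alert_id: str
    action: str          # "contain", "escalate" or "close"
    rationale: str
    context: dict = field(default_factory=dict)


def enrich(alert: Alert) -> dict:
    """Associate context: TI verdict for the indicator and criticality of the host.
    Unknown indicators and hosts get explicit 'unknown' values rather than errors."""
    intel = THREAT_INTEL.get(
        alert.indicator, {"verdict": "unknown", "confidence": 0, "tag": None})
    return {"intel": intel, "criticality": ASSETS.get(alert.host, "unknown")}


def decide(ctx: dict) -> tuple:
    """Map enriched context to a next step.  Automation acts on its own only for
    high-confidence malicious hits on low-criticality assets; anything ambiguous
    goes to an analyst with the context attached, so nothing is silently dropped."""
    verdict = ctx["intel"]["verdict"]
    confidence = ctx["intel"]["confidence"]
    if verdict == "malicious" and confidence >= 80:
        if ctx["criticality"] == "high":
            return "escalate", "malicious indicator on high-criticality asset; analyst approves containment"
        return "contain", "high-confidence malicious indicator on low-criticality asset; auto-isolate host"
    if verdict == "benign" and confidence >= 80:
        return "close", "high-confidence benign indicator"
    return "escalate", f"{verdict} indicator (confidence {confidence}); analyst review with context"


def run_playbook(alerts: list, now: datetime) -> list:
    """Run enrichment and decision over every alert; returns one result per alert."""
    results = []
    for alert in alerts:
        ctx = enrich(alert)
        # Seconds the alert sat untriaged: the dwell-time component automation shortens.
        ctx["age_seconds"] = (now - alert.observed_at).total_seconds()
        action, why = decide(ctx)
        results.append(TriageResult(alert.alert_id, action, why, ctx))
    return results


def unaddressed(alerts: list, results: list) -> set:
    """Audit check: alert IDs that received no triage result (should be empty)."""
    return {a.alert_id for a in alerts} - {r.alert_id for r in results}


def summarize(results: list) -> dict:
    """Count of alerts per action, for the analyst queue or a dashboard."""
    counts = {}
    for r in results:
        counts[r.action] = counts.get(r.action, 0) + 1
    return counts


# Constructed sample alerts and clock.
T0 = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2017, 6, 1, 12, 5, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("A1", "fin-db-01", "198.51.100.23", T0),
    Alert("A2", "wks-0412", "198.51.100.23", T0),
    Alert("A3", "wks-0412", "203.0.113.7", T0),
    Alert("A4", "wks-0412", "192.0.2.55", T0),      # indicator in no feed
    Alert("A5", "unknown-host", "192.0.2.10", T0),  # host not in inventory
]

if __name__ == "__main__":
    for r in run_playbook(SAMPLE_ALERTS, NOW):
        print(r.alert_id, r.action, "-", r.rationale)
    print("unaddressed:", unaddressed(SAMPLE_ALERTS, run_playbook(SAMPLE_ALERTS, NOW)))
```

The design choice worth noting is the asymmetry in `decide`: the playbook auto-contains only when the verdict is high-confidence and the blast radius is small, and routes every ambiguous or high-impact case to an analyst with the enrichment attached. That is what lets a team gain consistency and speed without handing an automated tool the power to isolate a production database on a 40-confidence hit.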
What should people look for in SAO solutions now?
Security leaders should look for SAO solutions that will fit well with their current staff and technology stack. If possible, let analysts use tools under consideration to gauge their comfort level and competency with the tools. Make sure a particular SAO solution integrates with your current technology as well as any technology under consideration for the future.
Check to see if the SAO vendor has an active user community and knowledge base. Security professionals are often good at helping each other solve problems by sharing ideas. User communities help to facilitate collaboration between people who are using the solution.
Some security teams will benefit from services to assist with the initial implementation. If processes aren’t documented or aren’t consistent, it may be necessary to bring in a service provider to help identify and develop use cases, configure the solution, train the staff, or build custom integrations to non-standard technology tools.
Learn more about the current and predicted future state of Security Automation and Orchestration during our live webinar on Thursday June 22, 2017. Phantom CEO Oliver Friedrichs and guest Forrester Senior Analyst Joseph Blankenship will present their perspectives and answer your questions live.
¹Source: Forrester Data Global Business Technographics Security Survey, 2016.