It’s the security circle of life. New threats breed new security technologies and services. Security budgets continue to outpace the prior year’s. Gartner research estimates security spending will exceed $90 Billion in 2017. Expenditures have never been greater, and the rate of growth isn’t slowing down.
Despite devoting more of our resources – both technology budgets and human capital – we still struggle to keep up: we fail to make decisions and take action despite having more information than ever before.
The reasons why are perhaps as complicated as the threats we’re working to defend against.
We don’t always take the best course of action, or any action at all, and that is especially true when we aren’t sure what to do – around one-third of the time, according to recent SANS data. Even when we do know what to do, SANS data shows that around two-thirds of the time we still struggle to execute well. Paralysis sets in. For instance, we simply can’t keep up with the volume of attacks. A good analyst can handle 10 – 12 issues in a day. Unfortunately, attackers don’t meter their approach. Bursts of attack activity can produce volume that simply can’t be handled. Overwhelmed, the team triages what it can address, while the rest wreaks havoc on the organization.
Even when the volume is manageable, political issues can slow MTTR (Mean Time to Resolution). Asking the Exchange admin to pull a suspected phishing email from the server for further analysis can triple response times, or worse. And sometimes we just make mistakes: inexperienced analysts aren’t well versed in the process, or experienced analysts skip steps thinking they know a better approach. It’s the age-old challenge of making the human element in the process – essential but not always reliable – quicker and more effective.
The emergence of Security Automation and Orchestration platforms is helping organizations address the challenge. Early adopters have proven that automated investigation and enrichment can help to improve MTTR and ensure that events are handled consistently – the same way every time.
Security Automation and Orchestration platforms rely on established processes. The most successful deployments are based on SOPs (Standard Operating Procedures) that analysts have encoded into the platform. When an organization is dealing with known attack patterns, automation can help, and is helping. When it comes to the unknown, the results aren’t as certain.
If a process is ill-defined or doesn’t exist, automation is futile. It’s often said, “you can’t manage what you don’t measure.” The corollary is, “you can’t automate what you don’t know.”
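To make the point concrete, here is an added example (not code from the original post or from any vendor’s platform) of what “encoding an SOP into the platform” looks like in practice: a small playbook runner for user-reported phishing alerts. The indicator list, allowlist, alert fields and action names are all constructed for the illustration. Alerts that match a rule the analysts wrote get the same course of action every time; anything no rule covers is the “unknown” and is handed to a human with the enrichment already attached, rather than guessed at.

```python
"""Toy phishing-triage playbook: an SOP encoded as rules over enriched alerts.

Constructed example for illustration; the indicator feed, allowlist and
action names are placeholders, not a real product's API.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator list standing in for a threat-intel feed.
KNOWN_BAD_DOMAINS = {"login-verify-example.invalid", "secure-update-example.invalid"}
# Constructed allowlist of domains the organisation treats as its own.
ALLOWED_DOMAINS = {"example.com", "mail.example.com"}

# Captures the host part of any http(s) URL in the message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Alert:
    alert_id: str
    sender_domain: str
    subject: str
    body: str


@dataclass
class CaseRecord:
    alert_id: str
    verdict: str                      # "automated" or "needs_analyst"
    actions: list = field(default_factory=list)
    enrichment: dict = field(default_factory=dict)


def enrich(alert):
    """Step 1 of the SOP: gather the facts an analyst would otherwise collect by hand."""
    domains = {d.lower() for d in URL_RE.findall(alert.body)}
    sender = alert.sender_domain.lower()
    return {
        "link_domains": sorted(domains),
        "external_link_domains": sorted(domains - ALLOWED_DOMAINS),
        "known_bad_links": sorted(domains & KNOWN_BAD_DOMAINS),
        "sender_known_bad": sender in KNOWN_BAD_DOMAINS,
        "sender_internal": sender in ALLOWED_DOMAINS,
    }


def run_playbook(alert):
    """Step 2: apply the encoded rules. Known patterns get a fixed course of action;
    anything the rules do not cover is escalated instead of auto-closed."""
    facts = enrich(alert)
    record = CaseRecord(alert.alert_id, verdict="", enrichment=facts)

    # Rule A: sender or a link matches a known-bad indicator -> contain immediately.
    if facts["sender_known_bad"] or facts["known_bad_links"]:
        record.verdict = "automated"
        record.actions += ["quarantine_message", "block_indicators", "notify_reporters"]
        return record

    # Rule B: internal sender and only links to our own domains -> benign per SOP.
    if facts["sender_internal"] and not facts["external_link_domains"]:
        record.verdict = "automated"
        record.actions.append("close_as_benign")
        return record

    # No rule matched: this is an "unknown"; hand it to a human with the facts attached.
    record.verdict = "needs_analyst"
    record.actions.append("open_case_for_analyst")
    return record


def triage(alerts):
    """Run the playbook over a burst of alerts and report how much was absorbed
    automatically versus how much still lands on the analyst queue."""
    records = [run_playbook(a) for a in alerts]
    summary = {"automated": 0, "needs_analyst": 0}
    for r in records:
        summary[r.verdict] += 1
    return records, summary


if __name__ == "__main__":
    # Constructed sample alerts, one per outcome.
    sample = [
        Alert("A-1", "login-verify-example.invalid", "Password reset",
              "Confirm at http://login-verify-example.invalid/reset"),
        Alert("A-2", "example.com", "Cafeteria menu",
              "This week's menu: https://mail.example.com/menu"),
        Alert("A-3", "newvendor-example.invalid", "Invoice attached",
              "Invoice portal: https://docs-example.invalid/inv/42"),
    ]
    for rec in triage(sample)[0]:
        print(rec.alert_id, rec.verdict, rec.actions)
    print(triage(sample)[1])
```

The two rules are the “known” the SOP captures; the third alert shows the limit the post is describing, where the platform can enrich but not decide, and the analyst still has to choose the course of action.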
Security automation and orchestration is one of the hottest new technologies in the security industry and has demonstrated an impressive return on investment in early deployments, but will we ever fully realize its potential while we depend on humans to guide the automation?
Security Automation and Orchestration platforms must evolve to guide the analyst. Technologies like reinforcement learning are already showing promising results in addressing the “known unknowns”: those cases when we know about the threat but aren’t sure how to respond.
The same advancements also enable Security Automation and Orchestration platforms to serve a broader community. Advanced SOC teams in mature organizations are driving widespread adoption of Security Automation and Orchestration platforms today. Platforms that provide COA (Course of Action) recommendations will bring the technology to the masses who stand to benefit even more.
This is not about automating people out of security management. Humans are an essential component in our war against cyber threats, but we must mitigate weaknesses in speed and accuracy to realize the full benefit of the billions being spent on security technology.
Founder & CEO