Why is incident response automation and orchestration so hot?


I couldn’t attend the RSA Conference this year, but many cybersecurity professionals and my ESG colleagues told me that incident response (IR) automation and orchestration was one of the hottest topics in the halls of the Moscone Center—through the bar at the W hotel and even at the teahouse on the garden at Yerba Buena.

Was this rhetoric just industry hype? Nope. This buzz is driven by the demand side rather than suppliers. In truth, cybersecurity professionals need immediate IR help for several reasons:

  1. IR is dominated by manual processes.
    Let’s face it, IR tasks such as fetching data, tracking events or collaborating with colleagues depend upon the organizational, communications and technical skills of individuals within the security operations team. These manual processes ultimately get in the way of overall IR productivity.
    In a recent research project, infosec pros were asked, ‘Do you believe that your organization’s incident response efficiency and effectiveness are limited by the time and effort required for manual processes?’ Fifty-two percent of cybersecurity professionals responded, “yes, significantly,” while another 41 percent said, “yes, somewhat.” Furthermore, 27 percent of cybersecurity pros say they spend 50 percent or more of their IR time on manual processes.
  1. IR is a dysfunctional team sport.
    The SOC team may be responsible for finding the fires, but it counts on IT operations to actually fight the fires. Unfortunately, this relationship isn’t always a finely tuned machine. One-third of cybersecurity professionals say coordinating IR activities between cybersecurity and IT operations teams is the top IR challenge at their organization.
  1. IR shines a spotlight on the cybersecurity skills shortage.
    According to ESG research, 45 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2017. Furthermore, as part of a 2016 research study of cybersecurity professional careers done by ESG and the Information Systems Security Association (ISSA), 437 cybersecurity professionals were asked to identify the areas of cybersecurity where their organizations had the biggest skills deficits. The top area cited (33 percent) was security analysis and investigations. If you have a security analysis and investigations skills shortage, IR is bound to suffer.

Let’s look at these issues in aggregate: Understaffed and under-skilled SOC teams depend on key individuals and manual processes to get their jobs done. And when cybersecurity professionals detect something wrong, they don’t work well with the IT operations team to fix problems in an efficient manner. As they say down south, “that dog don’t hunt.”

Read full story…