Why Incident Response Automation and Orchestration Are So Hot

Author: Jon Oltsik

I couldn’t attend the RSA Conference this year but many cybersecurity professionals and my ESG colleagues told me that incident response automation and orchestration ranked among the hottest topics in the halls of the Moscone Center, through the bar at the W hotel, and even at the teahouse on the garden at Yerba Buena.

Was this rhetoric just industry hype? Nope. This buzz is driven by the demand side rather than suppliers. In truth, cybersecurity professionals need immediate incident response (IR) help for several reasons:

1. IR is dominated by manual processes. Let’s face it, IR tasks like fetching data, tracking events, or collaborating with colleagues depend upon the organizational, communications, and technical skills of individuals within the security operations team. These manual processes ultimately get in the way of overall IR productivity. When asked: "Do you believe that your organization’s incident response efficiency and effectiveness are limited by the time and effort required for manual processes?" Fifty-two percent of cybersecurity professionals responded, “yes, significantly” while another 41% said, “yes, somewhat.” Furthermore, 27% of cybersecurity pros say they spend 50% or more of their IR time on manual processes.

2. IR is a dysfunctional team sport. The SOC team may be responsible for finding the fires, but it counts on IT operations to actually fight the fires. Unfortunately, this relationship isn’t always a finely tuned machine—one-third of cybersecurity professionals say that coordinating incident response activities between cybersecurity and IT operations teams is the top IR challenge at their organization.

3. IR shines a spotlight on the cybersecurity skills shortage. According to ESG research, 45% of organizations say they have a problematic shortage of cybersecurity skills in 2017. Furthermore, as part of a 2016 research study of cybersecurity professional careers done by ESG and the Information Systems Security Association (ISSA), 437 cybersec pros were asked to identify the areas of cybersecurity where their organizations had the biggest skills deficits. The top area cited (33%) was security analysis and investigations. If you have a security analysis and investigations skills shortage, IR is bound to suffer.

Let’s look at these issues in aggregate: Understaffed and under-skilled SOC teams depend upon key individuals and manual processes to get their jobs done. And when cybersecurity professionals detect something wrong, they don’t work well with the IT operations team to fix problems in an efficient manner. As they say down south, “that dog don’t hunt.”

Little wonder then, why CISOs are turning to IR automation and orchestration initiatives. A few years ago, this meant scripting, open source, and custom coding. What’s changed over the past few years however is greater support SOC workflows within SIEM tools (AlienVault, IBM QRadar, LogRhythm, McAfee, Splunk, etc.) and the rise of innovative incident response platforms (FireEye, Hexadite, Phantom, Resilient, Siemplify, ServiceNow, etc.).

CISOs are still assessing the scope of their IR problems and figuring out what to do first. Still, they are actively engaged and plan to do more—46% of cybersecurity professionals say that their organizations’ IR budgets will increase significantly this year while 42% claim that budgets will increase somewhat in 2017. For good reasons: A lot of these dollars will be targeted at IR automation and orchestration, while gluing the whole IR enchilada together through a security operations and analytics architecture (SOAPA). Thus, the demand-driven buzz at RSA was real this year—at least for IR automation and orchestration that is.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.