D3 recently sponsored the 2019 SANS Security Automation & SOC Integration Survey. The detailed survey compiled responses from 218 professionals involved in cybersecurity practices. The survey is an excellent resource that provides insight into how security automation is perceived, how organizations are using security automation, and how that is likely to change in the near future.
The following sections cover five misconceptions about security automation that SANS found were not supported by the survey data. We have excerpted sections from the report and added our own comments about how we approach these subjects at D3.
Misconception #1: Anything can be automated.
SANS Report: Integration requirements across the IT stack today are numerous, broad and complex, making it nearly impossible for operational teams to develop the unique plug-ins needed to orchestrate tasks across all the endpoints and security tools in place within their infrastructure.
Specifically, the IoT revolution limits the capability to provide enterprise automation, given the diversity of endpoints that inhibit interoperability. Given the rapid explosion of these endpoints, there is a need for security orchestration, automation and response (SOAR) platforms that can handle the integrations and the numbers. Don’t overlook the vulnerabilities these devices and sensors introduce!
D3: The author of the report makes a great point about how SOAR can solve the problem of too many tools and endpoints in complex environments. D3 SOAR integrates with more than 200 tools out-of-the-box, with support for easy custom integrations.
Misconception #2: Automation will replace people with machines or robots.
SANS Report: Automation allows security experts to focus on more important aspects of the security life cycle. In this survey, automation doesn’t appear to negatively affect staffing. For the most part, respondents see automation as allowing them to explore new areas and to concentrate on more strategic endeavors.
D3: This is a point we’ve often made about incident response automation, and about SOAR in general: it’s not about getting rid of your security people, it’s about freeing them up to do the work that actually requires their expertise, instead of triaging low-value alerts all day.
Misconception #3: Existing tools can be easily integrated to automate anything.
SANS Report: The integration of disparate tools and technologies to achieve crucial interoperability appears to be a more pressing concern for respondents than staffing. This can create risk and possible uncertainty in budgeting for automation, as the specific requirements for interoperability are not well-understood.
Taxonomies are typically applied to data within security technology—this is a much larger issue than it is for automation alone, and there is no standardization in sight. The end customers interested in automation need to know that the tools they use can typically be made to work regardless of the taxonomy, and other complexities around integration—but the benefit may not be worth the effort, and there are solutions with offerings that can help alleviate some of the pain of integration.
D3: The last thing a prospective SOAR buyer wants is a system that wastes more time and budget than it saves. We’ve tried to minimize the difficulties of interoperability by pre-building integrations, so they require no scripting from users. We also don’t charge for any actions within the system, so users’ budgets are predictable and don’t run the risk of skyrocketing when a cyber attack hits. If you’re evaluating SOAR, check out our must-read SOAR Buyer’s Guide.
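The taxonomy problem the report describes under Misconception #3 (and the “semantic gaps in the data” it returns to under Misconception #5) is concrete: two tools report the same event with different field names, different severity scales and different timestamp formats, and a playbook cannot act on both until they are mapped onto one schema. The following is an added example, not code from the report or from D3 SOAR. The two source alert formats, the tool names “edr” and “firewall”, and the sample alerts are all constructed for illustration; the only point is the mapping layer and the fact that an unmapped value must fail loudly rather than be silently dropped.

```python
"""Map alerts from two differently structured tools onto one schema.

Constructed example: the two source formats imitate a generic EDR and a generic
firewall and are not any real vendor's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class NormalizedAlert:
    source_tool: str
    source_id: str
    severity: int          # common scale: 1 = critical .. 4 = low
    host: str              # short hostname, lower-case
    ip: str
    observed_at: datetime  # timezone-aware UTC
    title: str


class TaxonomyError(ValueError):
    """A value in a source alert has no mapping in the common schema."""


# Constructed sample alerts for the two hypothetical tools.
EDR_ALERT = {
    "alert_id": "edr-1001",
    "severity": "High",                       # word scale
    "hostname": "WS-0042",
    "src_ip": "10.1.2.3",
    "detected_at": "2019-06-12T14:03:11Z",    # ISO 8601
    "rule": "Credential access: LSASS memory read",
}
FIREWALL_ALERT = {
    "id": 77,
    "priority": 2,                            # numeric scale, 1 = highest
    "host": "ws-0042.corp.example",
    "source": "10.1.2.3",
    "ts": 1560348191,                         # epoch seconds, same instant as above
    "signature": "Outbound connection to known C2 address",
}

_EDR_SEVERITY = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4}


def _short_host(name):
    return name.split(".")[0].lower()


def normalize_edr(raw):
    sev = _EDR_SEVERITY.get(raw["severity"])
    if sev is None:
        raise TaxonomyError(f"unknown EDR severity {raw['severity']!r}")
    observed = datetime.strptime(raw["detected_at"], "%Y-%m-%dT%H:%M:%SZ")
    return NormalizedAlert(
        source_tool="edr",
        source_id=str(raw["alert_id"]),
        severity=sev,
        host=_short_host(raw["hostname"]),
        ip=raw["src_ip"],
        observed_at=observed.replace(tzinfo=timezone.utc),
        title=raw["rule"],
    )


def normalize_firewall(raw):
    prio = raw["priority"]
    if prio not in (1, 2, 3, 4):
        raise TaxonomyError(f"unknown firewall priority {prio!r}")
    return NormalizedAlert(
        source_tool="firewall",
        source_id=str(raw["id"]),
        severity=prio,                         # already on a 1..4 scale
        host=_short_host(raw["host"]),
        ip=raw["source"],
        observed_at=datetime.fromtimestamp(raw["ts"], tz=timezone.utc),
        title=raw["signature"],
    )


# One entry per integration; adding a tool means adding one mapping function.
NORMALIZERS = {"edr": normalize_edr, "firewall": normalize_firewall}


def normalize(tool, raw):
    if tool not in NORMALIZERS:
        raise TaxonomyError(f"no integration for tool {tool!r}")
    return NORMALIZERS[tool](raw)


def correlate_by_host(alerts):
    """Group normalized alerts by host so a playbook can treat them as one case."""
    groups = {}
    for alert in alerts:
        groups.setdefault(alert.host, []).append(alert)
    return groups


if __name__ == "__main__":
    alerts = [normalize("edr", EDR_ALERT), normalize("firewall", FIREWALL_ALERT)]
    for host, group in correlate_by_host(alerts).items():
        print(host, [(a.source_tool, a.severity, a.title) for a in group])
```

Once both alerts are in the common form, the host, IP and timestamp line up and the two events correlate into a single case. The `TaxonomyError` path is the part worth keeping in a real integration: a severity word or priority code the mapping has never seen should stop the pipeline for review, because silently defaulting it to “low” is how an automated triage step discards a real incident.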
Misconception #4: Automation is easy to measure.
SANS Report: Although the use of automation for response is still in the planning stages at most organizations, respondents feel positive about its ability to enhance the performance of SecOps and IR teams, such as improving alert monitoring/prioritization and eliminating alert fatigue. Organizations do, however, need to develop better metrics to visualize and evaluate automation efforts.
D3: Metrics are hugely important, as the author of the report hints at here, because they can quantify the return on an organization’s investment in automation. Having a SOAR platform that acts as a central hub for all security data is a great way to produce comprehensive SOAR metrics.
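The report says organizations need better metrics for automation but does not say which ones. The following is an added example, not code from the report or from D3 SOAR, of the minimum a case database makes possible: mean time to acknowledge and mean time to resolve, split by whether a playbook or an analyst handled the case, plus the reopen rate for automated closures as a quality check. The incident records, their field names and the handler labels “analyst” and “playbook” are all constructed for illustration.

```python
"""Compute response metrics from incident records, split by who handled them.

Constructed example: the records below are invented and stand in for what a
SOAR platform's case database would hold.
"""
from datetime import datetime, timezone
from statistics import mean

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed incident records. handled_by is "playbook" for cases the
# automation closed and "analyst" for cases a person worked. A resolved value
# of None means the case is still open; every case here has been acknowledged.
INCIDENTS = [
    {"id": "INC-1", "handled_by": "analyst", "created": "2019-07-01T09:00:00Z",
     "acknowledged": "2019-07-01T09:40:00Z", "resolved": "2019-07-01T11:30:00Z", "reopened": False},
    {"id": "INC-2", "handled_by": "analyst", "created": "2019-07-01T13:00:00Z",
     "acknowledged": "2019-07-01T13:20:00Z", "resolved": "2019-07-01T15:30:00Z", "reopened": False},
    {"id": "INC-3", "handled_by": "playbook", "created": "2019-07-02T02:00:00Z",
     "acknowledged": "2019-07-02T02:01:00Z", "resolved": "2019-07-02T02:05:00Z", "reopened": False},
    {"id": "INC-4", "handled_by": "playbook", "created": "2019-07-02T02:30:00Z",
     "acknowledged": "2019-07-02T02:31:00Z", "resolved": "2019-07-02T02:35:00Z", "reopened": True},
    {"id": "INC-5", "handled_by": "playbook", "created": "2019-07-02T03:00:00Z",
     "acknowledged": "2019-07-02T03:01:00Z", "resolved": "2019-07-02T03:05:00Z", "reopened": False},
    {"id": "INC-6", "handled_by": "analyst", "created": "2019-07-02T08:00:00Z",
     "acknowledged": "2019-07-02T08:00:00Z", "resolved": None, "reopened": False},
]


def _ts(value):
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def _minutes(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 60


def metrics_by_handler(incidents):
    """Return per-handler counts, MTTA, MTTR (minutes) and reopen rate.

    Open cases count toward volume and MTTA but are excluded from MTTR, so a
    backlog of unresolved analyst cases does not make the analyst MTTR look
    better than it is.
    """
    by_handler = {}
    for inc in incidents:
        by_handler.setdefault(inc["handled_by"], []).append(inc)

    result = {}
    for handler, group in by_handler.items():
        resolved = [i for i in group if i["resolved"] is not None]
        ack = [_minutes(i["created"], i["acknowledged"]) for i in group]
        ttr = [_minutes(i["created"], i["resolved"]) for i in resolved]
        reopened = sum(1 for i in resolved if i["reopened"])
        result[handler] = {
            "count": len(group),
            "resolved": len(resolved),
            "mtta_min": mean(ack) if ack else None,
            "mttr_min": mean(ttr) if ttr else None,
            # Share of closures that had to be reopened: the check that
            # automation is closing cases correctly, not merely quickly.
            "reopen_rate": reopened / len(resolved) if resolved else None,
        }
    return result


def automation_share(incidents):
    """Fraction of cases closed by a playbook rather than a person."""
    if not incidents:
        return 0.0
    return sum(1 for i in incidents if i["handled_by"] == "playbook") / len(incidents)


if __name__ == "__main__":
    for handler, m in metrics_by_handler(INCIDENTS).items():
        print(handler, m)
    print("automation share:", automation_share(INCIDENTS))
```

MTTA and MTTR by handler are the numbers that show where automation removed waiting time; the reopen rate is the one that keeps those numbers honest, since a playbook that closes everything in five minutes and gets a third of its closures reopened has shifted work, not removed it. Converting the minutes saved into an analyst-hours or dollar figure needs an assumed cost per analyst-hour, which is deliberately left out here.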
Misconception #5: Automation is quick to implement.
SANS Report: Actually, automation takes a tremendous amount of effort to arrive at the point where it makes things look easy. Don’t underestimate the resources needed to define the processes—in the light of more effective tools—and close the semantic gaps in the data gathered. Effective automation depends on the integration of people, process and technology. Automation of security processes will face bumps in the road—bumps that organizations can overcome by reaching out to other industry sectors (such as document management) that have embraced automation across diverse platforms and disparate technologies to understand and appropriately apply the “lessons learned.”
D3: It’s true: organizations shouldn’t expect to just flip a switch and automate their entire security infrastructure. Going in with a solid plan and with expert support from your vendors is critical. Check out our Before You SOAR whitepaper for tips on how to implement security automation.
We highly recommend reading the entire survey, where these ideas and more are explored using the responses of more than 200 real-world security pros. You can download the 2019 SANS Automation & Integration Survey here.