D3 recently sponsored the 2019 SANS Security Automation & SOC Integration Survey. The detailed survey compiled responses from 218 professionals involved in cybersecurity practices. The survey is an excellent resource that provides insight into how security automation is perceived, how organizations are using security automation, and how that is likely to change in the near future.
In the section of the survey excerpted below, the author discusses the finding that integration of SOC and IR teams correlated strongly with an organization's adoption of automation. The excerpt is followed by our thoughts on what the findings mean for security automation vendors and buyers.
Survey Excerpt: SOC’s Impact on Automation
The level of collaboration achieved between the security operations center (SOC) and IR teams appears to be a factor in organizations’ adoption of automation. Organizations that have fully integrated their IR team with their SOC show the greatest adoption of medium- or high-level automation.
How this dependency may affect future automation and integration plans remains unclear. Whereas 52% foresee no change in status during the next 12 months, 25% remain unsure. For the 23% who anticipate change, several respondents noted that they are in the midst of defining the problem.
A significant portion of SOC actions focus on finding and validating security incidents—activities that are also key to IR. Fully integrating the SOC and IR teams can contribute to the success of SOC automation. Consider addressing any cultural issues when starting to consider improving instrumentation—including working to improve relationships between the SOC and IR teams, and removing any silos that stand between these groups.
“More information-sharing in day-to-day business, not just during an incident [is needed]. Cross-access to specialized tools [and b]etter, more standardized policy, process and procedure documentation [are also needed] to make cross-training easier.” – Survey Respondent
What this Means for SOAR Vendors
As suggested in the excerpt, there is significant overlap between the conventional responsibilities of SOC and IR teams. If the SOC team is detecting incidents and the IR team is responding to incidents, it simply makes sense for those two groups to be as closely integrated as possible. As security orchestration, automation, and response (SOAR) tools become increasingly powerful, they are blurring the lines between detection and response, making integration even more important.
More than half of the survey respondents don’t anticipate their arrangement changing in the next year, so automation vendors should think about how they can enable collaboration between teams to increase adoption of automation tools.
D3 has always strived to support collaboration and break down silos in organizations, something the survey mentions specifically. We achieve this through a number of characteristics of our SOAR platform. The first is that D3 SOAR acts as a centralized hub for incident data and incident handling procedures. All historical incidents are stored alongside every IOC, past actions by analysts, data ingested from other tools, and contextual data such as threat intelligence. D3’s role-based access controls mean that every relevant security staff member can view the appropriate subset of this data, even though it is all stored in a single centralized database.
D3 also enables integration of teams through collaborative case management, instant messaging, task assignments, and automated notifications. Nearly any data in D3 can be reported on, generating metrics and analytics that give visibility to all levels of the organization. Communication and visibility break down silos and give SOC and IR teams the tools and information they need to work together seamlessly.
We highly recommend reading the entire survey, where these ideas and more are explored using the responses of more than 200 real-world security pros. You can download the 2019 SANS Automation & Integration Survey here.