Automation Answers Security Skills Shortage

Hackers and analysts do battle with tools and techniques that are constantly evolving. Cybersecurity is an arms race, but it's not a fair one: the bad guys get endless "do overs" during the attack, yet a single InfoSec mistake could invite a breach. This burden of consistency is probably why the good guys are losing. However, something new is coming over the horizon that could even the score.

If ever there had been a day when software automatically stopped breaches, that era is gone. Attackers continually alter malware. Complete certainty in threat detection is only possible for simple attacks. Advanced detection technologies are much more sensitive and require a partnership with humans that can quickly alert analysts to "Take a look at this."

These human practitioners examining alerts represent a weakness. Outlier Security Founder and CTO Greg Hoglund compares them to the weary eyed night watchmen. "Analysts are tired of the doing the same repetitious task," he explains. "They have too much data bombarding them. It doesn't mean you can remove the human from the loop, but it does mean you can make the humans you have more productive."

Today, everyone uses Security Information and Event Management (SIEM) technology to consolidate alerts from their detection products into a single list of priority actions. Yet no aggregation technologies have arisen to organize the response to these alerts. These response activities are most of the work within a SOC, and employ myriad products including antivirus, sandboxes, and forensic tools like Volatility and EnCase.

Introducing Security Orchestration, Automation and Response (SOAR)
SOAR solutions really represent the first effort to act as a quarterback, guiding response activities across many products. Orchestration and automation vendors accomplish this by building connectors against each security product's APIs. Take Phantom, for example. The SOAR vendor boasts third-party apps for "over 670+ APIs across more than 135 security technologies," according to Chris Simmons, the company's director of product marketing.

SOAR orchestrates your many products inside a platform that encompasses:

To this final point, Rishi Bhargava, CEO of Demisto, describes his company's product as a collaboration platform for "enhanced learning among analysts." The vision is to replicate what your most skilled practitioners do, and walk junior analysts through these effective playbooks. Yet some take it a step further than humans working together. Bhargava adds that Demisto's machine learning "enables analysts to escalate their knowledge levels."

SOAR market growth expected
Big industry players are banking on SOAR to be a big deal, with few naysayers. Gartner predicts, "A large percentage of the security budget will shift to SOAR." FireEye, Rapid7 and IBM have all purchased SOAR products. Mega IT ticketing company ServiceNow has released an orchestration and automation offering. SIEM giant Splunk has also stepped into the arena. Across the industry, momentum is swelling. Meet the new players
Innovation usually arrives at the hands of startups, which often operate better autonomously than when pushing against an acquiring company's inertia. Despite the entry of large vendors, history shows that at least one new brand typically arises in the category they founded. These four US-based startups focus exclusively on SOAR, and most of them date back to the birth of this category in 2014 or 2015:

How much will automation impact the SOC?
SIEMs have been the main product that SOCs keep on the big screen to monitor overall security health -- they get more of InfoSec's "eyeball time" than any other product. Yet in the end they only produce a "To Do" list. Responses to these alerts encompass most of the SOC's activities. This begs the question, could SOAR products be the first category to steal the SIEM's eyeball time?

Bhargava believes so. "That is absolutely happening," he argues. "The real investigation work is starting to happen in the automation platforms, and I absolutely agree that we will get more." Not everyone is optimistic about slaying the goliaths. Certainly acquisition is in store for some of SOAR's founding startups. Loomis comments: "I think the future is that SIEMs will acquire a SOAR capability or build such an offering within five years."

No matter who brings automation to the people, it will fundamentally change the way SOCs operate.

Related posts:

— Paul Shomo is the Sr. Technical Manager, 3rd Party Technologies at OpenText.