With the global cybersecurity skills shortage hanging over them, CISOs are turning toward security automation and orchestration technologies to improve staff productivity. This is happening faster and wider than most people realize. According to ESG research, 19% of enterprise organizations have already deployed technologies for security automation and orchestration extensively, 39% have done so on a limited basis, and 26% are engaged in a project to automate/orchestrate security operations.
Why are folks doing this? ESG asked survey respondents (i.e., 412 cybersecurity and IT professionals) to identify their organization’s priorities for security automation and orchestration. The top selections were as follows:
- 35% want to use security automation/orchestration technology to integrate external threat intelligence with internal security data collection and analysis. It’s natural to query these two sources as part of security investigations but this was always a manual process in the past. The data suggests that organizations want to use security automation/orchestration tools to do the heavy lifting, streamlining the investigations workflow.
- 30% want to use security automation/orchestration technology to add functionality on top of existing tools. Typically, this functionality is centered on orchestrating workflows as part of things like security investigations, incident response, or remediation tasks.
- 29% want to use security automation/orchestration technology to automate basic remediation tasks. Things like automatically generating new firewall rules upon receiving a list of IoCs.
- 28% want to use security automation/orchestration technology to correlate and contextualize data using the output of 2 or more tools. Think of a multitude of threat detection tools spitting out reports or generating alerts. Security pros want to use security automation/orchestration to blend these outputs and get a more holistic picture of security incidents.
- 22% want to use security automation/orchestration technology to integrate security and IT operations tools. This can allow security analysts to access asset databases, CMDBs, trouble ticketing systems, etc.). Clearly, this requirement is why vendors like Resolve Systems and ServiceNow have jumped into this space.
CISOs look at security operations like Henry Ford looked at building cars. They know that manual processes can’t scale to meet demand, so they are using new technologies to mechanize operations. Ford used the production line, CISOs are using security automation and orchestration tools.
It’s still early and the market remains confusing to many infosec pros. Should automation and orchestration be aligned with their SIEM? Should it be tightly integrated with IT operations? Should they develop their own software or kick the tires with commercial vendors like Demisto, Phantom, or Swimlane? Alternatively, should they go for security automation/orchestration features that come with new analytics or operations tools from vendors like Exabeam, Siemplify, or ThreatConnect?
These are difficult choices but ESG has observed that successful security automation/orchestration results come from a commitment to process improvement, a deliberate phased implementation plan, and partnerships with technology vendors with deep security operations experience.