There is a distinct hunger within industry for greater cybersecurity automation, but there remains widespread perception among security professionals that they lack the personnel, documentation and organizational structure to pull off even fundamental threat hunting activities.
A new survey of 388 U.S. and U.K. information technology and security professionals from Enterprise Strategy Group finds that “more telemetry is generally desired, but correlation and analysis is a heavy lift” for many organizations. The survey was also underwritten by Respond-Software, a security automation company recently acquired by threat intelligence giant FireEye.
“Most organizations can see value in combining threat data from multiple threat vectors to provide context and accelerate detection and response; however, most lack the expertise and tools to correlate data, often leading to the reactive elimination of point threats without understanding broad attack campaigns,” wrote Dave Gruber and Jon Oltsik, both analysts at ESG.
When asked where they are focusing their efforts around threat detection and response, the top three responses provided were improving detection of advanced threats (34 percent), automating remediation activity with as little human involvement as possible (33 percent) and improving the mean response time for threats.
But the other responses also indicate that many companies are ingesting so much data that they often have trouble processing it or prioritizing which threats to respond to first, while others appear to struggle to get context around more sophisticated attacks. A common complaint among security professionals is that they are inundated with security information and event management (SIEM) alerts on a daily basis and don’t have the time or manpower to separate the wheat from the chaff.
When asked what new automation capabilities they found most appealing, the most popular answer given was simplifying visualization of how complex attacks progress through their kill chain (42 percent), followed by advanced analytics (38 percent), indicating that organizations are starving for more context around their threat data that can help them map out mitigation and remediation activities.
“Simply stated, SOC teams need better threat detection and response efficacy, especially as it relates to unknown threats that move laterally across networks over time,” the authors write.
As SC Media has reported, many companies view automation as an easy means to reduce workloads or headcount. Security vendors, however, say that technologies like SIEM, SOAR and other tools require a tremendous amount of work and structure on the front end: integrating different internal and external data streams, categorizing and labeling information, and documenting processes, all of which must feed into repeatable algorithms before automation can yield these sought-after efficiencies.
In response to this challenge, threat intelligence firms are increasingly pitching their security platforms as one-stop shops that can do much of that early-stage legwork and integration.
“Today, the security skills gap is most pronounced on the front lines — especially the monitoring and triage of security-related events and alerts. Security analysts are asked to review a mountain of alerts and data from a diverse variety of security controls — from a host of different vendors — all day, every day,” wrote Phil Montgomery, FireEye’s senior vice president for solution and product marketing, last week while announcing the purchase of Respond-Software. “To address this, most security programs are forced to add more security analysts to perform the real-time monitoring of largely siloed alerts, and make judgment calls on whether to act. Alert monitoring is limited, error-prone, costly, and ultimately untenable as humans can’t scale to the increasing volume of attacks.”