The security automation industry is still in its infancy,
but there are some promising technologies
The security automation industry is still in its infancy, with most vendors just a year or two old, but there are already some promising technologies that enterprises can put to use — if they have already laid the required ground work.
The main problem that security automation is designed to address is that there are so many attack attempts coming in, so quickly, that human beings just can’t keep up.
Then there’s the enormous amounts of money cybercriminals are bringing in from ransomware and other attacks that allows them to invest in new kinds of attacks, the threats posed by nation-states, and the massive staffing shortage.
It’s a perfect storm.
“Even the biggest companies can’t keep up,” said Jon Oltsik, senior principal analyst at Enterprise Strategy Group.
According to a survey the research firm conducted last fall, 91 percent of companies said that the time and effort required for manual processes limits their incident response effectiveness, and the same number are actively trying to increase their staffs.
And 62 percent already have automated incident response processes in place, and another 35 percent are beginning automation and orchestration projects or plan to do so in the next 12 to 18 months.
“Two years ago, nobody knew about this technology,” said Oltsik. “Last year, I saw it a lot more. Now we’re seeing budget line items for it, and we also see a lot of venture capitalist investment in this space as well.”
He estimates the market size of the security automation and orchestration sector to be between $100 million and $200 million, with several small vendors in the $10 million to $20 million in sales range.
Security automation, could, in theory, allow companies to investigate incoming threats and respond to them immediately, without human intervention — at least, for the most common, labor-intensive types of attacks. Security analysts would then be freed up to focus on the more complex types of attacks.
There have been some recent signs that this may be possible.
“We’ve had better detection accuracy,” said Oltsik. “The false positive rates are lower. And we’re using the cloud more, which is throwing more processing power at some of these things.”
Most of the progress up until now has been in preventing attackers from entering the enterprise in the first place. Anti malware systems, next-generation firewalls, and other systems that spot threat and block them.
Most recently, threat intelligence comes with scoring systems, said Oltsik. That allows companies to add more automation for threats that have a very high likelihood of being very dangerous, and handle the questionable cases with the old manual processes.
Some of the larger companies are also deploying orchestration platforms. These allow for automated processes that involve multiple systems.
“But these types of incidence response platforms are limited right now to the elite organizations, the Fortune 500 companies,” he said.
In addition, companies also write scripts to create their own automated processes from scratch, but this requires some technical expertise.
Whose automating what
According to the most recent SANS Institute incident response survey, most processes are still very manual.
The most automated process, with 50 percent of respondents saying they had some degree of automation, was for remotely deploying custom content or signatures from security vendors.
In second place, at 49 percent, was blocking command and control to malicious IP addresses, followed by removing rogue files, at 47 percent.
Processes least likely to be automated included isolating infected machines from the network during remediation, and shutting down systems and taking them offline.
But, overall, security automation is about 10 years behind the automation of other technology processes, said Ariel Tseitlin, partner at Foster City, Calif.-based investment firm Scale Venture Partners.
“But we’ve seen the tremendous effect of automation in IT, and we’re gong to see that in security,” he said.
The prevention part of the security puzzle is the most automated, he said. Then, in the past two years, detection has seen an enormous amount of investment.
Now, there’s a lot of work being done on the boundary between detection and response, where companies need to figure out which of the issues they’ve spotted are real problems that need to be investigated.
“Then, on the incident response side, there’s an enormous amount of work that is being done manually today,” he said. “That’s where I think a lot of the value will come over the next couple of years.”
However, all the products available today are still in their early stages, he said, and there are no clear established leaders in this space.
It makes sense to automate detection, but fully automating the remediation process is risky, said Jay Leek, managing director at ClearSky Cyber Security, a cybersecurity consulting firm.
“I would always recommend, at least today, putting a person between these two different divisions,” he said. “You don’t want to have false positives here.”
The individual steps of the remediation process could be automated, he said, just as long as there’s a human being pushing the button to get it started.
“But i don’t like the idea of automating the whole end-to-end process today,” he said. “It’s too immature and ripe for false positives. The last thing you want to do is create some sort of business disruption.”
There are vendors in the market who are already promising to automate the entire process, including automatically re-imaging end point devices and sending users off to anti-phishing training, said Nathan Wenzler, chief security strategist at AsTech Consulting.
“But at the end of the day, the reality is that anyone who’s been trying to do that at scale, that hasn’t really worked well,” he said. “They either get so many false positives, or so many false negatives. You get annoyed users, especially if you do get a system that’s re-imaged and there’s nothing wrong, or at bad times.”
Consolidation and evolution
Soon, security automation may become ever more widely available and easier to use. Major vendors have been buying up small orchestration companies and integrating their features into their platforms, and SIEM vendors have been adding automation and orchestration capabilities to their platforms.
Vendors are also starting to offer pre-built routines and run books so that companies don’t have to create their remediation processes from scratch.
One positive aspect of the way automation technology is evolving is that we don’t have vendor stacks or technology silos, where products from one group of companies don’t play well with others, according to Joseph Blankenship, analyst at Forrester Research.
That’s happened before, in other areas of IT. In security, however, enterprise environments tend to be very heterogeneous.
“It’s common for enterprises to have 20, 50 or more different vendors,” he said.
As a result, vendors are motivated to work well together, and limitations on interoperability aren’t likely to be accepted by customers, he said.
Getting ready for automation
For companies looking to deploy security automation technology, it’s not enough to establish whether the vendor’s product is ready for prime time.
The company has to be ready, as well, said Blankenship.
“It’s definitely not a buy it and plug it in scenario,” he said. “There’s definitely ground work that needs to be done. If you plug bad data into an automated system, all you’re going to do is make bad decisions faster.”
In addition, many companies don’t actually know what their processes are, and may not yet have well-defined playbooks, he said.
“Many have analysts that each do their own things as far as how they handle different investigations,” he said. “In order to automate these things, you have to have standardization.”
May 2, 2017