Security teams turn to automation to tackle avalanche of alerts
High numbers of alerts and the resources needed to deal with them are causing problems for security teams and leading them to turn to Security Orchestration, Automation and Response (SOAR) tools in order to cope.
A new report from security automation specialist Demisto finds that teams are inundated with more than 174,000 alerts every week, and that they are only able to review and respond to around 12,000 of them.
It also reveals that it takes an average of eight months to train security analysts to be effective, yet a quarter of these professionals change organizations within two years. Around 79 percent of respondents feel they don't have enough people in their security operations center and, as a result, report a mean time to respond of 4.35 days for resolving incidents.
"Today's business landscape is a balancing act between technological progression and security. Workplace changes and technical innovations have made it easier to do business, but securing these diverse advances is an enormous task that falls upon overworked security teams," says Rishi Bhargava, co-founder of Demisto. "We’ve seen plenty of research that highlights the unending growth in security alerts, a widening cyber security skills gap, and the ensuing fatigue that is heaped upon understaffed security teams. That’s why we conducted this study -- to dig deeper into these issues, their manifestations, as well as possible solutions. Our results produced captivating insights into the state of SOAR in businesses of all sizes."
The report also reveals a lack of standardization: 75 percent of respondents find working with multiple security tools to be fairly or very challenging, and nearly 42 percent say they don't have a system in place to measure incident response metrics. More than 50 percent of respondents state that they either don't have process playbooks in place or that the playbooks are rarely updated after initial implementation.
It seems that SOAR is ready to soar, with 70 percent of respondents saying that SOAR tools would be beneficial for automating response, and 62 percent citing threat hunting as an expected benefit of SOAR. Ticketing platforms are used by 49.8 percent to document incident response actions. But because ticketing platforms are designed to be 'static', capturing moment-in-time comments and flows, they prevent the dynamic, fast workflow changes that are necessary in the face of sophisticated attacks. SOAR platforms can and should be capable of both integrating with third-party ticketing tools and providing their own, more modular and flexible case management that is better suited to security use cases.
You can find out more in the full State of SOAR Report available from the Demisto website.