Labor costs of employees and contractors will represent 40% of predicted security budgets in 2019, according to 451 Research's Voice of The Enterprise market surveys. This reflects an increasing emphasis on managing the growing supply of security alerts, as well as recognizing the necessity of human experts for making incident detection and response decisions. Security operations centers (SOCs) manage the business of security – maintaining a reliable security infrastructure, sorting through critical informational events and alerts, and working across the IT organization to fix security problems.

The 451 Take

Security automation and orchestration (SAO) serves a niche market of large enterprises and MSSPs with finite SOC resources attempting to keep up with extreme levels of security alerts. Small and midsized businesses tend not to have the number of dedicated security practitioners to justify orchestrated workflows and automated playbooks. SAO helps SOC teams manage their responsibilities: automation reduces the labor effort by executing scripts that gather and organize evidence from disparate sources. Enterprises report increased SOC workflow performance as staff can spend more time fixing problems. Orchestration defines the workflows necessary to investigate a threat and implement corrective responses. The sequence of remedial actions is important in efficiently closing gaps in security profiles, especially because the SOC coordinates with IT and networking groups. Security incidents that are not outright blocked by technology wind up being manually resolved at the SOC. SIEM systems record alerts, with ensuing requirements to investigate becoming the primary driver for SAO purchases. We also see SAO features arising in network traffic analytics, threat intelligence platforms, disclosure incident processes and compliance audit recommendations.

There are three primary SAO features that we find compelling: 1) organizing custom scripts used to interface with products in the security infrastructure into referenced playbooks; 2) integrating security workflows with IT, network and application operations, since security requires IT to actually correct security faults on hosts or in the network and SAO can facilitate those hand-offs; and 3) involving the security community in contributing shared playbook details that describe new threats and remedial actions, allowing SOCs to independently control damage when every minute is critical.

It is not at all clear yet that SAO will become a vibrant, sustaining market segment. We think it is more likely that SAO will follow the user behavior analytics segment and devolve into features of SIEM and NTA products. In fact, SIEM vendor IBM has already acquired Resilient to pair with its SIEM QRadar product line, SIEM vendor Splunk has recently acquired Phantom and NTA vendor FireEye has purchased the assets of Invotas. This acquisition trend will likely continue throughout 2018.

We can foresee an opportunity to define an enterprise operations center that is shared between security, IT, network and cloud applications teams. Each of these functions has demands to process workflows to resolve events and alerts. It is difficult for us to see why security requirements are so special that SOCs need to purchase and administer their very own SAO products. SAO vendors that can also take positions in meeting IT and network requirements will find greater market opportunities.

What are the most important features of a SAO product?

SAO features terms that are not often found in a security technology world focused on trust, prevention, detection and visibility. SAO emphasizes reducing the amount of labor required to complete security tasks by automating wherever it can through technology and orchestrating activities in coordinated measurable workflows. Workflows define what steps SOCs should follow, and in what sequence, in clarifying the impact of a threat and implementing remediation measures. These define the SOC processes, with integration with IT and networking teams. For instance, a SOC may not close a security investigation until IT confirms relevant patches have been applied and confirmed by refreshed vulnerability scans.

Playbooks capture the steps required to complete an action and can be combined into cases to thoroughly investigate and remediate an incident. For example, in tracking an incident report an analyst may execute a chain of playbooks for isolating traffic by a given IP address from specific firewall logs, searching threat feeds for history of the IP address, and using destination addresses to consult endpoint EDR logs for compromised processes or user accounts.
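
The playbook chain described above, sketched as an added example (it is not code from this report or from any vendor product). The log lines, threat feed entries and EDR events are constructed sample data, and the function names are hypothetical stand-ins for what connectors would return.

```python
# Constructed sample data standing in for connector output (not real logs).
FIREWALL_LOG = """\
2018-03-01T10:00:01Z ALLOW src=10.0.0.5 dst=203.0.113.7 dport=443
2018-03-01T10:00:02Z ALLOW src=198.51.100.23 dst=10.0.0.12 dport=445
2018-03-01T10:00:09Z DENY src=198.51.100.23 dst=10.0.0.40 dport=3389
2018-03-01T10:01:15Z ALLOW src=198.51.100.23 dst=10.0.0.31 dport=22
"""
THREAT_FEED = {"198.51.100.23": ["2018-02-20 phishing", "2018-02-27 SMB scanning"]}
EDR_EVENTS = [
    {"host_ip": "10.0.0.12", "process": "rundll32.exe", "user": "svc-backup", "flagged": True},
    {"host_ip": "10.0.0.12", "process": "explorer.exe", "user": "alice", "flagged": False},
    {"host_ip": "10.0.0.31", "process": "sshd", "user": "root", "flagged": False},
]

def isolate_traffic(case):
    """Playbook 1: pull firewall entries whose source is the suspect IP."""
    hits = []
    for line in FIREWALL_LOG.splitlines():
        ts, action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields["src"] == case["ip"]:
            hits.append({"ts": ts, "action": action, **fields})
    case["traffic"] = hits
    # Only allowed connections reached a host, so only those go to EDR.
    case["destinations"] = sorted({h["dst"] for h in hits if h["action"] == "ALLOW"})

def search_threat_feed(case):
    """Playbook 2: look up prior sightings of the IP in the threat feed."""
    case["feed_history"] = THREAT_FEED.get(case["ip"], [])

def consult_edr(case):
    """Playbook 3: check contacted endpoints for flagged processes or accounts."""
    if "destinations" not in case:  # workflow order matters: needs playbook 1
        raise ValueError("consult_edr requires isolate_traffic to run first")
    case["suspect_endpoints"] = [
        e for e in EDR_EVENTS if e["flagged"] and e["host_ip"] in case["destinations"]
    ]

def run_case(ip, playbooks=(isolate_traffic, search_threat_feed, consult_edr)):
    """Orchestrate the chain, recording each completed step for the case file."""
    case = {"ip": ip, "steps": []}
    for playbook in playbooks:
        playbook(case)
        case["steps"].append(playbook.__name__)
    return case

if __name__ == "__main__":
    print(run_case("198.51.100.23"))
```

The blocked connection to 10.0.0.40 is kept as evidence in the case but is not passed to the EDR step, which is the kind of sequencing decision a workflow encodes.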

Connectors are software programs required to interface with products to automate collection of information and possibly controlled responses. The technical infrastructure has a blend of firewalls, SIEMs, endpoints, directories, application logs, routers and the like that require development of connectors to use APIs and translate data formats.

We believe community resources for sharing playbooks are a critical feature of SAO product sets. To illustrate, say a new phishing campaign runs through a business in about 15 minutes. It is likely that a colleague has seen the attack already and can share details of the phish and the countermeasures that worked for them. Sharing of playbooks can help SOC teams respond more quickly, with a reduced error rate.

Enterprise SOC teams should appreciate that there is no such thing as a free lunch when it comes to SAO. While SAO formalizes playbooks, workflows and connectors, it comes with an obligation to keep them up to date and accurate as the infrastructure evolves and threats proliferate.

Where are the SAO opportunities?

Our quarterly Voice of The Enterprise Information Security research shows that large enterprises, those with more than 10,000 employees, should be the target market for SAO vendors. According to 2017 VoTE surveys, 68% of organizations with more than 10,000 employees have a SOC while only 32% of smaller organizations can say the same.

Security management represents roughly 21% of the security budget regardless of enterprise size, trailing network security and endpoint security (but just ahead of application security). In larger enterprises, not only are there line items in the budget for SOC products but those budgets are also expanding by about 15% in 2018.

Large enterprises meet SAO requirements for a SOC and budget allocations for SOC products, and the need to address alert fatigue also runs higher in large enterprises. The following table shows that SAO results map neatly into security performance metrics for processing alerts.

Which of the following metrics does your organization use/track for information security staff?

Response                       Less than 10,000 employees   More than 10,000 employees
Security incidents resolved    25%                          75%
Tickets resolved               45%                          55%
Audit issues resolved          51%                          49%
Project completion             60%                          40%
Application availability       63%                          37%
Lack of data breaches          68%                          32%
Time to recovery               70%                          30%
We don't use metrics           90%                          10%

Many SOCs within large enterprises are challenged to respond to 5-10% of received alerts, with each response consuming between 15 minutes and four hours of a security expert's day. It is simply a matter of arithmetic – a security analyst can work on only 16 alerts in a day if each alert averages 30 minutes. SAO capability becomes critical in large organizations, and in MSSPs, where handling alerts efficiently quickly affects the business costs of security.


The growing accumulation of security data required as modern IT architectures transform drives demand for analytics to help teams consume operational intelligence, manage alert priorities, juggle SOC workloads and automate corrective activities. SAO competition comes from strategic SIEM and NTA vendors that already have business relationships with enterprises, privately held vendors with unique technical implementation and MSSPs leveraging their expertise across diverse client bases.

The following vendor list is by no means exhaustive but is meant to illustrate the market.

Strategic SIEM and NTA vendors

Most, such as AlienVault, LogRhythm, McAfee, Cisco and Fortinet, have built SAO features into their products. Five major vendors have made statements via acquisitions:

  • FireEye incorporates acquired Invotas capability into its Helix management platform. Helix connects the supply of FireEye network, endpoint and email security alerts with demand to reduce the risks to customer business from security attacks.
  • IBM Resilient extends the capabilities of QRadar, UBA and Watson analytics for customers. Resilient also empowers IBM incident response services for enterprises requiring expertise to help work through security emergencies.
  • Microsoft acquired Hexadite in 2017 and now bundles the features into Windows Defender ATP. With Hexadite, Microsoft can now help customers fix detected security problems.
  • Rapid7 markets Komand automation and orchestration technology to complement its Insight product line (including the InsightIDR SIEM/UBA), InsightVM vulnerability management and Metasploit penetration testing.
  • Splunk acquired Phantom to integrate SAO customization capabilities into Splunk investigation and search features, extend playbooks and workflows into IT operations and contribute response team feedback into machine-learning analytic algorithms.

Privately held vendors

  • Demisto implements DBot, a Slack interface to the SOC community to quickly get information on threats and playbooks. The Demisto Enterprise product was recently announced as the technology behind RSA NetWitness Orchestrator.
  • LogicHub focuses on reducing the mean time to recovery from an incident. ThreatGPS helps enterprises manage the risks of using cloud applications such as CloudTrail, GitHub and Salesforce.
  • Panaseer provides an analysis platform of IT devices data, security operations status, and application, device or user views. The technology confirms when SAO actions are satisfactorily completed, with resultant feedback helping security teams to make better decisions.
  • Resolve Systems blends security, IT, network and help desk incident response processes into a single cohesive management system. The Resolve Platform, in addition to automation features, allows a business to integrate response operations for coordinated activity across the organization.
  • Respond Software believes SOCs already have a lot of rich data coming from deployed IDS/IPS products if they could only process the alerts efficiently. Respond Analyst emulates level 1 SOC analysts to help SOCs get more value out of IDS/IPS.
  • Siemplify offers a graphical interface that allows SOC teams to build playbooks without having to develop scripts or be engineers. Its ThreatNexus product helps enterprises and MSSPs find the alerts that they are best positioned to remediate.
  • Swimlane claims prospects frequently process fewer than 1% of received security alerts per day. Swimlane is introducing an application hub to facilitate the sharing of SAO applets across its user base.
  • ThreatQuotient is a threat intelligence platform rather than a classic SAO product, with the key difference that it starts a case with threat information rather than an alert. ThreatQuotient Investigations helps SOC experts to understand and remediate specific prioritized threats.
  • Uplevel Security is not a true SAO vendor in that it markets graphical relationships of data as opposed to playbooks, workflows and connectors. However, Uplevel is finding traction with SOC teams looking to easily identify patterns to eliminate false positives.

SAO features are becoming essential in NTA products. Awake Security, Corelight, Darktrace, ExtraHop, Gigamon, Jask, SecBI and Vectra Networks have all introduced capabilities to help SOC teams process problems detected from network traffic.

Managed security service providers

  • ProtectWise captures network traffic to help security teams detect and remediate security events. The ProtectWise Grid records traffic, enabling SOC teams to search communications to automate investigations and reduce the time required to process alerts.
  • Raytheon integrates the CyberSponse security platform into its SOC services to provide SAO capabilities aimed at faster detection of threats and shorter response times for its managed services customers.
  • SecureWorks delivers managed incident response and orchestration services through its Counter Threat Platform. The Secureworks Security Operations Services include planning for compromises and efficient remediation of incidents.
  • ServiceNow is an IT service provider getting a strong push to compete in MSSP markets. ServiceNow Security Operations services spring from IT operations roots to help organizations identify and manage security risks.
  • Verizon acquired Niddel to incorporate machine-learning-based automated threat hunting capabilities into its managed security services offerings, expanding on its vision to deliver automated and intelligence-driven services.


SAO fulfills a tangible need for SOC teams in large enterprises tasked with processing more alerts in a complex infrastructure environment. While it is difficult to rationalize why security needs its own workflow and playbook system, we realize that organizational issues can raise hurdles to integrating with existing IT and network operating center systems. SAO products that embrace IT and networking requirements may find greater market opportunities as enterprises integrate operations.

The large infrastructure SIEM and NTA vendors have decided advantages in the market. Both segments are sources of alerts, are incented to make alert processing more valuable and have existing customer relationships. The privately held vendors have interesting technology as they compete for attention. We expect to see SIEM and NTA vendors conduct a vibrant acquisition hunting season for SAO technology in 2018.

Automating the gathering of evidence can only help SOC performance. Time-consuming tasks such as checking threat feeds to identify a threat, checking IP reputations for suspicious domains, resolving IP addresses and user accounts, and confirming relevant network traffic can all be automated. However, operational expenses affect SAO scale at enterprise levels because automation requires custom connectors to be developed and supported and playbooks require update maintenance to assure accuracy as the IT infrastructure transforms.

A security incident investigation frequently results in requests for IT to issue patches or for networking to agree to firewall rule changes. SAO presents a chance to enhance coordination between security, IT and networking teams. Security alert and incident handling can be viewed as special use cases for established IT operations requirements, and the target market of large enterprises may opt to leverage existing systems rather than security-only technology.

Eric Ogren
Senior Analyst, Security

Eric Ogren is a Senior Analyst with the Information Security team. Eric has extensive experience in software development, technology marketing, and as a security industry analyst.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received a MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.
