Labor costs of employees and contractors will represent 40% of predicted security budgets in 2019, according to 451 Research's Voice of The Enterprise market surveys. This reflects an increasing emphasis on managing the growing supply of security alerts, as well as recognizing the necessity of human experts for making incident detection and response decisions. Security operations centers (SOCs) manage the business of security – maintaining a reliable security infrastructure, sorting through critical informational events and alerts, and working across the IT organization to fix security problems.
The 451 Take
There are three primary SAO features that we find compelling: 1) organizing the custom scripts used to interface with products in the security infrastructure into referenced playbooks; 2) integrating security workflows with IT, network and application operations (security requires IT to actually correct security faults on hosts or in the network, and SAO can facilitate those hand-offs); and 3) involving the security community in contributing shared playbook details that describe new threats and remedial actions, allowing SOCs to independently control damage when every minute is critical.
It is not at all clear yet that SAO will become a vibrant, sustaining market segment. We think it is more likely that SAO will follow the user behavior analytics segment and devolve into features of SIEM and NTA products. In fact, SIEM vendor IBM has already acquired Resilient to pair with its SIEM QRadar product line, SIEM vendor Splunk has recently acquired Phantom and NTA vendor FireEye has purchased the assets of Invotas. This acquisition trend will likely continue throughout 2018.
We can foresee an opportunity to define an enterprise operations center that is shared between security, IT, network and cloud applications teams. Each of these functions has demands to process workflows to resolve events and alerts. It is difficult for us to see why security requirements are so special that SOCs need to purchase and administer their very own SAO products. SAO vendors that can also take positions in meeting IT and network requirements will find greater market opportunities.
What are the most important features of a SAO product?
Playbooks capture the steps required to complete an action and can be combined into cases to thoroughly investigate and remediate an incident. For example, in tracking an incident report an analyst may execute a chain of playbooks for isolating traffic by a given IP address from specific firewall logs, searching threat feeds for
Connectors are software programs required to interface with products to automate
We believe community resources for sharing playbooks are a critical feature of SAO product sets. To illustrate, say a new phishing campaign runs
Enterprise SOC teams should appreciate that there is no such thing as a free lunch when it comes to SAO. While SAO formalizes playbooks, workflows
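To make the playbook, connector and case concepts above concrete, here is a small added model (not from 451 Research or any vendor named here) in which connectors are plain functions over constructed firewall log lines and a constructed threat feed, a playbook is an ordered chain of connector calls, and a case passes one shared context through several playbooks and ends with a hand-off to IT:

```python
"""Minimal model of SAO playbooks, connectors and cases (added illustration)."""
from dataclasses import dataclass

# Constructed sample data: firewall log lines and a tiny threat feed.
FIREWALL_LOGS = [
    "2018-03-01T10:00:01 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2018-03-01T10:00:02 ALLOW src=10.0.0.7 dst=198.51.100.4 dport=80",
    "2018-03-01T10:00:03 DENY src=10.0.0.5 dst=203.0.113.10 dport=22",
    "2018-03-01T10:00:04 ALLOW src=10.0.0.5 dst=192.0.2.9 dport=53",
]
THREAT_FEED = {"203.0.113.10": "known C2 (constructed entry)"}

# Connectors: the scripts that talk to one product. Here they operate on the
# constructed data; a real deployment would call the firewall and threat-intel
# APIs instead. Each takes and returns the shared case context.
def firewall_search(ctx):
    ip = ctx["suspect_ip"]
    ctx["flows"] = [line for line in FIREWALL_LOGS if f"src={ip} " in line]
    return ctx

def threat_feed_lookup(ctx):
    dsts = {f.split("dst=")[1].split()[0] for f in ctx["flows"]}
    ctx["hits"] = {d: THREAT_FEED[d] for d in dsts if d in THREAT_FEED}
    return ctx

def recommend_action(ctx):
    # Remedial actions are recorded as requests, not executed: the firewall
    # change and host isolation are hand-offs to network and IT teams.
    ctx["actions"] = [f"block {d}" for d in sorted(ctx["hits"])]
    if ctx["hits"]:
        ctx["actions"].append(f"ticket IT: isolate host {ctx['suspect_ip']}")
    return ctx

@dataclass
class Playbook:
    name: str
    steps: list  # ordered connector calls

    def run(self, ctx):
        for step in self.steps:
            ctx = step(ctx)
        return ctx

def run_case(playbooks, suspect_ip):
    """A case chains playbooks, passing one shared context through them."""
    ctx = {"suspect_ip": suspect_ip}
    for playbook in playbooks:
        ctx = playbook.run(ctx)
    return ctx

TRIAGE = Playbook("isolate-traffic", [firewall_search])
ENRICH = Playbook("threat-feed", [threat_feed_lookup, recommend_action])
```

Running `run_case([TRIAGE, ENRICH], "10.0.0.5")` isolates the three flows from that host, flags the one destination present in the feed and produces the block request and IT ticket; a host with no feed hits yields an empty action list.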
Where are the SAO opportunities?
Security management represents roughly 21% of the security budget regardless of enterprise size, trailing network security and endpoint security (but just ahead of application security). In larger enterprises, not only are
Large enterprises meet SAO requirements for a SOC and budget allocations for SOC products, and the need to address alert fatigue also runs higher in large enterprises. The following table shows that SAO results map neatly into security performance metrics for processing alerts.
Which of the following metrics does your organization use/track for information security staff?
| Response | Less than 10,000 | More than 10,000 |
| --- | --- | --- |
| Security incidents resolved | 25% | 75% |
| Tickets resolved | 45% | 55% |
| Audit issues resolved | 51% | 49% |
| Project completion | 60% | 40% |
| Application availability | 63% | 37% |
| Lack of data breaches | 68% | 32% |
| Time to recovery | 70% | 30% |
| We don't use metrics | 90% | 10% |
Competition
The growing accumulation of security data required as modern IT architectures
Strategic SIEM and NTA vendors
- FireEye incorporates acquired Invotas capability into its Helix management platform. Helix connects the supply of FireEye network, endpoint and email security alerts with demand to reduce the risks to customer business from security attacks.
- IBM Resilient extends the capabilities of QRadar, UBA and Watson analytics for customers. Resilient also empowers IBM incident response services for enterprises requiring expertise to help work through security emergencies.
- Microsoft acquired Hexadite in 2017 and now bundles the features into Windows Defender ATP. With Hexadite, Microsoft can now help customers fix detected security problems.
- Rapid7 markets Komand automation and orchestration technology to complement its Insight product line (including the InsightIDR SIEM/UBA), InsightVM vulnerability management and Metasploit penetration testing.
- Splunk acquired Phantom to integrate SAO customization capabilities into Splunk investigation and search features, extend playbooks and workflows into IT operations and contribute response team feedback into machine-learning analytic algorithms.
Privately held vendors
- Demisto implements DBot, a Slack interface to the SOC community to quickly get information on threats and playbooks. The Demisto Enterprise product was recently announced as the technology behind RSA NetWitness Orchestrator.
- LogicHub focuses on reducing the mean time to recovery from an incident. ThreatGPS helps enterprises manage the risks of using cloud applications such as CloudTrail, GitHub and Salesforce.
- Panaseer provides an analysis platform of IT device data, security operations status, and application, device or user views. The technology confirms when SAO actions are satisfactorily completed, with resultant feedback helping security teams to make better decisions.
- Resolve Systems blends security, IT, network and help desk incident response processes into a single cohesive management system. The Resolve Platform, in addition to automation features, allows a business to integrate response operations for coordinated activity across the organization.
- Respond Software believes SOCs already have a lot of rich data coming from deployed IDS/IPS products if they could only process the alerts efficiently. Respond Analyst emulates level 1 SOC analysts to help SOCs get more value out of IDS/IPS.
- Siemplify offers a graphical interface that allows SOC teams to build playbooks without having to develop scripts or be engineers. Its ThreatNexus product helps enterprises and MSSPs find the alerts that they are best positioned to remediate.
- Swimlane claims prospects frequently process fewer than 1% of received security alerts per day. Swimlane is introducing an application hub to facilitate the sharing of SAO applets across its user base.
- ThreatQuotient is a threat intelligence platform rather than a classic SAO product, with the key difference that it starts a case with threat information rather than an alert. ThreatQuotient Investigations helps SOC experts to understand and remediate specific prioritized threats.
- Uplevel Security is not a true SAO vendor in that it markets graphical relationships of data as opposed to playbooks, workflows and connectors. However, Uplevel is finding traction with SOC teams looking to easily identify patterns to eliminate false positives.
Managed security service providers
- ProtectWise captures network traffic to help security teams detect and remediate security events. The ProtectWise Grid records traffic, enabling SOC teams to search communications to automate investigations and reduce the time required to process alerts.
- Raytheon integrates the CyberSponse security platform into its SOC services to provide SAO capabilities aimed at faster detection of threats and shorter response times for its managed services customers.
- SecureWorks delivers managed incident response and orchestration services through its Counter Threat Platform. The Secureworks Security Operations Services include planning for compromises and efficient remediation of incidents.
- ServiceNow is an IT service provider making a strong push to compete in MSSP markets. ServiceNow Security Operations services spring from IT operations roots to help organizations identify and manage security risks.
- Verizon acquired Niddel to incorporate machine-learning-based automated threat hunting capabilities into its managed security services offerings, expanding on its vision to deliver automated and intelligence-driven services.
Outlook
The large infrastructure SIEM and NTA vendors have decided advantages in the market. Both segments are sources of alerts, are incented to make alert processing more valuable and have existing customer relationships. The privately held vendors have interesting technology as they compete for attention. We expect to see SIEM and NTA vendors conduct a vibrant acquisition hunting season for SAO technology in 2018.
Automating the gathering of evidence can only help SOC performance. Time-consuming tasks such as checking threat
A security incident investigation frequently results in requests for IT to issue patches or for networking to agree to firewall rule changes. SAO presents a chance to enhance coordination between security, IT and networking teams. Security alert and incident handling can be viewed as special use cases for established IT operations requirements, and the target market of large enterprises may opt to leverage existing systems rather than security-only technology.
Eric Ogren is a Senior Analyst with the Information Security team. Eric has extensive experience in software development, technology marketing, and as a security industry analyst.
Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation