3 Ways to Get the Most Out of Your Security Automation Budget
Want to build a world-class information security program for your organization? If you’ve got an enterprise-sized IT and security budget, you might not need to make too many trade-offs. Consider, say, Amazon.com or AT&T—these are among the world’s largest and most profitable companies, and the resources they could potentially devote to solving commonplace cybersecurity challenges are immense. For the rest of us, however, weighing priorities is considerably more difficult.
Now more than ever, CISOs and other stakeholders in risk management are being challenged to make the most of limited budgets, maximizing the value they gain for every dollar they spend on security automation. Every organization’s goals are—and necessarily should be—different, but some general truths hold across the board. If you can make it easier for your team to detect attacks more effectively and more quickly, you’ll see overall improvements in performance, saving time as well as money.
With that in mind, we’ve come up with three questions to ask yourself if you’re considering an investment in a security automation tool or solution.
#1: Will implementing this solution really save time or simplify security analysts’ workflows?
We’ve all heard about the promise of security orchestration, automation and response (SOAR) solutions: by automating tasks that analysts would otherwise have to perform manually, they’re said to improve efficiency and boost productivity. But using SOAR tools well involves a great deal of hands-on programming, since each playbook that’s written addresses only a single use case or perhaps a small, discrete step that’s relevant in multiple scenarios. If you’re looking to implement end-to-end automation for full-scale workflows, your team will need to build a plethora of different playbooks. Or you’ll have to be satisfied with automation that’s applicable to only a few very specific scenarios. With SOAR, you don’t get economies of scale.
Let’s take the process of research as an example. When a security analyst is gathering additional information to determine the significance of an incident that’s been escalated, they will have to collect at least ten different pieces of data, which means they’ll need to perform ten lookups. And these ten lookups will be the same every time. So this particular portion of the analyst’s research workflow is amenable to automation with a SOAR tool, and there’s likely to be a benefit—in the form of time savings—from doing so. But it’s only a small step within a larger research process. Other stages, the ones that require more innovation and creativity, cannot be automated in the same way.
Security information and event management (SIEM) solutions are also said to be helpful because they automate the otherwise labor-intensive process of sorting through the enormous volumes of log data generated by network sensors to find anomalies and patterns indicative of an attack. But SIEM implementations require ongoing tuning. Analysts using them to find evidence of compromise must create appropriate rule sets that will detect in-process attacks. These rules must be written by humans, maintained by humans, and tested by humans, and the process must be repeated over and over again to address changes in the threat landscape.
SIEM tools can be helpful in meeting compliance mandates that require event log retention. And they can be beneficial in certain use cases, such as monitoring the behavior of a limited subset of VIP end users. But all too often, security teams spend more time tuning their SIEM—that is, making the tool work—than using it to accurately identify events that indicate true malicious activity—that is, benefiting from the tool’s work.
A dangerous trap in security automation is adding a new tool advertised as labor-reducing, only to discover that your team now spends just as much time tuning, configuring or programming the tool as it spent on the original manual process.
#2: Will this tool really enable us to detect malicious activities more quickly?
According to the Ponemon Institute, the average data breach costs its victim a total of $3.92 million. These costs extend over a period of more than three years, and significantly impact profitability, brand reputation, and the overall viability of the business. Although the average time it takes to identify and contain a breach grew by 4.9 percent over the previous year, losses are consistently lower the faster a breach can be identified and contained. Breaches with a lifecycle shorter than 200 days are on average $1.22 million less costly than breaches with a lifecycle of more than 200 days.
Security leaders are well aware that longer dwell times result in higher costs and greater damage from breaches. Yet most organizations still require extended periods of time to discover the presence of bad actors in their environments. On average, it required 206 days to identify a breach in 2019, and an additional 79 days to contain it.
All too often, security teams’ jobs consist of an endless game of catch-up. Often, they’re only considering a small portion of the network telemetry data that’s available to them. Or they’re swamped by an endless stream of false-positive alerts that make it nearly impossible to find evidence of true malicious activity amidst all the noise.
Many of the automated analyst tools designed for use in cybersecurity are intended to help human analysts keep up with the near-infinite volume of data that they’d like to be able to monitor. True value is found in reducing breach costs by speeding time to detection.
#3: Will adding this product to our security solution stack really make our team more effective?
Organizations see the greatest return on security investments that enable them to achieve medium- or long-term goals. To understand where your budget could best be applied, consider where your security analysts are spending the majority of their time.
Generally speaking, there are three areas in any security program that can be automated. These are:
• identity and access management (IAM)
• governance, risk and compliance (GRC)
• security operations
Different organizations will find that analysts’ time and labor are being used differently. For example, one company might find that security operations center (SOC) employees are spending large portions of their working hours answering emails from end users who are reporting phishing attacks or suspected phishing attacks. This process, known as the “phishing inbox,” can be streamlined and sped up by implementing a SOAR playbook. Another company might find that security analysts devote a great deal of time to documenting compliance with regulatory standards in order to meet customers’ requirements. For this team, a GRC tool that gathers all the information together into a centralized repository and produces automated reports can be a wise investment.
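As an added illustration, not code from the original article or from any SOAR product, of the two automation candidates discussed above (the fixed set of enrichment lookups in the research example and the phishing-inbox playbook): a minimal Python playbook that runs the same lookups on every reported email against constructed, hypothetical reference data, and issues only the mechanical verdicts, leaving anything ambiguous to an analyst.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed reference data standing in for the threat-intel, mail-gateway and asset lookups a real playbook would make.
KNOWN_BAD_SENDER_DOMAINS = {"login-verify.example"}
KNOWN_BAD_URL_HOSTS = {"login-verify.example", "secure-update.example"}
KNOWN_BAD_ATTACHMENT_HASHES = {sha256(b"constructed-bad-sample").hexdigest()}  # placeholder hash
INTERNAL_DOMAINS = {"corp.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def enrich(raw_eml: str) -> dict:
    """The fixed, repeatable lookups every reported email gets: the automatable step."""
    msg = message_from_string(raw_eml)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    urls, attachment_hashes = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():                       # attachment: hash it for the reputation lookup
            attachment_hashes.append(sha256(payload).hexdigest())
        elif part.get_content_type() == "text/plain":  # body text: pull out the URLs
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    url_hosts = {h for h in (urlsplit(u).hostname for u in urls) if h}
    return {
        "sender_internal": sender_domain in INTERNAL_DOMAINS,
        "sender_known_bad": sender_domain in KNOWN_BAD_SENDER_DOMAINS,
        "url_hosts": url_hosts,
        "bad_url_hosts": url_hosts & KNOWN_BAD_URL_HOSTS,
        "bad_attachments": [h for h in attachment_hashes if h in KNOWN_BAD_ATTACHMENT_HASHES],
        "attachment_count": len(attachment_hashes),
    }

def triage(facts: dict) -> str:
    """Only the mechanical verdicts are automated; the judgement calls stay with a human."""
    if facts["sender_known_bad"] or facts["bad_url_hosts"] or facts["bad_attachments"]:
        return "confirmed-phish"  # playbook can block the sender/URLs and notify the reporter
    if facts["sender_internal"] and not facts["url_hosts"] and facts["attachment_count"] == 0:
        return "auto-close"       # internal sender, nothing clickable or executable
    return "escalate"             # the investigative, creative part remains analyst work

# Constructed report, as a user might forward it to the phishing inbox.
SAMPLE_REPORT = """From: IT Support <helpdesk@login-verify.example>
To: user@corp.example
Content-Type: text/plain

Reset it here: https://login-verify.example/reset?u=user
"""
```

Running `triage(enrich(SAMPLE_REPORT))` yields `confirmed-phish`; a plain internal notice with no links closes automatically, and an unknown external sender with a link is escalated.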
As we documented in our Voice of the Analyst survey, however, the majority of SOC personnel spend more time monitoring events than on any other activity. Yet event monitoring is one of the least effective ways for them to use their time. Human analysts have neither the capability to review all events comprehensively, nor the cognitive ability to discern which ones represent the “needle” of malicious activity within the “haystack” of alert data. If we are really looking to reduce manual labor in the SOC so as to lower costs, it makes sense for most organizations to consider investing here.