Challenges facing security teams are common knowledge: an increase in alert volume, a stark security skills gap, piecemeal processes, and siloed tools.
Drawing on a broad array of industries, a new report examines the stages of the incident response lifecycle, how current product capabilities help overcome these challenges, and which capabilities are still missing from security products today.
The study, entitled “The State of SOAR Report, 2019,” looks at Security Orchestration, Automation, and Response (SOAR) in the security incident response lifecycle. Security provider Demisto commissioned the study, which surveyed 552 respondents from various industries.
In this report, Demisto broadened its focus from SOAR to the security incident response lifecycle. This lifecycle is a continuous and cyclical process of alert ingestion, enrichment, management, investigation, response, and measurement. It is meant to serve as a vendor-neutral view of how security teams handle incidents today. The report provides an overview of the security incident response lifecycle and the findings from each stage of the lifecycle.
As more organizations leverage SOAR for incident response, Demisto found that their willingness to use automatable playbooks increased as well. This year, 52 percent of respondents cited using either automated playbooks or a combination of automated and manual playbooks for implementing incident response processes. This is a stark departure from Demisto’s 2018 State of SOAR report, in which over 50 percent of respondents said they either did not have set processes in place or that the processes were rarely updated after initial implementation.
In addition, organizations continue to rely heavily on Security Information and Event Management (SIEM) tools for multiple stages of the incident lifecycle. Seventy-five percent of respondents said they used SIEMs for incident ingestion and enrichment, 66 percent leveraged SIEMs for investigation, and 66 percent preferred SIEMs for tracking metrics and performance.
Also, while security products continue building up diverse feature-sets with the aim of becoming a “one stop shop,” organizations still prefer to rely on a suite of security products with niche strengths.
Forty-eight percent of respondents cited using six or more security tools for incident response. More than 68 percent of respondents preferred using “best of breed” products across vendors rather than purchasing multiple solutions from the same vendor. With these points in mind, product interconnectivity across vendors is crucial for good user experience.
Within the “manage” phase of the incident lifecycle, more than 60 percent of respondents wished for tools that automatically captured information for post-incident review. A mobile application for incident management was also desirable, with 47 percent of respondents including it in their wish list and only 25 percent of respondents claiming to have mobile support from their current products. Other capabilities in demand included the ability to add notes and tags to individual artifacts (51.27 percent) and the ability to reconstruct incident timelines (51.27 percent).
For incident investigation, 60 percent of respondents cited an “evidence board” and “attack reconstruction” as abilities they needed but currently lacked. Since investigation is usually a time-consuming and tool-spanning process, respondents also desired a common platform for cross-team investigation (53.54 percent) and automated remote execution of actions across security tools (52.36 percent).
In addition, 60.5 percent of respondents confessed to manually updating point product policies, highlighting a time sink that security products have still not successfully plugged. However, among respondents that used SOAR, 60.5 percent said they did not need to manually update point product policies. Looking at wish lists, almost 54 percent of respondents cited the need for industry-specific response templates. Roughly 52 percent of respondents also wished for live runs of playbooks for each incident.
SOAR products have now grown to the point where they are a critical part of the SOC puzzle.
Around 33 percent of respondents used SOAR for incident ingestion and enrichment, 28 percent used SOAR for each of case management and incident investigation, and close to 33 percent used SOAR for each of response and performance measurement. With SOAR products championing so many of the features that respondents included in their “wish lists,” the data suggests that SOAR solutions will continue to ensconce themselves in security teams’ daily work.