Security automation and orchestration can be a spectacular feat of security analytics. However, it is hardly a game changer for the mid-market enterprise. SOAR (Security Orchestration, Automation, and Response) and other security automation platforms have tremendous potential—but they’re not “silver bullet” solutions. Getting real value and effective cybersecurity from these tools still requires a human touch.
Let's do some manual analysis of the situation.
A typical mid-size customer receives about 10 cybersecurity incidents per month. The incidents vary, but for the sake of argument let's say 8 of the 10 are scanning activity that requires a simple block at the web application firewall. With an automation solution, one would imagine an analyst confirming the incident and clicking a button to block, or—better yet—the block just happens. This is great! Your analyst saved about an hour in analysis and response time.
The other 2 incidents are infected laptops. These investigations require somewhat heavier lifting. Luckily, your automation solution is able to collect some data (the operative word being “some”). However, after about 30 minutes of review, your analyst realizes they need more context and jumps back into the SIEM (Security Information and Event Management) to extract additional data points. On the plus side, they also use this as an opportunity to update the automation logic so that this search is included in future incidents of this type. So, we'll say the initial data gathering saved about 15 minutes per incident and we lost around 30 minutes reconfiguring the automation solution. Total time saved that month: approximately 2 hours.
Now for the real question: How much does this solution cost you versus the time that was saved? My guess is you saved around $120 ($60/hour for your analyst times the two hours saved) in labor and it cost you no less than $2,000 just for the automation solution that month. Deflates the value a bit, doesn't it?
The Value of Human Experts for Cybersecurity
We may see a bit more return on this investment in the future as the solution is further tuned. However, at these incident counts your time savings may never outweigh your investment. Not to mention, what happens 6 months from now when your data, tools, environment, business, and team members change? Who set up those rules? Do they still work? Is anyone relying on them anymore? And who knows how to configure it?
Turnover is a real problem in the security industry, and full automation and orchestration does not solve it. A fully employed industry has a 4 percent unemployment rate. The cybersecurity industry currently has an unemployment rate so low it is measured in decimal places. These automation and orchestration solutions do not put a dent in this real problem that mid-market enterprise companies face today. As much as they're marketed as solving these specific problems, they're not going to move the security needle.
These solutions are great when you need to scale and standardize your approach to security analytics. They’re great when you're able to develop a training program centered around your solution and its associated processes. The promise of security automation and orchestration is compelling for those who must work at scale. Being able to work hundreds, or even thousands, of incidents a day with this underlying standardization across your customer base is an investment worth its weight in gold. However, most companies do not need this, and do not have the expertise necessary to respond to the incidents anyway.
Platform + Intelligence + Experts = Effective Cybersecurity
My advice is to focus on what matters: your business. If your core competency is not managed security, why attempt to piece together point solutions, such as a security automation and orchestration platform, that require the continuous overhead of configuration, tuning, and monitoring? You should be focusing your team’s time on identifying and creating the policies and processes that govern the way your company conducts business securely. Use industry experts to provide feedback and perspective based on their core competency and experience.
Let's start doing this the right way and use the right solution for the right problem. Don’t assume an automation tool alone will protect you, and don’t try to paddle upstream by attempting to manage it yourself. Focus on your core competency and start seeking ways to do it securely.