Today’s digital enterprises face escalating cybersecurity risks. The software supply chain is constantly under threat, as malicious actors target vulnerabilities within popular open-source packages and common dependencies. Cloud-native threats — misconfigurations, insecure defaults, and leaked keys, among others — persist. In addition, most organizations are ill-equipped for the newfound ubiquity of web APIs and their unique access control repercussions.
If you think that’s a lot to respond to manually, you’re not alone! To increase cybersecurity response across the board, enterprises continue to turn to automation for areas like threat detection and incident alerting. Yet, although organizations are automating various elements of their security strategy, they are still inconsistent where levels of security maturity, which vary widely from business to business, are concerned. Plus, technological incompatibilities continue to pose a common barrier to sweeping security automation initiatives.
ThreatQuotient’s “2022 State of Cybersecurity Automation Adoption” report analyzes the current condition of cybersecurity automation throughout today’s distributed enterprises. The study highlighted the key drivers behind cybersecurity automation and found that the majority of organizations experience pain problems implementing these initiatives.
Below, I’ll review the study to pick out some key takeaways that security professionals should consider as they seek to treat cybersecurity as a business enabler — not a business inhibitor.
State of Cybersecurity Automation
First off, it’s clear that cybersecurity automation is of growing significance to information technology (IT) and security professionals. The study found that 68% say cybersecurity automation is important. This attitude will likely direct purchasing decisions in the coming year, as 98% have increased their automation budgets.
Threat intelligence management and incident response are some of the most popular cybersecurity automation use cases. Yet, the report found that alert triage is lagging in adoption — only 18% of respondents are automating alert triage. ThreatQuotient defines alert triage as:
“The process of efficiently and accurately going through alerts and investigating them to determine the severity of the threat and whether or not the alert should be escalated to incident response.”
Application logs and monitoring tools produce a ton of data, so much so that engineers are often left drowning in a sea of observability data. It can be challenging to sift through alerts to separate false positives from actual incidents. As such, increased automation for alert triage is an important area to decrease manual review time and prioritize security incidents. Streamlining the response process is one way to meet performance objectives and reduce mean time to recovery (MTTR).
Although cybersecurity automation sounds like an easy win, getting there is a challenging prospect. 97% report difficulties in rolling out automation initiatives. According to respondents, the top roadblock is technology issues — 21% say technology issues prevent automation. This is likely due to the complexity of managing different technological stacks and dealing with a slew of legacy toolsets across an enterprise. Other common barriers include skill shortages and a lack of management buy-in.
In gauging their automation maturity, the report found that the majority (62%) rate themselves at level two or three on a scale of one to five. These organizations might not yet have a security operations center (SOC) or security information and event management tools (SIEM) in place, suggests the report.
Another persisting quandary is determining the return on investment from security automation projects. The report found that businesses don’t have a quantitative measurement of success here — they tend to rely on qualitative measurements, like how resources are managed or staff effectiveness. A recent SANS cyber threat intelligence (CTI) survey also found that groups struggle to measure CTI program effectiveness. Whenever possible, quantitative measurements are more objective and preferred to weigh the ROI of a new solution.
In terms of drivers for cybersecurity automation, increasing efficiency and responding to the skills shortage rank as high reasons across the board. But these drivers change depending on the sector you’re in. For example, within government, most security automation initiatives are driven by regulation and compliance. And financial services companies are the most likely to consider cybersecurity automation important (75%). This makes sense as financial services face the most threats as they hold highly valuable payment data and personally identifiable information.
Interestingly, the perceived importance of cybersecurity automation has dropped significantly in the retail sector, from 82% in 2021 to only 50% this year. These changes could reflect changing priorities amid economic uncertainties. “Now, the environment has changed; retailers are facing the prospect of recession and belt-tightening, so there’s less room for new automation investment,” posited the report.
ThreatQuotient suggested some high-level recommendations for cybersecurity professionals to consider, summarized as follows:
- Begin with use cases proven to show value.
- Align context with relevant and high-priority events.
- Simplify complexity with low-code/no-code automation platforms.
- Adopt security platforms that cover a broad spectrum of automation.
- Define clear metrics and directives to get management buy-in.
- Standardize on platforms with open architectures.
The “2022 State of Cybersecurity Automation Adoption” queried 750 senior cybersecurity professionals in the U.K., U.S., and Australia from companies employing more than 2,000 people. Above, we covered some of the key takeaways from the study. For deeper information on sector-specific insights and regional and role-based snapshots, you can pick up the full copy here.
Want more cybersecurity insights? Visit the Cybersecurity channel: