As automation tools mature, they tend to pull teams into alignment. Despite organizational politics, silos and finger pointing, a shared automation platform can bring the various parties in an IR scenario onto the same page. The general counsel's office, teaming up with the chief risk officer, the CISO and the outsourced SOC, can refer to a common incident taxonomy, understand each other's roles and responsibilities, communicate effectively (on-site and off-site) through specific tools and build real-time playbooks.
What's more, all of these records can be shared for compliance and insurance purposes and stored for post-mortem analysis, enhancing the corporate knowledge base. In an AlgoSec survey of 350 C-suite professionals, 75 percent of respondents said they expect automation to reduce audit preparation time and improve compliance, and 50 percent said they expect it to help with the IT skills shortage and the reliance on experienced security engineers.
Augmenting your SOC: In a recent HP Whitepaper titled "State of Security Operations - 2016 report of capabilities and maturity of cyber defense organizations," the researchers write that "The most capable and mature SOCs are bringing incident-handling responsibilities closer to the frontline of operations teams."
A SOC is an extension of your internal team and can operate with speed and agility as long as both sides use the same tools for collaboration and automation. The HP whitepaper further states that orchestrating duties before, during and after a breach can reduce the cost of the breach. "Hybrid organizations must pay special attention to escalation and shift turnover processes between insourced and outsourced functions. Strictly defined and followed processes ensure that all relevant information is passed between groups and allows for the best capabilities at identifying and isolating breaches." Indeed, as virtual SOCs come into play, the need for centralized repositories for communication and coordination gains importance.
Not everything can be automated: We have yet to see meaningful leaps in automation in vulnerability scanning and static code analysis. "Most tools suck - it's mind boggling," says Kyle Randolph, principal security engineer at Optimizely. "Key and credential management areas have the potential. But auto scanning tools are a negative ROI."
The Register recently reported that vulnerability scanners generate anywhere from 50% to 89% false positives. Chris Steipp, senior security engineer at Wikimedia Foundation, adds that while automation is critical, static code analyzers have identified "only two legit issues in five months, having scanned over 25% of our code base."
Despite such limitations, the promise of security automation is that it can scale any CISO's defense posture. Yet not everything can be automated, nor will we ever be fully secure.