Demisto Releases State of SOAR 2018 Report
September 2018 by Demisto
Demisto announced the results of their second annual State of SOAR Report 2018. Notably, the study found that SOAR tools are expected to improve conditions for security analysts amid difficulties caused by high alert volume, staffing difficulties, and piecemeal processes. The survey also found that respondents understood the value of SOAR and estimated that it could help across a range of issues including the reduction of false positives, prioritizing incidents after risk determination, coordinating actions across security tools, and automating repeatable response actions.
Security teams are struggling with rising alerts and scarce resources to battle those alerts. They understand the value that SOAR can bring across security operations and incident response; however, security teams are in dire need of assistance. The second annual State of SOAR report found that it took an average of eight months to train security analysts to be effective, yet a quarter of these professionals changed organizations within two years. Inundated with more than 174,000 alerts every week, security teams were able to review and respond to around 12,000 of them. Roughly 79 percent of respondents felt that they didn’t have enough people in their Security Operations Center (SOC), and as a result reported an average Mean Time to Respond (MTTR) of 4.35 days for resolving incidents.
“Today’s business landscape is a balancing act between technological progression and security. Workplace changes and technical innovations have made it easier to do business, but securing these diverse advances is an enormous task that falls upon overworked security teams,” said Rishi Bhargava, Co-founder of Demisto. “We’ve seen plenty of research that highlights the unending growth in security alerts, a widening cyber security skills gap, and the ensuing fatigue that is heaped upon understaffed security teams. That’s why we conducted this study – to dig deeper into these issues, their manifestations, as well as possible solutions. Our results produced captivating insights into the state of SOAR in businesses of all sizes.”
Lack of Cohesion Across Tools
According to the report, the industry lacks standardization that would simplify and streamline processes for security teams:
• 75 percent of respondents found working with multiple security tools to be fairly/very challenging.
• 72 percent of respondents found process and result improvement very/fairly challenging.
• Nearly 42 percent of respondents cited that they didn’t have a system in place to measure IR metrics.
• More than 50 percent of respondents stated that they either did not have process playbooks in place or that the playbooks were rarely updated after initial implementation.
“Security deployment is fractured due to innumerous specialized tools, making it difficult for security teams to manage alerts across disparate systems and locations, particularly considering the talent shortage present in security today,” said Bhargava. “There is a great opportunity for SOAR tools to help unify these products and processes, using automated response to reduce alert fatigue and direct analysts to the most harmful alerts.”
The Time is Ripe for SOAR Tools
This year’s survey showed an increase in “readiness to automate,” with 70 percent of respondents stating that SOAR tools would be beneficial for automating response. Besides the growing market validation of automation, this increase in willingness is likely connected to the fact that all four major security challenges revealed by research participants were related to human capital shortages.
Around 62% of respondents cited threat hunting as an expected benefit of SOAR (specifically automation). SOAR tools have a unique capability combination: they’re able to ingest threat data from multiple sources, and they’re able to execute automated playbooks that rapidly check for these threats across user environments. When executed correctly, threat hunting and SOAR work hand in glove.
SOAR tools also benefit case management and workflows. Over 50% of respondents stated that they rarely updated processes, highlighting a lack of both analyst time and process intelligence to make updates happen. Most respondents (49.8 percent) use ticketing platforms to document incident response actions. Since ticketing platforms are designed to be ‘static’ and capture moment-in-time comments and flows, they prevent the dynamic, fast workflow changes that are necessary in the face of sophisticated attacks. SOAR platforms can and should be capable of both integrating with third-party ticketing tools and providing their own, more modular and flexible case management that’s better suited to security use cases.
Methodology: Demisto sponsored this independent, third-party study conducted with security professionals working for companies ranging from 500 to 20,000 employees. Approximately 57 percent of respondents were management-level employees, while 43 percent were individual contributors. Nearly 85 percent of companies were in North America, with the rest located in EMEA, LATAM, and APAC.