Security Automation Priorities and Challenges: How Do You Compare to Your Peers?

CELINE GAJNIK

ThreatQuotient’s new survey on the State of Cybersecurity Automation Adoption is now available for download. Conducted by the independent research organization Opinion Matters, the survey includes responses from 250 senior cybersecurity professionals representing the following industries: central government, defense, critical national infrastructure (energy and utilities), retail and financial services.

Since there are many different definitions of security automation, for purposes of the survey, we defined it as follows: Security automation is the machine-based execution of security actions with the power to programmatically detect, investigate and remediate cyberthreats – with or without intervention. This is done by identifying incoming threats, triaging and prioritizing alerts as they emerge, and responding to them in a timely way. By using security automation, security analysts are freed up from mundane, labor-intensive activities and can focus more of their efforts on high value work. 

Given the potential value of automation to an organization, it may not surprise you to learn that 95% of respondents have automated at least some of their processes and 98% intend to automate more in the next 12 months. But it isn’t all good news. Nearly all of them (92%) also report they encountered issues when implementing security automation. One of the biggest problems is a lack of trust in outcomes (41%). Security leaders doubt the accuracy of the detection of threats and fear the consequences of automating the containment or mitigation responses and the prospect of detrimental impact and damage from doing this incorrectly. 

Technology was cited as a top blocker that is preventing organizations from applying IT security automation, which leads us to believe that respondents don’t trust the automation capabilities built into technologies such as SIEMs, Endpoint Detection & Response and Security Automation & Orchestration solutions. They are comfortable automating basic tasks such as sending out notifications or running a threat intelligence query, but security leaders lack confidence when it comes to automating more advanced tasks. It is clear from the responses that process-driven automation creates issues around lack of trust and survey participants often feel this can lead to bad decisions.

Undeterred, respondents also told us some of the additional use cases they are looking to automate in the future include threat intelligence processing, incident response and incident management, and vulnerability management. To enable organizations to maximize their value from security automation, we at ThreatQuotient have long believed that automation must be data driven. Only when security operations teams can trust the data and have confidence in their decisions, can they take automation to new levels and automate more use cases. That’s why we designed the ThreatQ Platform to enable data-driven security operations.

For example, for threat intelligence processing, the ThreatQ Platform begins by ingesting structured and unstructured data from all your internal and external sources. The platform aggregates, deduplicates, normalizes and enriches the data for you. Then, using parameters you set, the ThreatQ platform prioritizes intelligence based on risk to your organization so analysts can focus on threats that matter most instead of spending time chasing ghosts. In addition to scoring and prioritization, analysts control expiration. What’s more, the platform serves as a single source of truth. As more data and learnings are added to the repository, the system automatically scores and rescores intelligence to maintain ongoing confidence in the data.
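As an added illustration of the aggregate, deduplicate, normalize, score and rescore-with-expiration loop described above (example code written for this page, not ThreatQ platform code; feed names, indicator values and the scoring weights are constructed assumptions):

```python
from datetime import datetime, timedelta

# Constructed feed records from three hypothetical sources; indicator values
# are documentation/placeholder values, not real IOCs.
RAW_FEED = [
    {"source": "feed-a", "type": "domain", "value": "Evil.Example", "seen": "2023-03-01"},
    {"source": "feed-b", "type": "domain", "value": "evil[.]example", "seen": "2023-03-05"},
    {"source": "feed-a", "type": "ip", "value": "203.0.113.7", "seen": "2023-01-10"},
    {"source": "feed-c", "type": "ip", "value": "203.0.113.7", "seen": "2023-03-02"},
    {"source": "feed-c", "type": "ip", "value": " 198.51.100.9 ", "seen": "2022-11-20"},
]

def normalize(value):
    """Undo common defanging and case differences so duplicates collapse."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def aggregate(records):
    """Deduplicate by (type, normalized value); keep the set of corroborating
    sources and the most recent sighting for each indicator."""
    merged = {}
    for r in records:
        key = (r["type"], normalize(r["value"]))
        seen = datetime.fromisoformat(r["seen"])
        entry = merged.setdefault(key, {"sources": set(), "last_seen": seen})
        entry["sources"].add(r["source"])
        entry["last_seen"] = max(entry["last_seen"], seen)
    return merged

def score(entry, now, expire_after=timedelta(days=90)):
    """Assumed weights: 10 points per corroborating source, and 0 once the
    indicator has not been seen within the expiration window."""
    if now - entry["last_seen"] > expire_after:
        return 0
    return 10 * len(entry["sources"])

def rescore(merged, now_iso):
    """Recompute every score as of a given date; running this again as new
    data arrives is what keeps confidence in the repository current."""
    now = datetime.fromisoformat(now_iso)
    return {f"{t}:{v}": score(e, now) for (t, v), e in merged.items()}

if __name__ == "__main__":
    print(rescore(aggregate(RAW_FEED), "2023-03-10"))
```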

A data-driven approach is also essential for instilling confidence in automating incident response and management. Process-focused playbooks are inherently inefficient and complex and, unless updated with relevant data, can reduce confidence in actions taken, because playbooks can automate and orchestrate noisy data, which creates more noise. ThreatQuotient’s data-driven approach puts the “smarts in the platform” and not in individual playbooks. This provides for simpler configuration and maintenance, and more efficient and effective automation outcomes. Users can curate and prioritize data upfront, automate what’s relevant and simplify the actions taken.

The ThreatQ Platform’s data-driven capabilities also accelerate and improve the outcomes of vulnerability management. Historically, organizations prioritize patching and other mitigation efforts based on limited and inward-facing data such as server vs. workstation, employee role, asset criticality, vulnerability score and patch availability. Patching remains a time-consuming process and doesn’t consider how the vulnerability is being exploited in the wild or the risks specific to the organization. The ThreatQ Platform ingests data from external sources so you can understand the threats and which vulnerabilities threat actors are leveraging. By correlating that data with internal data, you can determine relevance to your environment. For example, a vulnerability that is related to a specific adversary campaign, with indicators of compromise (IOCs) that have been seen in your SIEM and/or ticketing system, should be addressed immediately. A vulnerability whose related threats and IOCs have not been known to target the industry you are in can be watched and is lower priority. And a vulnerability with no known adversaries using it and no associated IOCs may indicate it is not being exploited in the real world yet and can be deprioritized.
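The three-tier decision rule above, as an added example (written for this page, not ThreatQ code) that correlates external threat context with internal sightings. The CVE ids, campaign names, indicators and sightings are constructed placeholders, and the example adds one tier the text leaves implicit: a vulnerability whose related threats do target your sector but whose IOCs have not yet been seen internally.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    cve: str
    campaigns: frozenset           # adversary campaigns known to exploit this CVE
    iocs: frozenset                # indicators associated with those campaigns
    targeted_industries: frozenset # sectors those campaigns are known to target

# Tiers from most to least urgent
IMMEDIATE, PRIORITIZE, WATCH, DEPRIORITIZE = "immediate", "prioritize", "watch", "deprioritize"
RANK = {IMMEDIATE: 0, PRIORITIZE: 1, WATCH: 2, DEPRIORITIZE: 3}

def prioritize(vuln, internal_sightings, our_industry):
    """Classify one vulnerability by correlating external context (campaigns,
    IOCs, targeted sectors) with indicators observed in our own SIEM/tickets."""
    if not vuln.campaigns and not vuln.iocs:
        return DEPRIORITIZE    # no known adversary use and no IOCs: not exploited yet
    if vuln.iocs & internal_sightings:
        return IMMEDIATE       # related IOCs already seen in our environment
    if our_industry not in vuln.targeted_industries:
        return WATCH           # active threats, but not known to target our sector
    return PRIORITIZE          # assumed tier: targets our sector, nothing seen yet

def triage(vulns, internal_sightings, our_industry):
    """Return (cve, tier) pairs ordered from most to least urgent."""
    tiers = [(v.cve, prioritize(v, internal_sightings, our_industry)) for v in vulns]
    return sorted(tiers, key=lambda t: RANK[t[1]])

# Constructed sample data: placeholder CVE ids and documentation-range indicators
SIGHTINGS = frozenset({"203.0.113.7", "bad-updater.example"})  # seen in SIEM/tickets
VULNS = [
    Vulnerability("CVE-0000-0001", frozenset({"Campaign-A"}),
                  frozenset({"203.0.113.7"}), frozenset({"retail"})),
    Vulnerability("CVE-0000-0002", frozenset({"Campaign-B"}),
                  frozenset({"198.51.100.9"}), frozenset({"defense"})),
    Vulnerability("CVE-0000-0003", frozenset(), frozenset(), frozenset()),
    Vulnerability("CVE-0000-0004", frozenset({"Campaign-C"}),
                  frozenset({"c2.example"}), frozenset({"retail"})),
]

if __name__ == "__main__":
    for cve, tier in triage(VULNS, SIGHTINGS, "retail"):
        print(cve, tier)
```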

The State of IT Security Automation Adoption report overwhelmingly shows that CISOs are using automation and want to expand their use cases, but lack of trust in outcomes stands in the way. However, when CISOs can trust the data, they can have confidence in decision making which leads to confidence in automating more advanced tasks.

Download your copy of the State of IT Security Automation Adoption now to read the full results. To see how ThreatQuotient can help you gain confidence to apply automation to more use cases, schedule a demo.
