August 12, 2019
Managing an enterprise’s security posture and mitigating risk continues to be a top of mind concern for corporate executives. Enterprises are not only spending more on technologies to prevent attacks, but also establishing procedures for quickly and effectively responding to a breach. However, as organizations develop holistic security strategies that span each phase of the lifecycle of an attack -- Identify, Protect, Detect and Respond -- they are facing significant challenges in terms of finding the needed expertise and automating manual, reactive procedures.
For enterprises, embracing new digital business models holds the promise of more efficient operations and greater customer intimacy. However, adoption of new digital technologies and architectures can increase an organization’s exposure to new vulnerabilities. Whether it’s moving to a public/private cloud model or implementing IoT initiative, IDC research shows that security is the biggest concern that companies have when adopting new technologies. For this reason, concerns around security can slow the pace of innovation.
There is no doubt that the money enterprises spend on improving their security posture is compromised by the increasing sophistication and ever-advancing capabilities of adversaries. Organizations have a myriad of adversaries they need to protect against, and these range from less sophisticated attackers to highly motivated and well-funded attackers that utilize advanced technologies and tools to exploit vulnerabilities. This latter group often possesses technologies and tools that are far more advanced than those used by corporations to thwart their attacks.
Moreover, in an increasingly connected business environment where partners and customers have anytime anywhere access to an organizations infrastructure, attackers have a much wider attack surface to utilize and exploit vulnerabilities and achieve their goals.
Organizations have found it difficult to build an effective internal organization to manage their security posture, largely due to the lack the in-house security expertise. Companies looking to build the requisite capabilities in-house can also find it challenging due to the cost of hiring in-house staff with expertise across a range of potential security threats. Even though the number of security professionals continues to grow, at an industry level, there is still a talent shortage for qualified security professionals. This puts compensation for security professionals with deep experience at a premium price level. For organizations, the challenge to find security experts can be both a budgetary and human resource issue.
AIRO: A New Approach to Threat Analysis, Detection and Response
In response to the security challenge organizations are facing, there is currently a shift in the market toward a new approach to security detection and response. Organizations have typically been reactive to security threats, often responding to a threat well after it has occurred. However, using a combination of automation, analytics, intelligence, response and orchestration (AIRO), companies can take a more predictive/proactive posture against security threats by augmenting human analyst efforts for faster detection and response.
Historically operations and incident response teams worked in a traditional IT service management ITSM structure of level 1, 2, 3 (L1, L2, L3). L1 analysts were junior and performed the task of being the first "eyes on screen" scrolling through vast amounts of security log and event data.
With AIRO technologies, L1 tasks are performed increasingly by the tool which with the help of machine learning which ingests, correlates, synthesizes and reduces the funnel time to determine actual events that need to be addressed.
The result is a compression of L1 and L2 activities, which accelerates the opportunity for discovery and remediation of actual threats, and the redeployment of security operations staff to concentration on high-order tasks.
Conclusion
IDC believes that AIRO capabilities are provided in various consumption models. Organizations using managed security services for their security management requirements, will find AIRO capabilities imbedded into the ongoing monitoring tasks of Managed Security Service providers (MSSPs). Also, dedicated services offered by service providers can be used to augment an organizations internal threat detection capability.
Given the various security challenges businesses face today and the demands for the business to respond more proactively and rapidly to a security breach, utilizing AIRO for threat detection analysis and response augments the security team's ability to identify threats in their environment and optimize its efforts by bringing more rigorous threat hunting capabilities to the L1 process.