The cybersecurity profession is in a state of crisis: There simply aren't enough workers to go around. CyberSeek published a cybersecurity supply and demand heat map that painted a picture that's rosy for employees but gloomy for employers: There were over 300,000 cybersecurity job openings from September 2017 through August 2018 and around 700,000 people employed in the field in 2017. That means that over 30% of cybersecurity positions were unfilled.
There's no end in sight to filling the cybersecurity skills gap, and most analysts predict that the shortage is going to get worse, rather than improve. Security leaders are turning to human resources teams to help them recruit and retain talented professionals, but that's simply not going to be sufficient to solve the problem.
Security orchestration, automation and response (SOAR) programs offer an alternative means for addressing the cybersecurity skills gap: work smarter, not harder. SOAR efforts promise to automate the routine work of cybersecurity, which carries several important benefits. First, it reduces an organization's cybersecurity staffing burden by reducing the number of work processes that require human intervention. Second, SOAR efforts tend to target the more mundane tasks assigned to security professionals, allowing them to focus on more fulfilling work that uses their talents and skills. Third, SOAR allows security teams to tackle work that was simply left unaddressed in the past by creating scalable automated processes. Finally, SOAR improves response times, allowing security controls to react to events quickly, before they escalate into full-blown crises.
Let's take a look at three areas that SOAR promises to cure of the ills the cybersecurity skills gap creates.
SOAR opportunity #1: Log processing
Any analyst who has ever sorted through the logs generated by a security control knows the fundamental truth of this work: It's tedious, error-prone and difficult. Combing through the millions of log events generated each day is a thankless task that, quite frankly, is often left unperformed, especially in an era with a gaping cybersecurity skills gap.
Security information and event management (SIEM) tools offer some relief from this burden by consolidating logs from a wide variety of sources and allowing the automated correlation and analysis of information. SOAR efforts take SIEM to the next level by allowing those automated analyses to trigger responses. For example, a SOAR task might identify a brute-force SSH attack against a web server and immediately insert a rule into the network firewall blocking traffic from that source. In contrast, by the time a human analyst noticed the attack, it would likely be over, leaving no opportunity for an effective response.
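As an added illustration of the brute-force SSH playbook described above (example code, not from the original article or any particular SOAR product), the following Python reads sshd log lines, applies a per-source sliding-window failure threshold so that a single mistyped password does not trigger a block, and renders the enforcement action as an nftables set element with a timeout. The log lines are constructed, and the table and set names (`inet filter`, `ssh_blocklist`) are assumptions about the enforcement step.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog sample: one source hammering root, one user with a single typo.
SAMPLE_LOG = """\
Mar  4 10:00:01 web01 sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  4 10:00:03 web01 sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar  4 10:00:04 web01 sshd[2105]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  4 10:00:06 web01 sshd[2107]: Failed password for root from 198.51.100.23 port 50128 ssh2
Mar  4 10:00:07 web01 sshd[2109]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar  4 10:00:09 web01 sshd[2111]: Failed password for root from 198.51.100.23 port 50132 ssh2
Mar  4 10:01:15 web01 sshd[2140]: Failed password for alice from 192.0.2.10 port 41000 ssh2
Mar  4 10:01:40 web01 sshd[2142]: Accepted password for alice from 192.0.2.10 port 41002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every failed SSH login line; ignore the rest."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; relative ordering is all the window needs.
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (first_failure_in_window, failures)} for each source that
    reached `threshold` failures inside any `window_seconds` span. Flag once per source."""
    recent = defaultdict(list)
    offenders = {}
    for ts, src in parse_failures(log_text):
        cutoff = ts - timedelta(seconds=window_seconds)
        recent[src] = [t for t in recent[src] if t >= cutoff] + [ts]  # slide the window
        if len(recent[src]) >= threshold and src not in offenders:
            offenders[src] = (recent[src][0], len(recent[src]))
    return offenders

def block_rule(src, ttl_seconds=3600):
    """Render the response action: add the source to an nftables set whose elements expire.
    Assumes a set created with `flags timeout`; table and set names are illustrative."""
    return f"nft add element inet filter ssh_blocklist {{ {src} timeout {ttl_seconds}s }}"

def run_playbook(log_text):
    """Detection feeding response: one time-limited block action per offending source."""
    return [block_rule(src) for src in sorted(detect_bruteforce(log_text))]

if __name__ == "__main__":
    for action in run_playbook(SAMPLE_LOG):
        print(action)
```

The timeout on the set element gives the block a natural expiry, so a mis-fire does not become a permanent outage for a shared or NAT'd address.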
SOAR opportunity #2: Threat intelligence
Many organizations now purchase threat intelligence subscription services that provide timely security information. These services often include IP address reputation feeds that identify the addresses of known malicious actors in near real time. These feeds offer another opportunity for security automation. By incorporating threat intelligence feeds directly into firewalls, routers and intrusion prevention systems, security teams can automatically block known malicious addresses before they even attempt an attack.
SOAR opportunity #3: Account lifecycle management
Account management processes are also a prime target for automation activities. Most organizations already use some form of automated account management, typically automation of the provisioning and deprovisioning processes as employees enter and leave the organization. Other opportunities for SOAR efforts in this area include identifying dormant accounts and pushing them into a deactivation workflow, flagging permission combinations that violate separation of duties principles and automating periodic access reviews. SOAR can't cure the cybersecurity skills gap, which must still be addressed. But it is one means for dealing with the issue.