Editor’s note: This post is part of an ongoing series on IT predictions from Google Cloud experts. Check out the full list of our predictions on how IT will change in the coming years.
Prediction: By 2025, 90% of security operations workflows will be automated and managed as code
There is not enough funding, resourcing, skills, or broadly applicable solutions to help manage security risk effectively across modern technology environments. Organizations are struggling to identify which alerts and security areas to prioritize while moving quickly through their digital transformation. This challenge is compounded by an exponential increase in data volume, alert fatigue, financial costs, and overall complexity. To combat this, organizations are looking to drive better developer hygiene, leverage more managed services and cloud-native capabilities, use products and solutions that provide greater security-by-default, and shift to security engineering over operations, to manage risk at scale.
Security operations — traditional detection and response workflows — are notoriously overburdened with toil. There are quite simply too many events and not enough people to scale them. Legacy tools coupled with a high bar for security engineering have made it very difficult for organizations to build effective, scalable solutions to manage threats in modern technology environments. As a result, there’s a cybersecurity talent shortage of over 700,000 jobs, which will likely increase and never be filled.1
This new 90/10 split predicted between automated and manual detection and response events can allow security operations teams to focus on their critical security work: threat research and operationalizing threat intelligence, proactive hunting, solving for visibility challenges, maturing alert triage and response automation capabilities, and more importantly, shifting security operations knowledge “left.” This last point can drive a deeper relationship with developers and improve the preventive security of the overall infrastructure.
To achieve this vision, we’ve developed the Autonomic Security Operations (ASO) framework, a holistic and novel approach to modernizing people, processes, and technologies – enabling organizations to adopt Google’s cloud-scale engineering approach to threat management. This framework underpins our substantial technology investments in Chronicle Security Operations, VirusTotal, Mandiant, and beyond.
At the core of ASO is Continuous Detection, Continuous Response (CD/CR), a model we’ve developed for traditional security operations teams to help shift away from the assembly-line approach to managing threats and adopt an agile operating model centered around establishing continuous feedback loops across the core areas of detection and response, in order to objectively and iteratively improve an organization’s security capabilities. It’s heavily grounded in our own approach to security as well as other methodologies, such as DevOps, SRE, Detection Engineering, and Agile.
Some examples of the CD/CR model include:
Taking an API-first approach to security operations. We’ve heavily invested in developing APIs for most aspects of Chronicle Security Operations, allowing organizations to codify their approach to threat management from instantiating visibility, developing and deploying security analytics, creating response automation playbooks, and deploying dashboards, to tracking KPIs.
Deploying security analytics as-code. While we’re developing curated built-in detections in Chronicle Security Operations and native threat-detection capabilities through Security Command Center, we’re also fostering community collaboration on developing security analytics in our Community Security Analytics repository.These analytics can be deployed as-code across Chronicle and other analytics tools in Google Cloud.
In order for security operations teams to become an autonomic function of their organizations and scale across the threats their businesses face, they will need to adopt modern, developer-friendly workflows like CD/CR, which can free them to prioritize the most important threats to their organizations.
If you’d like to learn more about Google Cloud’s approach to automating security operations, start with the white paper Autonomic Security Operations: 10X transformation of Security Operations Center and watch our latest ASO webinar.
Cloud BlogRead More