FINDING #2: Automation Isn’t a Luxury—It’s a Necessity
More is becoming too much: nearly 45% of DFIR professionals report that the soaring number of investigations and volume of data they must consider together represent either an extreme (13%) or large (32%) problem.
DFIR professionals are feeling burnt out, and reinforcements aren’t on the way. More than half (54%) of respondents agreed with the statement, “I am feeling burnt out in my job,” and an even larger proportion (64%) agreed that alert/investigation fatigue is a contributor. At the same time, recruiting, hiring, and onboarding DFIR professionals is a major challenge, so expanding the team to share the load isn’t a simple proposition.
Automation already exists within most IT environments, including within SOCs, but digital forensics is a specialized field, with specialized functions. Free up human expertise and accelerate investigations by automating DFIR tasks that are today executed manually.
Automation has enormous potential to help increase the scale and efficiency of forensic investigations, both of which are needed to keep pace with rising demands.
It’s worth emphasizing that the greatest promise of automation comes from helping DFIR personnel, not replacing them. By automating time-consuming and repetitive tasks that extend investigation timelines and contribute to burnout, automation will allow DFIR practitioners to concentrate on higher-level thinking that only they can do well—like getting to root cause, refining how incidents are detected, and identifying gaps in evidence. Additionally, this time gained back can help positively impact the signal-to-noise ratio as DFIR personnel can help to differentiate between low-severity and malicious activity.
of DFIR professionals indicate that investments in automation would be highly or extremely valuable for a range of DFIR functions.
Automation is already in place in many SOCs, but those solutions (e.g., security orchestration, automation and response, or SOAR) orchestrate and automate cybersecurity runbooks by taking telemetry, enforcing actions (e.g., on endpoints, on network controllers, etc.) and using other tools. While important for threat containment and remediation, these runbook-related activities are distinct from those performed by digital forensics automation solutions, which execute a data transformation pipeline (e.g., collecting and processing evidence) by orchestrating, automating, performing, and monitoring forensic workflows.
Indeed, despite the widespread adoption of SOAR platforms and similar cybersecurity solutions, the survey reveals that there remains much opportunity for digital forensic-specific automation investments to enable valuable improvements in DFIR outcomes.
It’s essential for organizations to find solutions that work with their current tools and custom scripts versus scrapping their toolbox to start over. Automation platforms should be adaptable to maximize compatibility with orchestrating the alerting and response workflows organizations already have in place.
Today’s corporate DFIR professionals are under enormous pressure to conduct fast and thorough investigations. Unfortunately, three developments are contributing to a landscape that can be characterized by one word: more. As in more investigation types, more investigations overall, and more data involved with each investigation.
And practitioners are recognizing the risk that comes with these demands (Figure 5). 45% of respondents regard the growing volume of investigations and data as either an extreme (13%) or large (32%) problem. Every indication is that data volumes will continue to grow and that DFIR experts will be pulled into more investigations, so organizations need to invest in tooling—like automation—that can help experts keep pace.
Crucially, when investing in DFIR automation, it’s important that the solutions work with the existing toolset, otherwise they could further an existing problem (37% of respondents indicated that a lack of tool integration is at least a large problem). Automation should address problems, not create new ones!
Corporate DFIR practitioners are already feeling the impact of the soaring volume of investigations and data, plus other demands of the job (Figure 6). Nearly 30% strongly agreed that alert/investigation fatigue is a real issue, and more than 20% strongly agreed with the statement that “I am feeling burnt out in my job.”
Leaders need to take these warning signs seriously. There’s no quick fix when a fifth of the team leaves for less stressful pastures. More than 30% of respondents strongly agreed that recruiting and hiring DFIR professionals is a major challenge, and 27% strongly agreed that onboarding new hires is also challenging.
Globally, there’s a well-documented shortage of cybersecurity professionals, and it will be many years (if ever) before the gap is filled by new graduates from specialized post-secondary training programs. Today, automation can help to address some of these personnel challenges by freeing up the in-house expertise that an organization already has. As well, organizations should invest in tools that extend some DFIR functions to other security personnel and in solutions that enable faster analysis by presenting data in an intuitive and easy-to-understand way.
As the ongoing digital transformation has caused data volumes to soar, it has become more difficult for DFIR practitioners to access, collect, process, and analyze the range of artifacts needed to obtain a complete view of an incident.
At the same time, the set of potential data sources has rapidly expanded to now include computers, mobile devices, software-as-a-service (SaaS) applications, cloud-based storage, IoT devices, and practically anything with telemetry (e.g., automobiles).
Unfortunately, today’s workflows still rely too much upon the manual execution of many tedious and repetitive tasks, consuming expertise and slowing down investigations. For example, when evidence is needed from several endpoints, it often falls on the investigator to proceed in a one-by-one sequence until all the data is collected and processed. Only then can they examine the evidence and prepare a report.
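As an added illustration of the forensic data-transformation pipeline the report describes (collect, process, monitor, report), run across several endpoints at once rather than in a one-by-one sequence, the following script is example code written for this page; it is not code from the report or from any vendor product. The hostnames, log fragments and the unreachable host are constructed sample data, and the "collector" simply reads bytes from an in-memory dictionary where a real tool would perform remote acquisition.

```python
"""Minimal DFIR evidence pipeline: collect -> process -> report, executed in
parallel across endpoints, with per-host status tracking and acquisition hashes
so that gaps in evidence and integrity problems are visible in the report."""
import hashlib
import json
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field, asdict

# Constructed sample "endpoints": hostname -> raw artifact bytes (hypothetical
# process-creation log fragments standing in for what a collector would acquire).
SAMPLE_ENDPOINTS = {
    "ws-01": b"2024-05-01T10:00:01Z user=alice proc=powershell.exe parent=outlook.exe\n"
             b"2024-05-01T10:00:05Z user=alice proc=notepad.exe parent=explorer.exe\n",
    "ws-02": b"2024-05-01T10:02:11Z user=bob proc=chrome.exe parent=explorer.exe\n",
    "ws-03": None,  # simulates an unreachable host (collection failure)
}


@dataclass
class EvidenceRecord:
    host: str
    status: str = "pending"
    sha256: str = ""
    size: int = 0
    events: list = field(default_factory=list)
    error: str = ""


def collect(host: str, source: dict) -> EvidenceRecord:
    """Acquisition stage: fetch raw bytes and hash them immediately so every
    later stage can be checked against what was originally acquired."""
    rec = EvidenceRecord(host=host)
    raw = source.get(host)
    if raw is None:
        rec.status = "collection_failed"
        rec.error = "host unreachable"
        return rec
    rec.sha256 = hashlib.sha256(raw).hexdigest()
    rec.size = len(raw)
    rec.events = raw.decode().splitlines()
    rec.status = "collected"
    return rec


def process(rec: EvidenceRecord) -> EvidenceRecord:
    """Processing stage: parse raw lines into structured events. A failed
    collection is carried through unchanged instead of aborting the run."""
    if rec.status != "collected":
        return rec
    parsed = []
    for line in rec.events:
        ts, *pairs = line.split()
        event = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        parsed.append(event)
    rec.events = parsed
    rec.status = "processed"
    return rec


def run_pipeline(source: dict, workers: int = 4) -> dict:
    """Run collect+process for all hosts concurrently and build a report that
    records per-host outcome, so the analyst sees which evidence is missing."""
    def stage(host: str) -> EvidenceRecord:
        return process(collect(host, source))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        records = list(pool.map(stage, sorted(source)))
    return {
        "hosts": {r.host: asdict(r) for r in records},
        "collected": sum(r.status == "processed" for r in records),
        "failed": [r.host for r in records if r.status == "collection_failed"],
        "total_events": sum(len(r.events) for r in records if r.status == "processed"),
    }


def verify_integrity(report: dict, source: dict) -> bool:
    """Re-hash the original bytes and compare with the acquisition-time hash."""
    for host, info in report["hosts"].items():
        raw = source.get(host)
        if raw is None:
            continue
        if hashlib.sha256(raw).hexdigest() != info["sha256"]:
            return False
    return True


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_ENDPOINTS)
    print(json.dumps(result, indent=2))
    print("integrity ok:", verify_integrity(result, SAMPLE_ENDPOINTS))
```

The design point is that the pipeline never stops on one bad host: a collection failure is recorded as a status the report surfaces explicitly, and the hash taken at acquisition lets the processed output be tied back to the original evidence, which is the kind of bookkeeping a manual one-by-one workflow tends to leave to the investigator.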
These tasks don’t require applied brainpower yet still consume an expert’s time and, while necessary, they are already a known issue: 37% of respondents characterized time-consuming repetitive tasks as either a large or extreme problem in the context of investigations (Figure 5).
Additionally, the lack of integration and interoperation noted above often forces DFIR professionals to constantly switch from one forensic tool to another. Over time, and across the growing number and complexity of investigations, all this switching adds up—slowing down investigations and wasting the time of experts who are already in short supply.
Again, DFIR professionals are pointing the way forward (Figure 7). More than half of respondents indicated that investments in automation would be either extremely or highly valuable for a slew of DFIR tasks, led by remote acquisition of endpoints (56%).
VALUE OF FUTURE AUTOMATION INVESTMENTS (MOST VALUABLE TO LEAST VALUABLE)