5 Common Incident Response Problems that SOAR can Help Solve

By Stan Engelbrecht July 31, 2017 incident-response, security-orchestration-automation-response

Most companies that are struggling with their incident response program fall into two categories:

  1. They don’t realize what their problems are, because they’ve always done things a certain way
  2. They know exactly what their problems are, but don’t have the resources to fix them

Whichever category your company is in, you probably have many of the same problems as other organizations. There are a handful of universal issues with which almost every incident response program struggles. Incident response platforms (IRPs) have always offered some assistance with these issues, but recent advances in automation and orchestration technology have vastly expanded the impact an IRP can have.

In this post, we’ll look at five of the most common incident response problems and how an IRP that leverages automation and orchestration can help solve them.

Problem #1: Lack of Personnel

Perhaps the most obvious problem to many security analysts is that they are too busy to give major incidents the time they deserve. It’s no secret that most SOCs are understaffed and overworked. Unfortunately, this problem reinforces itself: if a company is unable to hire enough analysts, their analysts become stressed and dissatisfied; those employees are more likely to quit, which makes the hiring problem even worse.

An IRP with security automation solves the two problems going on here: the quantity and quality of analysts’ work. With automated investigations and actions, analysts don’t have to spend their time on repetitive low-risk tasks. Better information to identify false positives also reduces the number of alerts analysts need to respond to, and automated reporting and notifications mean analysts can collaborate without getting bogged down in time-consuming administrative tasks.

Being able to focus primarily on challenging security incidents keeps analysts happy, and should result in lower turnover across your security team.

Problem #2: Lack of Context

Ironically, the problem that security analysts face isn’t a lack of information; it’s that there’s too much information with no way to make sense of it. In most SOCs, an overwhelming amount of security data comes in through multiple systems, but it stays in those separate repositories. When an analyst is evaluating a new incident, they have to gather the information they need manually, going from system to system.

With automation in place, each incident can be automatically enriched with both external information (e.g. file reputation, threat intelligence) and internal information (e.g. SIEM data, link analysis, previous incident records). This immediately establishes the context of the incident, not only saving analysts from wasting time gathering data, but also isolating the important information that should inform their decisions.

Problem #3: Lack of Scalability

Your existing incident response processes might work fine—but only at a certain scale. Manually managing tasks, communications, and investigations is feasible for minor incidents, but when a major incident hits, you’ll be in trouble. Incidents that involve thousands of workstations, compliance reporting, and complex forensics will quickly reveal the shortcomings of an ad hoc incident response program.

A centralized platform with automation and orchestration features is the best way to scale your response capability and prepare for major events. Automation allows you to conduct investigations and take actions at a large scale, instead of, for example, manually pulling data from every affected system and blocking individual IPs. Orchestration features leverage centrally logged data to communicate tasks across teams and execute workflows throughout the company, facilitating fast and consistent response at scale.

Problem #4: Lack of Collaboration

In most organizations, teams work in silos. These divisions are reinforced by the tools teams use, because without common software solutions, it is especially hard to communicate securely, share data, and work together on tasks. Many companies are forced to rely on emails, spreadsheets, and other makeshift methods for communication and collaboration.

For collaboration to be efficient, secure, and properly archived, there needs to be one centralized system that supports users beyond the security team. An IRP with security orchestration features can perfectly meet this need. Automated notifications, reporting, and task assignments make collaboration part of the everyday workflow. Task management dashboards and case management folders enable users to track and share work across teams. As an added benefit, a strong IRP will have configurable access controls, so data confidentiality can be preserved when sharing incident records between teams.

Problem #5: Lack of Prioritization

Reducing incident volume isn’t the only way to alleviate the strain on your analysts. You can also do it by effectively prioritizing the incidents they deal with. Many companies don’t have a way to determine how potentially serious an alert is until after it’s been investigated. This leaves most analysts spending the majority of their time chasing after alerts that turn out to pose no real threat.

Organizations with solid incident record data have an incredible resource to tap into, yet many don’t even realize it. By tagging every resolved incident as either a false positive or a true positive, you can build a dataset that your IRP can mine to learn what factors most highly indicate false positives. Then automation and orchestration can be used to automatically resolve events that are very likely to be false positives, or sort them to a lower priority position in analysts’ queues.
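As an added illustration of the approach described above (example code written for this post, not D3’s product and not real SOC data): a small Python scorer that mines analyst-tagged incident records for the attribute values that most strongly indicate false positives, then uses those factors to auto-resolve or deprioritize new alerts. The record fields, the sample history, and the triage thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from math import exp, log

# Constructed sample of resolved incident records: each carries a few categorical
# attributes plus the analyst's closing verdict, "FP" (false) or "TP" (true positive).
RESOLVED_INCIDENTS = [
    {"source": "ids", "asset": "workstation", "hour": "business", "verdict": "FP"},
    {"source": "ids", "asset": "workstation", "hour": "business", "verdict": "FP"},
    {"source": "ids", "asset": "workstation", "hour": "after_hours", "verdict": "FP"},
    {"source": "av", "asset": "workstation", "hour": "business", "verdict": "FP"},
    {"source": "av", "asset": "workstation", "hour": "business", "verdict": "FP"},
    {"source": "ids", "asset": "server", "hour": "business", "verdict": "FP"},
    {"source": "ids", "asset": "server", "hour": "after_hours", "verdict": "TP"},
    {"source": "edr", "asset": "server", "hour": "after_hours", "verdict": "TP"},
    {"source": "edr", "asset": "workstation", "hour": "after_hours", "verdict": "TP"},
    {"source": "edr", "asset": "server", "hour": "business", "verdict": "TP"},
]

def learn_fp_factors(records, smoothing=1.0):
    """Mine the tagged history: for each attribute value, the log-likelihood ratio of
    seeing it in a false positive vs. a true positive (Laplace-smoothed, no zero/inf)."""
    counts = defaultdict(Counter)   # (attribute, value) -> {"FP": n, "TP": m}
    totals = Counter()              # verdict -> number of records
    values = defaultdict(set)       # attribute -> distinct values seen
    for rec in records:
        totals[rec["verdict"]] += 1
        for attr, val in rec.items():
            if attr != "verdict":
                counts[(attr, val)][rec["verdict"]] += 1
                values[attr].add(val)
    llr = {}
    for (attr, val), c in counts.items():
        p_fp = (c["FP"] + smoothing) / (totals["FP"] + smoothing * len(values[attr]))
        p_tp = (c["TP"] + smoothing) / (totals["TP"] + smoothing * len(values[attr]))
        llr[(attr, val)] = log(p_fp / p_tp)
    prior = log((totals["FP"] + smoothing) / (totals["TP"] + smoothing))
    return prior, llr

def fp_probability(alert, model):
    """Naive-Bayes style estimate that an alert is a false positive; unseen values add 0."""
    prior, llr = model
    score = prior + sum(llr.get((attr, val), 0.0) for attr, val in alert.items())
    return 1.0 / (1.0 + exp(-score))

def triage(alert, model, auto_resolve=0.9, low_priority=0.6):
    """Auto-resolve near-certain false positives, push likely ones down the queue."""
    p = fp_probability(alert, model)
    if p >= auto_resolve:
        return "auto-resolve"
    if p >= low_priority:
        return "low-priority"
    return "analyst-queue"
```

The thresholds should be tuned against your own history, and every auto-resolved event should still be logged so the decision can be audited and the model re-tagged when it is wrong.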

D3’s Incident Management Platform is a comprehensive solution that harnesses the latest innovations in automation and orchestration for fast, conclusive, and scalable incident response. D3’s platform is built to support some of the largest, busiest, most advanced security teams in the world, which is why more than 100 of the Fortune 500 already use D3. Schedule a demo today to learn more.

Stan Engelbrecht

Stan is the director of D3’s cybersecurity practice and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure organization- and industry-tailored solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.
