Sometimes it seems like you need to be a CISSP just to understand the variety of incident response platforms (IRPs) on the market. Cybersecurity incident response is still a relatively young industry, and the solutions on offer comprise a wide range of different functionality and technology. Compounding this confusion is the fact that the terminology used to define products is inconsistent across vendors. The result is that buyers are left in the undesirable position of relying on vendors to explain to them what they need.
In order to clarify the landscape and arm prospective customers with the information they need, we’ve created an Incident Response Buyer’s Guide. While there are many valid approaches to designing an IRP, our experience in the field has led us to believe that certain features and capabilities are universally valuable. We’ve listed them in the guide, and made our case for why they will help your incident response program. We’ve also included a section on deliverables that you can measure to assess an IRP’s effectiveness, and another on how to evaluate vendors.
A quick run-through of each section is below, but be sure to check out the complete Buyer’s Guide here, in order to get the full value.
In our Buyer’s Guide, we’ve broken out our discussion of the platform into two sections: (1) Effectiveness and Ease-of-Use, and (2) Key Features. The first section looks at the characteristics of an IRP that will maximize its value over time, and allow it to support your business requirements. These include:
- Workflow orchestration: Is the IRP you’re evaluating capable of streamlining the administrative aspects of incident response with custom workflows, automated notifications, and collaborative tools?
- Scalability: How to assess an IRP’s ability to grow alongside your needs, both in terms of volume and scope (e.g. new integrations, incident types, and regulatory requirements).
In the second section, we list 10 key features that every effective IRP should have. These include:
- Investigative link analysis: The connections that help you understand the context surrounding each incident.
- Security automation: Reducing analyst workload by automating time-consuming tasks that don’t require human input.
- Threat intelligence enrichment: Adding the latest information from the cybersecurity community into every incident record.
- Forensics case management: Bringing multiple related incidents, and artifacts, together for deeper collaborative investigations.
Features are only as good as the outcomes they lead to. In this section of the guide, we discuss five deliverables that you should be aiming for when evaluating your IRP, and your incident response program as a whole. These include:
- Reduced incident response times: Speed is key to mitigating damage, so a new IRP should be able to accelerate your average response through automation, well-defined workflows, robust reporting, and more.
- Reduced incident volume: One of the long-term goals for your incident response program should be to reduce recurring incidents. Your IRP can support this goal through root cause analysis and corrective action.
A great deal of an IRP’s value comes from the vendor that produces it. IRPs evolve over time, requiring an active vendor that maintains, upgrades, and innovates in order to keep the product on the cutting edge. In this final section, we provide three characteristics by which you can assess an incident response vendor: experience, expertise, and engagement. If a vendor is strong on all three, you won’t just be getting good software, you’ll be benefiting from a team of attentive experts who provide your incident response program with specialized support.
This is just a small sampling of the content in our comprehensive Buyer’s Guide. Download the guide to get the complete set of must-have features, insider tips, and assessment criteria.