Automation and orchestration have quickly become an integral part of incident response (IR), and grabbed the industry’s attention in the process. That’s because SOC and IR teams have long needed a way to keep up with daily barrages of advanced threats and alerts. But the shine of the spotlight has attracted a number of vendors who are narrowly focused on developing and marketing automation features, rather than a full-lifecycle, enterprise-grade incident response platform.
Automation and orchestration are important—they’re integral parts of D3’s incident response platform after all—but there are a lot of other important aspects to cybersecurity incident response. During a security incident, no analyst wants to waste time jumping between applications, collaborating via insecure email, and generating analytics in Excel, but that is the reality of having a solution that can’t support the full incident lifecycle.
When looking for a full-lifecycle incident response solution, here are three key features you should keep in mind, because a lot of automation and orchestration platforms don’t do them very well—or in many cases, don’t do them all.
Every incident occurs in a greater context, and while automation is great for gathering and presenting data from threat intelligence, reputation checks, and SIEM, it still doesn’t tell you:
- How a threat came into your organization (the root cause)
- What you need to do to stop it from happening again (corrective action)
- What you can do better next time (lessons learned)
This is where case management is invaluable. Being able to manage and document the entire incident workflow creates a database of high quality information that can be used in root cause analysis, event timelines, trend reports, and link analysis. The best case management systems even guide users through important processes like identifying root cause and assigning corrective actions, making conclusive remediation an integral part of the program.
Using case management, analysts can also streamline investigations by grouping related incidents together, easily search across past incident data, and reduce task duplication through built-in auto- and cross-correlation features. These capabilities help IR teams improve over time through better information and more efficient processes.
Truly comprehensive incident response programs regularly involve groups outside of the security team. An often-overlooked consideration is that, in order for this collaboration to be secure and compliant, your platform needs to have granular access controls.
Access controls allow data owners to control exactly who can access the data, down to specific fields within an incident record. This level of control is necessary because privacy regulations in many industries and jurisdictions closely restrict who is allowed to access certain types of data, such as personally identifiable information. Strong access controls also bolster information security, because every person who has unnecessary access to sensitive data creates additional risk of data leakage.
Access controls are surprisingly neglected in most automation and orchestration-focused incident response platforms, which either offer shallow functionality or none at all. However, they are an important component of any solution that can provide value beyond the security team, such as through collaboration with legal, HR, PR, and the executive team.
Automating incident response tasks is a great way to keep analysts focused on the most important things, but this efficiency comes at the cost of decreased visibility into the processes as a whole. When analysts aren’t looking at certain types of tasks, they are much less likely to notice problems.
This is why automation and orchestration should be complemented with robust reporting capabilities. Reports give you a clear view of your incident response program, either on an ad hoc basis, or regularly scheduled so you don’t miss anything. Reporting is the best way to identify trends and understand links within your data. It also is invaluable for measuring performance, allowing you to assess your employees and the effectiveness of your program, such as identifying procedural bottlenecks.
Reporting is how the day-to-day activity of your SOC is communicated within the security team, to supervisors, and to upper management. Without strong reporting, you won’t have easy access to the data you need to inform strategic decisions. Which is what makes it such a conspicuous absence from many automation and orchestration platforms.
The D3 Full-Lifecycle Solution
D3 does automation and orchestration, but that’s just part of our platform. Because our solution has evolved out of more than 15 years of incident response experience, we have a strong foundation in place. That means robust case management, compliant granular access controls, and reporting on basically any data you can think of. We even go beyond that with features and modules like root cause analysis, link analysis, threat intelligence integrations, and much more.
We think that vendors should offer complete solutions, not just one piece of the puzzle. Check out our incident response buyer’s guide to see all of the characteristics that we think you should insist on from your incident response platform, or book a demo to see our technology in action.