- SOAR 101
Incident response platforms (IRPs) are powerful software solutions with wide-ranging feature sets. Many features are common across platforms, but each vendor has a unique approach to incident response, and the features they include or omit from their solution will reflect that perspective. At D3, we’ve been honing our approach to incident response for the past 15 years. Here are 10 features that we think all companies should look for when they are choosing an IRP.
To empower employees across your organization to report incidents, look for a solution with a built-in enterprise-level ticketing system, or at the very least a strong integration with a third-party solution. This feature helps you leverage the knowledge of your entire workforce, not just your security team.
Most IRPs will support some basic SIEM integration, such as receiving alerts and using SIEM data to enrich incident records. The best solutions go further, supporting two-way integration for custom searches and digital forensics.
Even the most experienced security analyst will benefit from access to the collective knowledge of the cybersecurity industry. Threat intelligence feeds collect and share the latest information on known cybersecurity threats. Integrations with these feeds will enrich your incident records with contextual information to streamline threat identification and triage.
Playbooks are how an IRP helps your analysts determine, execute, and track their actions in response to an incident. For the highest quality response, the playbooks that guide your processes should be based on proven standards, such as the NIST 800-61 Incident Handling Guide, with room for specialization and customization when required.
Automation can cause problems when overused, but is a big time-saver for some tasks related to information gathering, such as looking up SIEM data, IP reputation, IP geolocation, file reputation, and attaching SIEM log files to incident records. Also valuable is the ability to do manual follow-up investigations via a command line interface to an external source, such as a SIEM or threat intelligence feed.
The future of incident response is the convergence of security, risk management, and compliance. An IRP should not be solely a tool for the security team; it needs to support your compliance obligations, such as Cyber SAR, HIPAA data breach reporting, and 23 NYCRR 500. Workflows and playbooks should include steps for compliance, and the IRP should allow for collaboration with your compliance team.
A strong visual interface can be the difference between just having the data and truly understanding it. Dashboards give analysts a clear look at the most important data, with options to save presets, drill down, and chart analytics. Dashboards can also be used for project management, as a quick way for an analyst to see the status of their tasks and the latest investigation updates.
For your incident response processes to evolve over time, you need to be able to make sense of patterns and trends across the incidents that you encounter. Link analysis shows you the connections between everyone and everything, such as the people involved in cases, threat indicators, locations, investigations, and more.
A major cyberattack is rarely limited to a single incident, but many IRPs restrict analysts to managing each incident separately. Case management allows you to bring together multiple related incidents—along with their associated contextual data, analyst notes, and digital evidence—in a unified case to avoid repeating tasks across each incident.
Many IRPs only go as far as treating the symptoms. A more effective solution will go deeper to identify and remediate the root cause of the problem, which helps prevent recurring incidents from overwhelming your team.
There are many valid approaches to incident response, and every organization’s needs are different; however, we believe these 10 core features to be universally valuable for any incident response program. To learn more about the components of an effective IRP, read our white paper, Go Beyond Incident Response: the Benefits of a Complete Incident Management Platform.
To Learn More About D3’s Incident Response Platform Click on the Button Below to Schedule a Demo