Why an IT Ticketing System Won’t Work for Incident Response

Cybersecurity incident response is a relatively young corporate function. So it’s no surprise that companies are trying to leverage tools they already have to manage incidents and assign tasks. For many organizations, this means trying to configure an incident management workflow into their IT ticketing or IT service management (ITSM) product.

Not surprisingly, ITSM vendors and their user bases—IT teams—support this approach; however, cybersecurity folks need to be careful. ITSM tools simply don’t have the case management, orchestration and reporting capabilities that are the hallmark of a good incident response platform. Even ITSM products with dedicated incident response modules lack important access control and security features because they’re built on a platform meant to be open and accessible, not granular and secure.

We can all agree that the worst time to realize your incident response solution doesn’t cut it is during a major incident or data breach. That’s why we’ve put together this blog post and the whitepaper below: to help customers better understand the differences between IT ticketing and incident response platforms.

How Would an IT Ticketing System “Work”?

IT ticketing systems are used to create, assign, update, and track “tickets” across an organization. They have been designed specifically for use in an IT support role. To use an IT ticketing system for incident response, an analyst would have to:

  • Manually create a ticket upon detection or notification of a security event by a disparate or siloed system
  • Manually gather and correlate relevant contextual information from other data sources
  • Manually assign a ticket owner and priority level
  • Manually assign other stakeholders for collaboration
  • Ensure that all users record changes or notes in the ticket, through to the point of resolution
  • After the event, manually create reporting and metrics that are important to incident responders

As you can tell, there are many manual processes and no integration, orchestration or automation that makes an analyst smarter and faster. This process will lengthen task/case assignment, incident processing and remediation times, and drastically heighten the risk posed by fast-moving threats like ransomware or other advanced persistent threats (APTs).

Understand the Downsides

Poor Security and Confidentiality

IT ticketing systems are designed to be open and accessible, not secure and confidential. Most systems do not have the access controls in place to adequately protect the confidential or sensitive information that is included in many security incidents. This can create information security vulnerabilities and compliance violations, and can also result in reducing the effectiveness of incident response, because analysts must be selective about the information they include in incident records.

Poor access controls also add to the risk of a data breach. A malicious outsider who gains access to even a junior-level account can move indiscriminately throughout the system, with access to the most confidential data.
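The two paragraphs above contrast an open access model with one that scopes each incident record to the people who need it. The following Python is an added illustration, not D3's code or any ticketing product's API; the roles, clearance levels, case identifiers and case contents are all constructed. It shows how many records a single low-privilege account can read under each model, and how sensitive fields are redacted when an assignee's clearance is below the case classification.

```python
"""Need-to-know access control for incident records (added illustration).

Contrasts the open model the post attributes to IT ticketing tools, where any
authenticated user can read any record, with a scoped model where a user must
be assigned to a case and hold sufficient clearance to see its sensitive
fields. Everything here is constructed sample data, not a real system.
"""
from dataclasses import dataclass, field

# Classification / clearance levels in ascending order of sensitivity (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass
class User:
    name: str
    clearance: str  # one of LEVELS

@dataclass
class Incident:
    case_id: str
    classification: str  # one of LEVELS
    assignees: set
    summary: str
    # Fields only assignees with clearance >= classification may see in the clear.
    sensitive: dict = field(default_factory=dict)

# Denied or redacted reads are recorded here so they can be reviewed later.
access_log = []

def open_model_view(user, incident):
    """Open ticketing model: any authenticated user gets the whole record."""
    return {"case_id": incident.case_id, "summary": incident.summary, **incident.sensitive}

def need_to_know_view(user, incident):
    """Scoped model: assignment is required to see the case at all, and
    sensitive fields are redacted when the user's clearance is too low.
    Returns None when the user may not see the case."""
    if user.name not in incident.assignees:
        access_log.append((user.name, incident.case_id, "denied: not assigned"))
        return None
    view = {"case_id": incident.case_id, "summary": incident.summary}
    if LEVELS[user.clearance] >= LEVELS[incident.classification]:
        view.update(incident.sensitive)
    else:
        access_log.append((user.name, incident.case_id, "redacted: insufficient clearance"))
        view.update({key: "[REDACTED]" for key in incident.sensitive})
    return view

def enumerate_visible(user, incidents, policy):
    """Return every record the user can open under the given policy. This is
    the 'move indiscriminately through the system' measurement: with a
    compromised account, how much of the case load is exposed?"""
    return [v for inc in incidents if (v := policy(user, inc)) is not None]

def sample_cases():
    """Constructed incident records for the demonstration."""
    return [
        Incident("INC-1001", "internal", {"junior", "lead"},
                 "Phishing email reported by a user",
                 {"affected_host": "ws-042"}),
        Incident("INC-1002", "restricted", {"junior", "lead"},
                 "Possible executive mailbox compromise",
                 {"affected_user": "exec-mailbox@example.invalid"}),
        Incident("INC-1003", "confidential", {"lead"},
                 "Suspected IP exfiltration from file server",
                 {"file_list": "project-roadmap.xlsx"}),
    ]

if __name__ == "__main__":
    cases = sample_cases()
    junior = User("junior", "internal")
    print("open model:", len(enumerate_visible(junior, cases, open_model_view)), "cases readable")
    print("need-to-know:", len(enumerate_visible(junior, cases, need_to_know_view)), "cases readable")
    for entry in access_log:
        print("audit:", entry)
```

Under the open model the junior account reads all three records in full; under the scoped model it reads two, with the restricted case's sensitive field redacted and the third case invisible. The audit entries are the kind of signal a SOC can alert on when one account suddenly trips many denials.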

Ill-Equipped to Respond to Cyberattacks

Modern hacking methods are fast, agile, and sophisticated. IT ticketing systems, because of their reliance on manual execution of information gathering, threat validation, and triage of incidents, cannot keep up with this type of attack. In general, IT ticketing systems do not integrate with SIEM or threat intelligence sources, and do not offer any automated investigative capabilities. They are simply for identifying and tracking issues. Unfortunately, in the current cybersecurity environment, by the time an analyst can manually assess and input all of the contextual information related to a malware attack, the damage has probably already been done.

Not Designed for Incident Response

Organizations that use IT ticketing systems for incident response generally do so because it is the only option they have in place. While these systems may close some organizational gaps, and—with some creative deployment—support a rudimentary incident response program, the truth is they are not designed to be used in this way. Even if the system appears to be meeting an organization’s needs for secure and compliant incident response, it is likely compromising the speed, definitive resolution, and clearly defined delineation of responsibilities that are necessary for an effective long-term incident response program. After all, the workflow may look good in your planning meetings, but once deployed the technology must be able to handle multiple major incidents, consistently and swiftly.

IT Ticketing Systems vs. D3 Incident Management

D3’s Incident Management Platform is purpose-built to support every aspect of the incident response lifecycle, from deeply configurable integration with SIEM and other source systems, to various built-in tools for validation, triage, response and root cause analysis. D3 supports granular information access controls, which ensure that no one can see information that is beyond their level of authorization. This capability, which can be linked to an organization’s Active Directory, is particularly useful during data breaches that involve intellectual property, or confidential or protected information.

D3 technology empowers a company’s incident response function to take fast, informed, and conclusive action against any incident or breach. Flexible and adaptable, our platform can even help analysts manage zero-day attacks through real-time orchestration, link analysis and threat intelligence enrichment, capabilities not seen in any ITSM platform. From integration with SIEM and threat intelligence, to its powerful incident response playbook library and automation capabilities, the D3 platform provides the tools and tactics needed for cyber incident response in today’s major enterprise.

No ITSM platform can say the same.

To learn more about why IT ticketing systems don’t offer an adaptable, effective approach to today’s sophisticated cyber threats, download our whitepaper.

Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.