How Security Orchestration and Automation Fit into Your Incident Response Plan
In the wake of a security incident, you need to be able to respond fast and effectively. There are many frameworks today that help you develop your incident response plan, and provide a step-by-step approach to follow when an incident occurs. But even with a framework to guide you, many of the steps are tedious, repetitive, and time-consuming.
This is where incident response orchestration and automation come in.
In this post, we’ll take a look at some of the most commonly used incident response frameworks and how you can orchestrate your tools and processes, and use incident response automation to accelerate time-to-response.
Incident Response Frameworks
Many organizations rely on incident response frameworks to develop their own internal processes. Before we cover where automation fits in, let's take a look at popular frameworks in use today.
Developed By: National Institute of Standards and Technology
What it Does: The NIST framework is designed to help organizations develop their incident response teams and processes in order to properly plan for, assess, respond to, and recover from potential threats.
The main components of the NIST incident response plan are:
Preparation → Detection and Analysis → Containment, Eradication, and Recovery → Post-Incident Activity
For more information on this framework, view the complete documentation here.
Developed By: Computer Emergency Response Team (CERT)
What it Does: This handbook includes a popular framework which companies often use to model their own incident response plans. The handbook also covers how to set up an incident response team, as well as the tools and workflows to use to effectively respond to security events.
The main components of the CERT incident response plan are:
Reporting and Detection → Triage → Analysis → Incident Response
For more information on the formation of a CSIRT and CERT’s other guidelines for creating an incident response plan, view their documentation here.
ISACA Incident Management and Response
Developed By: The Information Systems Audit and Control Association (ISACA)
What it Does: This framework is an incident response plan companies use when becoming COBIT compliant. This plan models the ways in which companies can manage risk and establish controls and protections over information systems, technologies, and intellectual property.
The main components of ISACA's incident management and response plan are:
Planning and Preparation → Detection, Triage, and Investigation → Containment, Analysis, Tracking, and Recovery → Incident Closure
For more information on implementing ISACA's incident management and response framework, view their documentation here.
Developed By: International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
What it Does: ISO/IEC 27035 is a rigid, formal incident response framework that organizations are required to implement when becoming ISO 27001 compliant; it establishes specific, detailed steps for managing and responding to security threats.
The main components of the ISO/IEC incident response plan are:
Notification → Classification → Treatment → Close → Continuously Improve
For more information on the ISO/IEC incident response framework, view their documentation here.
Of course, there are many more incident response frameworks, but all plans incorporate many of the same concepts and goals, and can leverage automation accordingly.
Tips for Incident Response Automation
While each framework takes a slightly different approach, some more detailed and specific than others, there are four main stages in any incident response plan: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Automation is best leveraged in the middle of the incident response process, where the most detailed, repetitive, and time-sensitive tasks occur. These tasks include detection, analysis, and response, and are typically found in the containment and eradication phases. Of course, you'll need to integrate your systems and tools before automation can be utilized.
The other phases — preparation, recovery, and post-incident activity — are where your team’s time is best spent applying analytical and critical thinking, whereas the other steps can be almost entirely automated. Here’s what this can look like:
Automating Detection & Analysis
In this phase, the incident response team is notified of a potential issue and begins analyzing it to determine if it is in fact an incident. If so, it can be immediately escalated for containment and remediation.
Incident response automation can help with all three steps in this phase: notification, analysis, and escalation.
Email notifications often get lost in the daily deluge, so to ensure that no alert is missed, you can orchestrate your security tools and automate workflows to notify team members of an incident. This means that the moment one of your security tools detects suspicious activity, an alert can be sent directly to your incident management platform (e.g. PagerDuty) or a team-wide communication channel (e.g. Slack).
With alerts sent directly to the tools your team uses every day, you can ensure the right people see them at the right time.
To determine if an incident is real and gather further details, often you need to do some digging around. This can include IP lookups, domain investigations, log retrieval, account containment, and so on. If you’ve done any of these tasks, you know they can be quite time-consuming.
With incident response orchestration and automation, you can integrate the systems that contain this data and automate analysis tasks so that you and your team no longer have to bear the burden of manual work and can instead save time and effort for response.
If there is in fact a real incident, it needs to be escalated for remediation. This typically requires creating a high-priority ticket in a case management system such as JIRA and assigning it to the appropriate people. This, too, is a repetitive task that can be accomplished faster through automation.
Incident response automation can connect your security tools with your case management solution so that once the analysis phase is complete and the incident is verified as real, a ticket will be created automatically so that it can be escalated to the appropriate team member(s) and remediated immediately.
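The notification, analysis, and escalation flow described above, as an added example that is not part of the original post: a small playbook that enriches an alert with an IP reputation lookup and log retrieval, decides whether it is a real incident, and builds the ticket and chat notification for escalation. The `Alert` class, the `BAD_IPS`/`CORP_NET`/`AUTH_LOGS` data, the decision rule, and the ticket and notification dict shapes are all constructed for this example and are not a real JIRA, Slack, or PagerDuty API.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the integrations the post describes (an IP
# reputation feed, the corporate address range and a log store); nothing
# here calls an external service.
BAD_IPS = {"203.0.113.45": "known C2 address (constructed sample)"}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
AUTH_LOGS = (
    [{"user": "alice", "src": "203.0.113.45", "result": "success"},
     {"user": "bob", "src": "198.51.100.7", "result": "success"}]
    + [{"user": "dave", "src": "192.0.2.10", "result": "failure"}] * 6
    + [{"user": "dave", "src": "192.0.2.10", "result": "success"}]
)

@dataclass
class Alert:
    tool: str      # which security tool raised the alert
    src_ip: str    # source address the tool flagged
    user: str      # account involved
    notes: dict = field(default_factory=dict)  # filled in by enrich()

def enrich(alert: Alert) -> Alert:
    """Analysis step: IP lookup plus log retrieval, done by code rather than by hand."""
    hits = [e for e in AUTH_LOGS if e["src"] == alert.src_ip]
    alert.notes["internal"] = ipaddress.ip_address(alert.src_ip) in CORP_NET
    alert.notes["reputation"] = BAD_IPS.get(alert.src_ip)
    alert.notes["failed_logins"] = sum(e["result"] == "failure" for e in hits)
    alert.notes["successful_logins"] = sum(e["result"] == "success" for e in hits)
    return alert

def is_real_incident(alert: Alert) -> bool:
    """Decision rule (constructed): known-bad source, or a brute-force pattern
    (many failures then at least one success) from a single address."""
    n = alert.notes
    return n["reputation"] is not None or (n["failed_logins"] >= 5 and n["successful_logins"] > 0)

def escalate(alert: Alert) -> dict:
    """Escalation step: build the case ticket and the team notification. The dict
    shapes are assumptions for this example, not a real JIRA/Slack/PagerDuty API."""
    priority = "P1" if is_real_incident(alert) else "P4"
    summary = f"{alert.tool}: suspicious login for {alert.user} from {alert.src_ip}"
    ticket = {"summary": summary, "priority": priority, "evidence": dict(alert.notes)}
    notify = {"channel": "#incident-response", "text": f"[{priority}] {summary}"}
    return {"ticket": ticket, "notify": notify}

def run_playbook(alert: Alert) -> dict:
    """Notification -> analysis -> escalation with no manual hand-offs in between."""
    return escalate(enrich(alert))
```

In a real deployment the lookups and the `AUTH_LOGS` query would be replaced by calls to your threat intelligence and log platforms, and `escalate` would post the two payloads to your case management and chat tools.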
Automating Containment, Eradication & Recovery
Once an incident has been escalated and the appropriate team members receive the ticket, it’s time to jump into response mode. Responding to a threat also requires many detailed steps, including:
- Containing the threat
- Removing malicious code or artifacts
- Performing backups and restores
- Changing passwords and deprovisioning malicious users
- ...and more, depending on the specific incident
Each of these steps can take time, and with how fast threats can spread across networks and devices these days, it’s never been more important to accelerate the process of detecting, containing, and removing threats before they do significant damage.
Implementing Incident Response Automation
When brought into the incident response process, automation can accelerate event and incident notifications, analysis, and response. By orchestrating your security tools and automating workflows between them, incident response automation can handle much of the process so that your only job is restoring your business to normal function.
If you're ready to get started with incident response automation, we suggest reading our eBook on security automation best practices. In this guide, you'll learn:
- How to prepare your organization for success with automation
- Criteria for building or buying a security automation capability
- When to bring automation in for maximum effectiveness
- Which processes to automate and how to get started
About Jen Andre
Jen is the founder and CEO of Komand. Before Komand, she co-founded Threat Stack, a leading innovative cloud security monitoring company based out of Boston. She has spent a career in security working at companies Mandiant and Symantec and has a background in engineering and security operations.