Orchestrate incident response

Six steps to outsmart cyberthreats with security orchestration and automation.

Today’s SOCs are overburdened


Around the world and across all markets and industries, today’s security operations centers (SOCs) are overwhelmed. Numerous factors contribute to this ubiquitous problem, but three main issues lie at its heart: the increasing volume of cybersecurity incidents, the widespread shortage of qualified technology professionals and increasing enterprise complexity.

It isn’t just the high-profile data breach scenarios that are cause for alarm, although these attacks are some of the most serious threats that companies face. Malware and phishing attacks, everyday challenges to effective security monitoring and regulatory and compliance considerations are just some of the top concerns that IT and security professionals struggle with.

Every day, modern enterprises must contend with an array of specific cybersecurity challenges:


  • Volume of security alerts and false positives is growing.

  • Analyst time is consumed by reporting and metrics.

  • Cyberattacks are especially complex and targeted.

  • SOCs need to manage dozens of tools across multiple vendors.

  • Incident response is still too manual and reactive.

  • Privacy notification requirements are complex and time-consuming.


Incident response challenges are a large part of the problem

  • 77% of organizations don’t have a proper incident response plan¹

  • 57% of security professionals say the average time to resolve a security incident has increased in the past 12 months¹

  • 42% of security professionals say their organizations ignore a significant number of security alerts because they can’t keep up with volume²

  • 1.8M: the growing gap between available qualified cybersecurity professionals and unfilled positions by 2022³

  • $3.86M: average cost of a data breach⁴

Free your business to thrive with orchestration


The good news is that as a cybersecurity leader you can start solving these critical issues for your organization today and free your business to thrive both now and for the future. You can empower your security analysts with a comprehensive strategy that puts incident response (IR) processes and tools right at their fingertips when they need it most.


How? By instituting a proactive incident response process that is built on the foundation of people, process and technology, you can enable IT and security teams to:


  • Access the right information quickly and make the best decisions for stopping and remediating the attacks that threaten your business.

  • Leverage automation to keep up with the volume of alerts, increasing the productivity of security analysts and technologies.

  • Bridge the skills gap to conquer the speed and sophistication of modern cyberattacks.

  • Implement dynamic playbooks to manage different threat types with people, process and technology.

The key components of intelligent, orchestrated incident response

Security orchestration is a constantly evolving process, not an out-of-the-box product you can implement one time, flip a switch and never worry about again. However, if you take the time and effort to build your incident response strategy on the following core capabilities, you’ll have a strong foundation for defeating cyberthreats today and tomorrow, with built-in methods for fostering continuous improvement over time.


Key elements of a winning IR plan

  • Orchestration and automation

    – Robust, dynamic incident response playbooks that adapt in real time as incidents unfold.

    – Integration of your security information and event management (SIEM), incident response platform and other security solutions to enable automated incident escalation, enrichment and remediation.

    – Automation of repetitive and time-consuming tasks.

  • Human and artificial intelligence

    – Codified expertise and intelligence from your top security staff and experts across the organization.

    – Advanced threat intelligence and artificial intelligence to enhance incident investigation, unstructured data analysis and threat correlation.

    – Collaboration with external security experts to augment your team for threat intelligence, analysis and investigations.

  • Case management

    – An established system of record for measuring and analyzing incident response processes and performance.

    – Processes for applying learnings to IR plans as needs evolve.

    – Augmentation of your team’s capacity and skillsets with security services.


Key tactics: Cyberattack readiness checklist

As you begin the journey toward a more streamlined SOC, you may uncover numerous issues that need addressing at each phase of the cyberattack lifecycle. Before you dive into this guide, here’s a contextual overview of the key capabilities you’ll need to implement as you create a holistic defense strategy.

Before an attack

  • Prepare robust and automated IR workflows spanning people, process and technology.

  • Use human and artificial intelligence to identify threats and anomalies early in the attack cycle.

  • Build the right teams and help those teams develop, prepare and practice IR playbooks.

During an attack

  • Guide security analysts through a fast, complete response and automate incident investigation and remediation.

  • Apply artificial intelligence to rapidly investigate and triage threats.

  • Quickly augment your team with on-demand IR experts. You need existing relationships and rapid access to the people who have the expertise to combat the threat.

After an attack

  • Continually assess and refine IR processes.

  • Continuously tune detection mechanisms based on lessons learned.

  • Perform post-mortem analyses and improve IR processes on an ongoing basis.

Making cyber resilience a reality: The six steps


Cyber resilience is a fundamental component of an organization’s overall security posture. So what constitutes resilience and why is it such a valuable capability? Simply put, cyber resilience is the ability to prevent, detect and respond to cyberattacks while maintaining the core purpose and function of the enterprise. In other words, a cyber-resilient organization is “one that can prevent, detect and recover from a myriad of serious threats against data, applications and IT infrastructure.”¹


Ready to be prepared, responsive and resilient?


Follow these six steps to create a customized, integrated IR strategy that makes the most of orchestration and automation, human and artificial intelligence and case management. By answering the questions and completing the tasks on these checklists, you’ll be on your way to effectively conquering the threats you face both now and in the future.


Step 1

Know your enemy: Understand your threats — both internal and external

External attacks

  • What types of cyberattacks has your organization faced in the past? (Phishing, malware, botnet, ransomware, etc.)
  • What types of threats are known to affect your industry in particular? (For example, healthcare organizations often see more ransomware attacks, and internet infrastructure companies are especially prone to DDoS attacks.)
  • Are you too focused on certain types of threats and/or regulatory concerns (e.g., HIPAA or GDPR) that divert resources away from other vulnerabilities?

Privacy breach considerations

  • What are your privacy obligations, including industry regulations, state/federal data breach laws and contractual agreements?
  • Who needs to be notified, and what channels do you use to communicate the information?
  • What is the time limit for notifications, and are you able to meet this requirement?

Internal priorities

  • What skill sets do your security professionals currently have?
  • Which skills do you need to add most urgently? To uncover gaps, it may be helpful to consider areas such as time to completion on individual tasks and workload balance.


Step 2

Be prepared: Build a standard, documented and repeatable IR plan


  • Do you have a codified IR plan, even if it is less effective than it needs to be at present?
  • Do you lean on informal, ad hoc processes when unforeseen incidents occur?
  • Does your security leadership prioritize incident planning, and do they involve other business units in the development and refinement of these processes?
  • Do you have an established process for reviewing and improving incident playbooks?

Depending on your answers to the questions above, you may benefit from conducting an enterprise-wide workshop to overhaul your incident planning approach and establish the importance of effective IR in the minds of leaders from marketing, HR, legal, IT, customer service and other departments. External third-party entities, like business partners and vendors, can also be a part of the conversation. When all stakeholders truly understand the risks and benefits involved, they’ll be much more likely to contribute in meaningful ways to the building of a standard, documented and repeatable IR plan.

Resources like NIST, SANS and CERT can provide great frameworks for these conversations and plans, but your IR plans will ultimately need to be specific to your organization. A focused workshop can be effective for galvanizing leadership around the IR cause and getting input around their specific areas of expertise.

During an IR planning workshop, teams should work together under the guidance of security leadership to:

  • Walk through specific incident scenarios.
  • Map out specific steps that need to be taken to resolve an incident throughout its lifecycle.
  • Determine roles and responsibilities.
  • Identify the key technologies and channels of communication to be leveraged during a response.
  • Build processes around permissions and escalations.

By the end of these exercises and conversations, your team should have well-considered, repeatable and documented plans that can be centralized, followed by anyone on your team and continually improved over time.



Step 3

Keep improving: Proactively test and improve IR processes


Once you have a documented plan, you’ll need to test it. And test it. And test it again. One of the most effective ways to keep IR capabilities driving forward is running simulations in a dedicated, results-driven manner.

Here are some probing questions that will help you create the meaningful simulations that will prime your team’s response to any threat that emerges:

  • Do you want to practice commonly seen incidents, or prepare for something unexpected? Both types are valid to explore.
  • Are your simulations thoughtful and specific? Do they include important details your analysts will need to search for? Do they force your teams to think critically as opposed to ensuring that they can simply check the required boxes?
  • Are your simulations measurable? Do they have specific goals with trackable metrics, such as time to completion and level of completeness?
  • Are you scheduling repeat simulations to measure improvements and regressions?
  • Do your simulations involve participants from all the relevant groups across the enterprise, such as HR, legal and marketing?
  • As you practice, do these departments feel more confident that they have what they need to respond when incidents arise? Are you giving actionable feedback along the way?
  • Do you have a process and an effective avenue for sharing the results of post-simulation analysis across the organization?


Step 4

Put data to work: Leverage tools, intelligence and data sources


When a cyberattack is underway, you need the ability to make quick, informed decisions and adapt to ever-changing information. Because incidents rarely emerge fully formed, your IR playbooks must be built to adjust as your investigations uncover more details. The most effective incident response platforms (IRPs) offer a central hub of control that integrates with your existing security technologies, pulls intelligence from the right data sources and automatically adjusts your playbooks as you investigate, isolate and remediate.

As you build your intelligent orchestration capability, look for these key components of your IRP:

  • A central hub to process, track and resolve incidents.
  • Seamless integration with security technologies such as SIEM and EDR.
  • Enrichment of indicators of compromise (IOCs) with threat intelligence.
  • Correlation of suspicious events using artifact visualization.
  • Agile playbooks that update automatically as incident information is uncovered.
  • Integration with ticketing systems and other technologies as needed.

What is intelligent orchestration: ask Ted

Intelligent orchestration – the next generation of incident response – is a powerful security capability that uniquely blends human and machine intelligence with orchestration and automation, dramatically accelerating and sharpening organizations’ response to cyberattacks. IBM Resilient's Ted Julian outlines how intelligent orchestration can help organizations outsmart, outpace, and outmaneuver cyberattacks.



Step 5

Get lean: Streamline incident investigation and response


Unfortunately, some incidents go undetected for weeks or months, giving cybercriminals an opportunity to establish a stronghold on a compromised network. The longer the infiltrators maintain access, the more difficult it becomes to isolate and remediate the threat.

One reason for this widespread problem is that many organizations rely on ad hoc processes for investigating even the most common cyber incidents like phishing attacks on employees. Because of the skills gap, organizations that actually have the right tools and technology still struggle to manage the volume of incidents, most of which pose low levels of threat.

Automation streamlines menial, repetitive tasks, which takes them off analysts’ plates so that humans can focus on what humans do best: think critically. With these tasks out of the way, your workforce is freed up to make strategic decisions about potentially catastrophic threats based on severity, context and protocol.

To find the right places to begin implementing automated solutions, the following questions are helpful:

  • Which time-consuming, menial and inefficient tasks take up inordinate amounts of analysts’ time?
  • Which tasks can most safely and reliably be automated?
  • In which areas can you script manual actions while still keeping the necessary human decision-making and approval involved?

Once you pinpoint the initial areas where automation will be most impactful, you can use simulations and analysis to test the waters, make adjustments and then finally flip the switch for full automation in key areas.
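As an added illustration of Steps 4 and 5 (not code from the original ebook or from IBM Resilient), the sketch below models a phishing playbook whose task list grows as enrichment uncovers details, runs only read-only steps unattended, and gates the one remediation with blast radius behind an analyst’s approval. The report text, the threat-intelligence table and the task names are all constructed for the example.

```python
from dataclasses import dataclass, field
import re

# Constructed threat-intelligence table (stand-in for a real feed): IOC -> verdict.
THREAT_INTEL = {
    "login-verify.example.test": "malicious",
    "docs.example.test": "benign",
}

# Read-only or easily reversible tasks the playbook may run with no human in the loop.
AUTO_SAFE = {"extract_iocs", "enrich_iocs", "search_mailboxes"}

# Constructed phishing report, as an analyst might paste it into a case.
SAMPLE_REPORT = ("User reports an email asking to reset a password at "
                 "http://login-verify.example.test/reset; it also links to "
                 "https://docs.example.test/policy")


@dataclass
class Incident:
    summary: str
    artifacts: list = field(default_factory=list)  # {"type", "value", "verdict"}
    tasks: list = field(default_factory=list)      # {"name", "target", "status", "by"}
    blocked: list = field(default_factory=list)    # domains actually blocked
    log: list = field(default_factory=list)


def extract_iocs(incident, task):
    """Pull hostnames out of the report text; the verdict is filled in later."""
    for host in re.findall(r"https?://([\w.-]+)", incident.summary):
        incident.artifacts.append({"type": "hostname", "value": host, "verdict": None})


def enrich_iocs(incident, task):
    """Tag every artifact with the intel verdict; anything not in the feed stays 'unknown'."""
    for art in incident.artifacts:
        art["verdict"] = THREAT_INTEL.get(art["value"], "unknown")


def search_mailboxes(incident, task):
    """Scoping step: a real IRP would query the mail platform for the same URL here."""
    incident.log.append("mailbox search queued for " + task["target"])


def block_domain(incident, task):
    """Remediation with blast radius: only runs after an analyst approves it."""
    incident.blocked.append(task["target"])
    incident.log.append("blocked " + task["target"])


ACTIONS = {
    "extract_iocs": extract_iocs,
    "enrich_iocs": enrich_iocs,
    "search_mailboxes": search_mailboxes,
    "block_domain": block_domain,
}


def new_task(name, target=None):
    return {"name": name, "target": target, "status": "pending", "by": None}


def run_playbook(incident, approver=None):
    """Run a phishing playbook whose task list grows as enrichment uncovers details.

    approver(incident, task) -> bool stands in for the analyst's approval click;
    when it is None, gated tasks are left in 'awaiting_approval' rather than run.
    """
    incident.tasks = [new_task("extract_iocs"), new_task("enrich_iocs")]
    i = 0
    while i < len(incident.tasks):   # tasks may be appended while we iterate
        task = incident.tasks[i]
        if task["name"] in AUTO_SAFE:
            ACTIONS[task["name"]](incident, task)
            task["status"], task["by"] = "done", "automation"
        elif approver is not None and approver(incident, task):
            ACTIONS[task["name"]](incident, task)
            task["status"], task["by"] = "done", "analyst"
        else:
            task["status"] = "awaiting_approval"
        # Dynamic branch: a malicious verdict adds scoping and containment tasks that
        # were not in the initial plan; benign or unknown verdicts add nothing.
        if task["name"] == "enrich_iocs":
            for art in incident.artifacts:
                if art["verdict"] == "malicious":
                    incident.tasks.append(new_task("search_mailboxes", art["value"]))
                    incident.tasks.append(new_task("block_domain", art["value"]))
        i += 1
    return incident


def summarize(incident):
    """Metrics for the case record: how much of the work automation took off the analyst."""
    return {
        "automated": sum(t["by"] == "automation" for t in incident.tasks),
        "human": sum(t["by"] == "analyst" for t in incident.tasks),
        "pending_approval": sum(t["status"] == "awaiting_approval" for t in incident.tasks),
    }


if __name__ == "__main__":
    case = run_playbook(Incident(SAMPLE_REPORT), approver=lambda inc, t: True)
    for t in case.tasks:
        print(t["name"], t["target"], t["status"], t["by"])
    print(summarize(case))
```

Swapping the approver for one that returns False shows the gate working: enrichment and scoping still run unattended, while the block stays queued for a human.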



Step 6

Come together: Orchestrate across people, process and technology


If you’ve completed the previous five steps, you now have the basis for an IR strategy that spans the foundational pillars of people, process and technology. To sum up, here are some key questions to help you stay focused and continue improving your ability to respond to incidents effectively across your enterprise.


People

  • Have you ensured your IR team is well-coordinated and well-trained?
  • Do they have the right skills to address all aspects of an incident’s lifecycle?
  • Do they have the means for collaboration and analysis?

Process

  • Do you have well-defined, repeatable and consistent IR plans in place?
  • Are they easy to update and refine?
  • Are you regularly testing and measuring them?

Technology

  • Does your technology provide valuable insight and intelligence in a directed, actionable manner?
  • Does it enable your team to make smart decisions and quickly act on those decisions?


Case study: How a pharmaceutical leader’s four global security teams work smarter, not harder

Orchestrated incident response: The solution in action


With the growing number of cyberattacks and increasingly complex IT environments, an intelligent incident response plan is more than just a set of instructions; it’s a dynamic foundation built on the alignment of people, process and technology. The result? Faster, smarter and more comprehensive incident response.




The challenge


The story of one IBM Resilient customer illustrates this point. The customer, a global pharmaceutical organization, faced a unique challenge: its four security teams around the world were managing enterprise-wide incidents with different processes. A new corporate policy was implemented to ensure correct handling of incidents by requiring the teams to be on the same system. Their previous response tool was not flexible enough to orchestrate the four teams and meet this request.

Lack of planning and orchestration led to a failed incident response that drew attention to the teams’ disorganization. Each of the four teams responded to a privacy incident simultaneously, and each team gave a different recommendation: restrict permissions so only forensics had access, don’t do anything, pull the site down or delete the files. The responsible party simply followed the first recommendation he received instead of considering each one. This disconnect made everyone else’s job harder and more complicated, and the incident was not resolved efficiently.




The solution


To fix the problem, the security team chose the IBM Resilient Incident Response Platform (IRP) to fully orchestrate their response. With 15 to 30 incidents to manage per day — approximately 5,000 total that year — the four teams were routinely out of sync. The IBM Resilient IRP allowed these security teams to connect the humans in the loop with existing technologies and to create specific playbooks for incidents. Through Resilient, this organization was able to fully orchestrate the response process.







The results


Since implementing the IBM Resilient IRP, the customer has not only gained significant efficiencies when responding to incidents, they’ve also mitigated risks associated with manual user error. Resilient helps cut down on spelling mistakes and other important tactical concerns. The platform also gives their management sharper, more immediate visibility into the response process. The customer has also been able to leverage 10 key security tools that integrate with IBM Resilient, which has further streamlined the overall approach to keeping the organization secure in the face of threats.






All in all, the security team was able to cut a string of processes that once took 85 minutes down to just one or two minutes. Today, with orchestrated incident response, the organization’s security teams continually create synergies from the organization’s collective experience and intelligence.





Intelligent orchestration from IBM Security

Guide your security analysts to a fast, efficient, and accurate response with intelligent orchestration – the next generation of incident response. See how the IBM Resilient Incident Response Platform uniquely provides intelligent orchestration by combining incident response orchestration and automation, AI and human intelligence, and case management.

IBM Security is here to help


IBM Security helps you build an intelligent incident response plan with a unique combination of products and services:


  • IBM Resilient: The industry’s leading orchestration and automation platform
  • IBM QRadar: Advanced security analytics and Watson AI
  • IBM X-Force® Incident Response and Intelligence Services (IRIS): World-class security expertise

The IBM Security approach also integrates with a wide variety of other offerings and platforms, so it’s easy to implement into your existing security ecosystem.


Sources

Table of contents

Today’s SOCs are overburdened

Today’s SOCs are overburdened


Around the world and across all markets and industries, today’s security operations centers (SOCs) are overwhelmed. Numerous factors contribute to this ubiquitous problem, but three main issues form the heart of the problem: the increasing volume of cybersecurity incidents, the widespread shortage of qualified technology professionals and increasing enterprise complexity.

It isn’t just the high-profile data breach scenarios that are cause for alarm, although these attacks are some of the most serious threats that companies face. Malware and phishing attacks, everyday challenges to effective security monitoring and regulatory and compliance considerations are just some of the top concerns that IT and security professionals struggle with.

Every day, modern enterprises must contend with an array of specific cybersecurity challenges:


  • Volume of security alerts and false positives is growing.

  • Analyst time is consumed by reporting and metrics.

  • Cyberattacks are especially complex and targeted.

  • SOCs need to manage dozens of tools across multiple vendors.

  • Incident response is still too manual and reactive.

  • Privacy notification requirements are complex and time-consuming.

What is your biggest incident response challenge?

%

responds incident response processes

%

responds disparate tools

%

responds insufficient budget

%

responds alert volume

Incident response processes

Disparate tools

Insufficient budget

Alert volume

Incident response challenges are a large part of the problem

Incident response challenges are a large part of the problem


77%

Pictogram representing an organization by using a building.

Of organizations don’t have a proper incident response plan¹


57%

Pictogram representing the averge response time to resolve cyber incidents by using a lock and timer.

Of security professionals say the average time to resolve a security incident has increased in the past 12 months¹


42%

Pictogram representing security professionals with a police officer and a warning sign.

Of security professionals say their organizations ignore a significant number of security alerts because they can’t keep up with volume²


1.8M

Pictogram representing cyber security with a document and a lock.

The growing gap between available qualified cybersecurity professionals and unfulfilled positions by 2022³


$3.86M

Pictogram showing a scatter plot and a warning sign to represent data breach.

Average cost of a data breach


Free your business to thrive with orchestration

Free your business to thrive with orchestration


The good news is that as a cybersecurity leader you can start solving these critical issues for your organization today and free your business to thrive both now and for the future. You can empower your security analysts with a comprehensive strategy that puts incident response (IR) processes and tools right at their fingertips when they need it most.

Wavy floating lines across the screen from middle of the page to right edge.

How? By instituting a proactive incident response process that is built on the foundation of people, process and technology, you can enable IT and security teams to:


  • Access the right information quickly and make the best decisions for stopping and remediating the attacks that threaten your business.

  • Leverage automation to keep up with the volume of alerts, increasing the productivity of security analysts and technologies.

  • Bridge the skills gap to conquer the speed and sophistication of modern cyberattacks.

  • Implement dynamic playbooks to manage different threat types with people, process and technology.

The key components of intelligent, orchestrated incident response

Security orchestration is a constantly evolving process, not an out-of-the-box product you can implement one time, flip a switch and never worry about again. However, if you take the time and effort to build your incident response strategy on the following core capabilities, you’ll have a strong foundation for defeating cyberthreats today and tomorrow, with built-in methods for fostering continuous improvement over time.

Pictogram represnting incident response plans with a document and a check box checked.

Key elements of a winning IR plan

  • Orchestration and automation

    – Robust, dynamic incident response playbooks that adapt in real time as incidents unfold.

    – Integration of your security information and event management (SIEM), incident response platform and other security solutions to enable automated incident escalation, enrichment and remediation.

    – Automation of repetitive and time-consuming tasks.

  • Human and artificial intelligence

    – Codified expertise and intelligence from your top security staff and experts across the organization.

    – Advanced threat intelligence and artificial intelligence to enhance incident investigation, unstructured data analysis and threat correlation.

    – Collaboration with external security experts to augment your team for threat intelligence, analysis and investigations.

  • Case management

    – An established system of record for measuring and analyzing incident response processes and performance.

    – Processes for applying learnings to IR plans as needs evolve.

    – Augmentation of your team’s capacity and skillsets with security services.

In which of the three key areas of Intelligent Orchestration do you feel your organization needs to improve the most?

%

responds case management

%

responds orchestration and automation

%

responds human and artificial intelligence

Case management

Orchestration and automation

Human and artificial intelligence

The outcomes of orchestration, automated incident response

The outcomes of orchestration, automated incident response


Equation graphic

Key tactics: Cyberattack readiness checklist

Key tactics: Cyberattack readiness checklist

As you begin the journey toward a more streamlined SOC, you may uncover numerous issues that need addressing at each phase of the cyberattack lifecycle. Before you dive into this guide, here’s a contextual overview of the key capabilities you’ll need to implement as you create a holistic defense strategy.

Before an attack

  • Prepare robust and automated IR workflows spanning people, process and technology.

  • Use human and artificial intelligence to identify threats and anomalies early in the attack cycle.

  • Build the right teams and help those teams develop, prepare and practice IR playbooks.

During an attack

  • Guide security analysts through a fast, complete response and automate incident investigation and remediation.

  • Apply artificial intelligence to rapidly investigate and triage threats.

  • Quickly augment your team with on-demand IR experts. You need existing relationships and rapid access to the people who have the expertise to combat the threat.

After an attack

  • Continually assess and refine IR processes.

  • Continuously tune detection mechanisms based on lessons learned.

  • Perform post-mortem analyses and improve IR processes on an ongoing basis.

Making cyber resilience a reality: The six steps

Making cyber resilience a reality: The six steps


Cyber resilience is a fundamental component of an organization’s overall security posture. So what constitutes resilience and why is it such a valuable capability? Simply put, cyber resilience is the ability to prevent, detect and respond to cyberattacks while maintaining the core purpose and function of the enterprise. In other words, a cyber-resilient organization is “one that can prevent, detect and recover from a myriad of serious threats against data, applications and IT infrastructure.”¹


Ready to be prepared, responsive and resilient?


Follow these six steps to create a customized, integrated IR strategy that makes the most of orchestration and automation, human and artificial intelligence and case management. By answering the questions and completing the tasks on these checklists, you’ll be on your way to effectively conquering the threats you face both now and in the future.

Wavy lines.
Pictogram showing a target cross hairs to outline step one: knowing the threats.

Step 1

Know your enemy: Understand your threats — both internal and external

External attacks

  • What types of cyberattacks has your organization faced in the past? (Phishing, malware, botnet, ransomware, etc.)
  • What types of threats are known to affect your industry in particular? (For example, healthcare organizations often see more ransomware attacks, and internet infrastructure companies are especially prone to DDoS attacks.)
  • Are you too focused on certain types of threats and/or regulatory concerns (e.g., HIPAA or GDPR) which divert resources away from other vulnerabilities?

Privacy breach considerations

  • What are your privacy obligations, including industry regulations, state/federal data breach laws and contractual agreements?
  • Who needs to be notified, and what channels do you use to communicate the information?
  • What is the time limit for notifications, and are you able to meet this requirement?

Internal priorities

  • What skill sets do your security professionals currently have?
  • Which skills do you need to add most urgently? To uncover gaps, it may be helpful to consider areas such as time to completion on individual tasks and workload balance.


Step 2

Be prepared: Build a standard, documented and repeatable IR plan


  • Do you have a codified IR plan, even if it is less effective than it needs to be at present?
  • Do you lean on informal, ad hoc processes when unforeseen incidents occur?
  • Does your security leadership prioritize incident planning, and do they involve other business units in the development and refinement of these processes?
  • Do you have an established process for reviewing and improving incident playbooks?

Depending on your answers to the questions above, you may benefit from conducting an enterprise-wide workshop to overhaul your incident planning approach and establish the importance of effective IR in the minds of leaders from marketing, HR, legal, IT, customer service and other departments. External third-party entities, like business partners and vendors, can also be a part of the conversation. When all stakeholders truly understand the risks and benefits involved, they’ll be much more likely to contribute in meaningful ways to the building of a standard, documented and repeatable IR plan.

Resources like NIST, SANS and CERT can provide great frameworks for these conversations and plans, but your IR plans will ultimately need to be specific to your organization. A focused workshop can be effective for galvanizing leadership around the IR cause and getting input around their specific areas of expertise.

During an IR planning workshop, teams should work together under the guidance of security leadership to:

  • Walk through specific incident scenarios.
  • Map out specific steps that need to be taken to resolve an incident throughout its lifecycle.
  • Determine roles and responsibilities.
  • Identify the key technologies and channels of communication to be leveraged during a response.
  • Build processes around permissions and escalations.

By the end of these exercises and conversations, your team should have well-considered, repeatable and documented plans that can be centralized, followed by anyone on your team and continually improved over time.



Step 3

Keep improving: Proactively test and improve IR processes


Once you have a documented plan, you’ll need to test it. And test it. And test it again. One of the most effective ways to keep IR capabilities driving forward is running simulations in a dedicated, results-driven manner.

Here are some probing questions that will help you create the meaningful simulations that will prime your team’s response to any threat that emerges:

  • Do you want to practice commonly seen incidents, or prepare for something unexpected? Both types are valid to explore.
  • Are your simulations thoughtful and specific? Do they include important details your analysts will need to search for? Do they force your teams to think critically as opposed to ensuring that they can simply check the required boxes?
  • Are your simulations measurable? Do they have specific goals with trackable metrics, such as time to completion and level of completeness?
  • Are you scheduling repeat simulations to measure improvements and regressions?
  • Do your simulations involve participants from all the relevant groups across the enterprise, such as HR, legal and marketing?
  • As you practice, do these departments feel more confident that they have what they need to respond when incidents arise? Are you giving actionable feedback along the way?
  • Do you have a process and an effective avenue for sharing the results of post-simulation analysis across the organization?


Step 4

Put data to work: Leverage tools, intelligence and data sources


When a cyberattack is underway, you need the ability to make quick, informed decisions and adapt to ever-changing information. Because incidents rarely emerge fully formed, your IR playbooks must be built to adjust as your investigations uncover more details. The most effective incident response platforms (IRPs) offer a central hub of control that integrates with your existing security technologies, pulls intelligence from the right data sources and automatically adjusts your playbooks as you investigate, isolate and remediate.

As you build your intelligent orchestration capability, look for these key components of your IRP:

  • A central hub to process, track and resolve incidents.
  • Seamless integration with security technologies such as SIEM and EDR.
  • Enrichment of indicators of compromise (IOCs) with threat intelligence.
  • Correlation of suspicious events using artifact visualization.
  • Agile playbooks that update automatically as incident information is uncovered.
  • Integration with ticketing systems and other technologies as needed.

What is intelligent orchestration: ask Ted

Intelligent orchestration – the next generation of incident response – is a powerful security capability that uniquely blends human and machine intelligence with orchestration and automation, dramatically accelerating and sharpening organizations’ response to cyberattacks. IBM Resilient's Ted Julian outlines how intelligent orchestration can help organizations outsmart, outpace, and outmaneuver cyberattacks.



Step 5

Get lean: Streamline incident investigation and response


Unfortunately, some incidents go undetected for weeks or months, giving cybercriminals an opportunity to establish a stronghold on a compromised network. The longer the infiltrators maintain access, the more difficult it becomes to isolate and remediate the threat.

One reason for this widespread problem is that many organizations rely on ad hoc processes for investigating even the most common cyber incidents like phishing attacks on employees. Because of the skills gap, organizations that actually have the right tools and technology still struggle to manage the volume of incidents, most of which pose low levels of threat.

Automation streamlines menial, repetitive tasks, which takes them off analysts’ plates so that humans can focus on what humans do best: think critically. With these tasks out of the way, your workforce is freed up to make strategic decisions about potentially catastrophic threats based on severity, context and protocol.

To find the right places to begin implementing automated solutions, the following questions are helpful:

  • Which time-consuming, menial and inefficient tasks take up inordinate amounts of analysts’ time?
  • Which tasks can most safely and reliably be automated?
  • In which areas can you script manual actions while still keeping the necessary human decision-making and approval involved?

Once you pinpoint the initial areas where automation will be most impactful, you can use simulations and analysis to test the waters, make adjustments and then finally flip the switch for full automation in key areas.
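A small illustration of the two ideas above (Step 4's playbooks that grow as enrichment findings arrive, and Step 5's automation that keeps human approval in the loop for risky actions), written in Python as an added example and not IBM Resilient code; the threat-intel table, the action names and the `triage_phishing` flow are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed threat-intel table standing in for a real feed (hypothetical values).
THREAT_INTEL = {"203.0.113.7": "malicious", "newly-registered.example": "suspicious"}
# Actions that change production systems: never run without a human sign-off.
APPROVAL_REQUIRED = {"isolate_host", "block_indicator"}

@dataclass
class Task:
    name: str
    target: str
    status: str = "open"  # becomes done, or awaiting_approval for gated actions

@dataclass
class Incident:
    title: str
    iocs: list
    tasks: list = field(default_factory=list)

    def has_task(self, name, target):
        return any(t.name == name and t.target == target for t in self.tasks)

def enrich(iocs):
    """Step 4: attach a verdict from the intel source to each reported IOC."""
    return {ioc: THREAT_INTEL.get(ioc, "unknown") for ioc in iocs}

def adjust_playbook(incident, verdicts):
    """Step 4: grow the playbook as findings arrive; safe to re-run as data changes."""
    for ioc, verdict in verdicts.items():
        if verdict == "malicious" and not incident.has_task("block_indicator", ioc):
            incident.tasks.append(Task("block_indicator", ioc))
            incident.tasks.append(Task("isolate_host", "hosts-contacting:" + ioc))
        elif verdict == "suspicious" and not incident.has_task("collect_evidence", ioc):
            incident.tasks.append(Task("collect_evidence", ioc))
    return incident

def run_automation(incident, approvals):
    """Step 5: menial tasks run automatically; gated ones wait for an analyst."""
    for task in incident.tasks:
        needs_human = task.name in APPROVAL_REQUIRED and (task.name, task.target) not in approvals
        task.status = "awaiting_approval" if needs_human else "done"
    return incident

def triage_phishing(iocs, approvals=frozenset()):
    """Constructed end-to-end flow for a reported phishing email (hypothetical)."""
    incident = Incident("Reported phishing email", list(iocs))
    return run_automation(adjust_playbook(incident, enrich(iocs)), approvals)
```

Re-running `adjust_playbook` with fresh enrichment results adds only tasks that are not already present, which is what lets a playbook adjust as an investigation uncovers more detail without duplicating work.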



Step 6

Come together: Orchestrate across people, process and technology


If you’ve completed the previous five steps, you now have the basis for an IR strategy that spans the foundational pillars of people, process and technology. To sum up, here are some key questions to help you stay focused and continue improving your ability to respond to incidents effectively across your enterprise.


People

  • Have you ensured your IR team is well-coordinated and well-trained?
  • Do they have the right skills to address all aspects of an incident’s lifecycle?
  • Do they have the means for collaboration and analysis?

Process

  • Do you have well-defined, repeatable and consistent IR plans in place?
  • Are they easy to update and refine?
  • Are you regularly testing and measuring them?

Technology

  • Does your technology provide valuable insight and intelligence in a directed, actionable manner?
  • Does it enable your team to make smart decisions and quickly act on those decisions?

What is your biggest barrier to orchestrating incident response today?

  • Lack of human resources
  • Lack of preparation
  • Insufficient technologies
  • Lack of leadership

Orchestrated incident response: The solution in action

Case study:

How a pharmaceutical leader’s four global security teams work smarter, not harder



With the growing number of cyberattacks and increasingly complex IT environments, an intelligent incident response plan is more than just a set of instructions; it’s a dynamic foundation built on the alignment of people, process and technology. The result? Faster, smarter and more comprehensive incident response.




The challenge


The story of one IBM Resilient customer illustrates this point. The customer, a global pharmaceutical organization, faced a unique challenge: its four security teams around the world were managing enterprise-wide incidents with different processes. A new corporate policy was implemented to ensure correct handling of incidents by requiring the teams to be on the same system. Their previous response tool was not flexible enough to orchestrate the four teams and meet this request.

Lack of planning and orchestration led to a failed incident response that drew attention to the teams’ disorganization. Each of the four teams responded to a privacy incident simultaneously, and each team gave a different recommendation: restrict permissions so that only forensics had access, do nothing, pull the site down, or delete the files. The responsible party simply followed the first recommendation he received instead of considering each one. This disconnect made everyone else’s job harder and more complicated, and the incident was not resolved efficiently.




The solution


To fix the problem, the security team chose the IBM Resilient Incident Response Platform (IRP) to fully orchestrate their response. With 15 to 30 incidents to manage per day — approximately 5,000 total that year — the four teams were routinely out of sync. The IBM Resilient IRP allowed these security teams to connect the humans in the loop with existing technologies and to create specific playbooks for incidents. Through Resilient, this organization was able to fully orchestrate the response process.



Orchestrated response to 15-30 incidents per day, 5,000 incidents per year




The results


Since implementing the IBM Resilient IRP, the customer has not only gained significant efficiencies when responding to incidents, it has also mitigated the risks associated with manual user error. Resilient helps cut down on spelling mistakes and other tactical concerns that matter during a response. The platform also gives management sharper, more immediate visibility into the response process. The customer has also been able to leverage 10 key security tools that integrate with IBM Resilient, which has further streamlined the overall approach to keeping the organization secure in the face of threats.



10 key security tools integrated into the IR platform



All in all, the security team was able to cut a string of processes that once took 85 minutes down to just one or two minutes. Today, with orchestrated incident response, the organization’s security teams continually create synergies from the organization’s collective experience and intelligence.



85-minute response time reduced to 1-2 minutes


Intelligent orchestration from IBM Security

Guide your security analysts to a fast, efficient, and accurate response with intelligent orchestration – the next generation of incident response. See how the IBM Resilient Incident Response Platform uniquely provides intelligent orchestration by combining incident response orchestration and automation, AI and human intelligence, and case management.

IBM Security is here to help



IBM Security helps you build an intelligent incident response plan with a unique combination of products and services:


  • IBM Resilient: The industry’s leading orchestration and automation platform
  • IBM QRadar: Advanced security analytics and Watson AI
  • IBM X-Force® Incident Response and Intelligence Services (IRIS): World-class security expertise

The IBM Security approach also integrates with a wide variety of offerings and platforms, so it’s easy to implement within your existing security ecosystem.


Next steps



Orchestrate incident response Solution Brief

Explore IBM Security products and services.


Start your transformation

Discover how to manage incident response with an orchestrated approach.


Download the ebook

Save and share this document with colleagues.