Implementing Incident Response Automation, the Right Way

Many cyber incidents take place every day, and only those that are reported make the headlines. Security breaches and outages hurt employee productivity and create negative perceptions among customers, and they also hold back the organization's growth through financial and reputational loss. Organizations must find better strategies to combat increasingly sophisticated threats. Security teams at larger organizations are often too overburdened to plan the defense of large attack surfaces spanning applications, cloud data, and mobile endpoints. With so many security measures already in place, there is little room to introduce yet more new strategies; instead, we must make sure the strategies we already have are executed as well as possible.

Another challenge organizations face is recovering the business after an attack. Having an incident response (IR) plan is essential for any organization. IR comprises the processes of investigating, containing, and recovering from a cyberattack, and of preparing the system against further advanced attacks and persistent threats. Security incidents occur without prior notice, so a well-structured IR plan helps the team triage the incident efficiently. When security teams are distracted by more alerts than they can prioritize and investigate, they often cannot respond without an effective IR plan. Only when security tools are standardized, centralized, and automated within a planned strategy can analysts respond to incidents quickly and effectively.

Introducing automation to handle security incidents as they arise helps restore services faster and reduces human error, because automation shrinks the time spent on containment and limits the further damage that human negligence can cause. Automation requires planning: the activities it triggers must be defined according to their impact on the business, both before and after containment.

Here are five ways to introduce automation in the right way: 

  1. Automate Filter Notifications

Irrelevant information and notifications from around the organization that do not apply to the team should not be forwarded to them. Applying filters separates such notifications from the haystack of routine noise and makes the remaining alerts truly actionable. Rather than overloading the team with information, this reduces alert fatigue. To automate filtering in the notification process, integrate a solution with the service desk, collaboration apps, chat tools, and so on, so that contextual information can be shared immediately.

  2. Define the IR Automation Process

When working a major IR process, the initial step is to establish coordination and execute the strategy; the planning of the process flow should already be defined in the IR procedure. Identify a key support team to begin executing the IR plan immediately. This also involves delegating responsibilities based on each team member's competence so that they can resolve the assigned issues the right way, and looping in stakeholders for regular updates. While delegating work remains a human decision, the flow of information from monitoring tools to team members can be automated. Information for the incident resolvers should be routed via the service desk. A single document that serves as the comprehensive source of truth can also be prepared and kept accessible to everyone.

  3. Be Aware of the Time Taken to Contain a Breach

What is the containment time, and how is it measured? Is it based on the total time the team is engaged, or on the time during which the business is actually impacted? If you think containment time is the team's engagement time, think again. For an IR manager, the goal is to minimize the impact, not simply to impress management with convincing reports. Containment time must be based on the actions incident responders take to bring the threat into a contained state, measured from when the incident began. Measuring it can be automated by providing complete visibility into the applications with a clock dated back to the start of the incident. At the same time, preserve an in-depth record of your resolution activities and communications, which can be used for audit purposes at a later stage.

  4. Updating Stakeholders

How the IR plan is being executed, how successful it is, the challenges IR is facing, and the preventive measures planned are some of the updates stakeholders will expect during the IR process. This doesn't mean they want updates prioritized over the IR work itself, but it is important that incident handlers send a summary of the service status even after everything is fixed. While the communication task can be assigned to a desk whose responsibility is to monitor and share updates, the best practice is to automate the communication channel by creating a self-service status page. Building slash commands in the chat tool to update that page can make communication faster with zero disturbance to the responders.

  5. Automate Record Keeping

IR does not end with the restoration of services; many critical activities remain to be performed afterwards. A diagnostic report, a root-cause analysis, an audit of the major incident, and the preventive measures to avoid future incidents are all drafted after services are restored. If a similar incident recurs, a predefined procedure describing which data are needed and the steps involved in resolution can be applied immediately. A handy checklist helps the team focus on containment rather than worrying about basic requirements. Automation can preserve resolution activities and capture chat transcripts of the incident handling process for analysis. Similarly, a catalog of familiar incidents with recorded best practices can be prepared to speed up the IR process in the future.
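As an added illustration of points 3 and 5 above (example code, not part of the original article), the record below keeps an append-only timeline of an incident and computes containment time from the incident's own start rather than from when responders engaged. The event names and the sample timeline are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class IncidentRecord:
    """Append-only audit trail of one incident: (timestamp, actor, event)."""
    incident_id: str
    events: list = field(default_factory=list)

    def log(self, ts: datetime, actor: str, event: str) -> None:
        # Append only: entries are never edited or removed, so the trail is auditable.
        self.events.append((ts, actor, event))

    def first(self, event: str) -> datetime:
        # Earliest occurrence of a named event in the timeline.
        return min(ts for ts, _, e in self.events if e == event)

    def containment_time(self) -> timedelta:
        # Clock dated back to when the incident actually began (business impact).
        return self.first("contained") - self.first("incident_start")

    def engagement_time(self) -> timedelta:
        # Time the team spent engaged; the misleading metric the article warns about.
        return self.first("contained") - self.first("responder_engaged")

    def audit_trail(self) -> list:
        # Chronological, human-readable record for the post-incident review.
        return [f"{ts.isoformat()} {actor}: {event}" for ts, actor, event in sorted(self.events)]


def sample_incident() -> IncidentRecord:
    # Constructed timeline: the breach began hours before anyone was paged.
    rec = IncidentRecord("INC-EXAMPLE-001")  # placeholder id
    rec.log(datetime(2024, 1, 10, 2, 0), "siem", "incident_start")
    rec.log(datetime(2024, 1, 10, 9, 30), "siem", "detected")
    rec.log(datetime(2024, 1, 10, 9, 45), "analyst-a", "responder_engaged")
    rec.log(datetime(2024, 1, 10, 10, 20), "analyst-a", "host_isolated")
    rec.log(datetime(2024, 1, 10, 11, 15), "analyst-b", "contained")
    return rec


if __name__ == "__main__":
    rec = sample_incident()
    print("containment time:", rec.containment_time())  # 9:15:00
    print("engagement time:", rec.engagement_time())    # 1:30:00
    print("\n".join(rec.audit_trail()))
```

The two figures differ by more than seven hours on this timeline, which is exactly the gap a report based on engagement time would hide.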

Security Orchestration and Automation Response 

Security orchestration is often used interchangeably with IR automation, but it is a distinct subject that builds on automation. Gartner introduced the term Security Orchestration and Automation Response (SOAR) in 2017 to complement the other emerging platforms that assist IR [1]. SOAR stands for streamlining people, processes, and technology in a way that strengthens the organization's information security. Security orchestration empowers IR automation by interweaving security practices, connecting security tools, and balancing human intervention with machine automation. It enables security professionals to carry out security operations and IR effectively and efficiently.

Conclusion—Automate Smarter 

More automation is not the objective of IR, and it shouldn't be. When automating the IR process, it is crucial to understand when, where, and how to connect the tools so that the process becomes simpler. Adding unnecessary complexity demands more effort and time, thus delaying containment. The IR process should simplify operations so that issues can be fixed efficiently. Automation should aim to minimize the overall impact on the business, not to add automation for its own sake.

Do you want to play the role of incident handler and make a significant contribution to an organization's IR process? If this excites you, check out EC-Council's program, E|CIH.

EC-Council Certified Incident Handler is a credential that concentrates on handling and responding to major critical threats to an information system. The program has recently been upgraded with the latest incident handling tools and procedures to enable students to keep pace with the industry. For more details about the E|CIH, visit our webpage: https://www.eccouncil.org/programs/ec-council-certified-incident-handler-ecih/

References

[1] https://www.securityweek.com/evolution-soar-platforms

Editor's Note:
Reviewed by Don Cox, Chief Information Security Officer at MEDNAX and DaMon Ross, SVP, Head of Cybersecurity at SunTrust