December 14, 2018 By Brenden Glynn 3 min read

Incident response (IR) automation and orchestration is crucial to operationalizing cybersecurity, giving overburdened security professionals relief by streamlining processes, maximizing the efficiency of their resources and increasing their organization’s overall security posture. As the volume of security alerts skyrockets and the skills gap widens, security teams are rapidly implementing IR automation and orchestration technologies to keep up: Nearly 85 percent of businesses have adopted or are currently adopting these solutions, according to Enterprise Strategy Group.

Craft a Robust Incident Response Plan That Works for You

Despite this growth, successfully implementing automation and orchestration isn’t as simple as deploying technology. Security teams need to start with a robust IR plan; if you’re going to streamline processes, you first need to define what those processes are.

The playbook — the exact tasks and actions your organization will take in response to various incident types — is the heart of the IR plan. Whether your organization is building an IR program from scratch or implementing advanced orchestration tools, your documented IR processes are the foundation. And with a few key considerations, your team can build IR playbooks that continue to pay dividends long into the future.

Here are three keys to building a robust, consistent incident response plan:

1. Build Your Initial Playbook Around Manual Actions

A good incident response playbook should be functional regardless of the efficiency afforded by external technologies. Focus on capturing and documenting the full extent of tasks analysts may need to perform during the IR process, and plan for future orchestration and automation that will aid and assist human analysts’ decisions and actions during an incident.

While creating these manual tasks, make them action-oriented and include a measured purpose and outcome for each. Give the analyst the “why” when you can, and make the task instructions as descriptive and detailed as possible. Doing so will allow for easy verification and validation and enable processes to be transferable up and down the team. You’ll also end up creating training opportunities and allowing for smooth internal and external audits.

2. Enable Continual Process Assessment and Refinement

Incident response is a process of continual improvement, and IR playbooks should enable maintenance and growth — such as the replacement or removal of certain tasks based on learnings from simulations and real-world experience.

Consider how your playbooks are stored, referenced and maintained. No matter the format — paper, electronic, tribal knowledge — updating and disseminating IR playbooks can be challenging. A centralized and secured platform, such as an internal wiki or document share, can enable better collaborative management, whereas an IR platform enables seamless collaboration before, during and after an incident.

A feedback loop, also known as a post-incident analysis process or an after-action review (AAR), is critical to the success and continual improvement of the organization’s response time and operational effectiveness. Additionally, to orchestrate and automate certain user tasks and actions to streamline response, you’ll need tried-and-true metrics to understand which of those processes should be automated and the ability to measure the impact and return on investment (ROI) of that automation. We’ll outline examples of these metrics in a future blog post.

3. Design Your Playbooks to Be Iterative and Scalable

As your incident response program grows, you’ll want the ability to quickly develop new playbooks for additional incident types or scenarios to both account for changes in the threat landscape and to change the scope of existing playbooks.

Try to identify common processes and tasks to group into modules and share across your playbooks, allowing for greater flexibility of their application and maintenance. Of course, where applicable, create and maintain the very specific and detailed work effort related to a discrete process. As there are changes in technologies, skills, requirements and resources, you can quickly adapt your now modular processes to account for them without the need to make finite edits to multiples of unrelated and potentially duplicate tasks.

Reuse these common tasks and modular processes to avoid the cumbersome and inefficient effort of developing new playbooks from scratch.

Build Today for Future Success

A robust, documented incident response plan is the foundation of a successful automation and orchestration program. By focusing on the right details today and enabling agility and growth, your solid and scalable IR playbooks will deliver benefits for years.

Six Steps for Building a Robust Incident Response Function

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today