3 Keys to Building a Scalable Incident Response Automation and Orchestration Plan

December 14, 2018
| |
3 min read

Incident response (IR) automation and orchestration is crucial to operationalizing cybersecurity, giving overburdened security professionals relief by streamlining processes, maximizing the efficiency of their resources and increasing their organization’s overall security posture. As the volume of security alerts skyrockets and the skills gap widens, security teams are rapidly implementing IR automation and orchestration technologies to keep up: Nearly 85 percent of businesses have adopted or are currently adopting these solutions, according to Enterprise Strategy Group.

Craft a Robust Incident Response Plan That Works for You

Despite this growth, successfully implementing automation and orchestration isn’t as simple as deploying technology. Security teams need to start with a robust IR plan; if you’re going to streamline processes, you first need to define what those processes are.

The playbook — the exact tasks and actions your organization will take in response to various incident types — is the heart of the IR plan. Whether your organization is building an IR program from scratch or implementing advanced orchestration tools, your documented IR processes are the foundation. And with a few key considerations, your team can build IR playbooks that continue to pay dividends long into the future.

Here are three keys to building a robust, consistent incident response plan:

1. Build Your Initial Playbook Around Manual Actions

A good incident response playbook should be functional regardless of the efficiency afforded by external technologies. Focus on capturing and documenting the full extent of tasks analysts may need to perform during the IR process, and plan for future orchestration and automation that will aid and assist human analysts’ decisions and actions during an incident.

While creating these manual tasks, make them action-oriented and include a measured purpose and outcome for each. Give the analyst the “why” when you can, and make the task instructions as descriptive and detailed as possible. Doing so will allow for easy verification and validation and enable processes to be transferable up and down the team. You’ll also end up creating training opportunities and allowing for smooth internal and external audits.

2. Enable Continual Process Assessment and Refinement

Incident response is a process of continual improvement, and IR playbooks should enable maintenance and growth — such as the replacement or removal of certain tasks based on learnings from simulations and real-world experience.

Consider how your playbooks are stored, referenced and maintained. No matter the format — paper, electronic, tribal knowledge — updating and disseminating IR playbooks can be challenging. A centralized and secured platform, such as an internal wiki or document share, can enable better collaborative management, whereas an IR platform enables seamless collaboration before, during and after an incident.

A feedback loop, also known as a post-incident analysis process or an after-action review (AAR), is critical to the success and continual improvement of the organization’s response time and operational effectiveness. Additionally, to orchestrate and automate certain user tasks and actions to streamline response, you’ll need tried-and-true metrics to understand which of those processes should be automated and the ability to measure the impact and return on investment (ROI) of that automation. We’ll outline examples of these metrics in a future blog post.

3. Design Your Playbooks to Be Iterative and Scalable

As your incident response program grows, you’ll want the ability to quickly develop new playbooks for additional incident types or scenarios to both account for changes in the threat landscape and to change the scope of existing playbooks.

Try to identify common processes and tasks to group into modules and share across your playbooks, allowing for greater flexibility of their application and maintenance. Of course, where applicable, create and maintain the very specific and detailed work effort related to a discrete process. As there are changes in technologies, skills, requirements and resources, you can quickly adapt your now modular processes to account for them without the need to make finite edits to multiples of unrelated and potentially duplicate tasks.

Reuse these common tasks and modular processes to avoid the cumbersome and inefficient effort of developing new playbooks from scratch.

Build Today for Future Success

A robust, documented incident response plan is the foundation of a successful automation and orchestration program. By focusing on the right details today and enabling agility and growth, your solid and scalable IR playbooks will deliver benefits for years.

Six Steps for Building a Robust Incident Response Function

Brenden Glynn
Incident Response Business Consultant, IBM Resilient

Brenden Glynn is a cybersecurity incident response expert. As an Incident Response Business Consultant at IBM Resilient, he provides hands-on incident respon...
read more