Building Your Incident Response Platform Hub

August 22, 2016

Having an incident response (IR) team in place is essential in today’s cyberthreat landscape. Data from a 2017 Ponemon Institute and IBM Security study showed that IR teams are the best weapon for mitigating the rising costs of cyberattacks, as teams reduced costs by $16 per record in the event of a breach.

Your IR team, however, is just one piece of the puzzle. An incident response platform (IRP) can transform your security posture. But to build a central hub for your response team, you need integrated technologies to escalate, enrich and ultimately remediate cybersecurity incidents.

As a security leader, you must put your team in the best position to succeed. This means providing them with the tools and technologies they need to do their job as quickly, accurately and effectively as possible.

How to Build a Hub for Your Incident Response Platform

Some of the most sophisticated response teams in the world integrate more than 30 security solutions on average with their IRP. Explore the tools these teams most commonly enlist for IR in their security operations centers (SOCs):

1. Escalation

A security information and event management (SIEM) solution is the most common complement to an IRP. A SIEM and IRP integration is a powerful component of any security program. By making security alerts actionable and providing critical incident context, a SIEM and IRP connection bridges the gap between detection and response. It also helps minimize time to resolution.

Ticketing systems, while not sufficient for managing IR processes, can still play a key role in IR. Many teams rely on ticketing systems to surface potential incidents into their IRP or to enlist the assistance of the IT organization. And when a ticketing system is integrated with an IRP, tickets are updated and closed as IR tasks are completed, which keeps all stakeholders in the loop.

2. Enrichment

Security teams have a wealth of security data at their fingertips, but often struggle to separate signal from noise. Integrating data sources with an IRP dramatically accelerates the IR process and makes it easier to pinpoint meaningful insights.

Many teams turn to threat intel feeds to add context to incidents, including built-in feeds like IBM X-Force, Symantec DeepSight and Recorded Future. Depending on the incident you’re dealing with, many other tools, such as firewalls, directories and vulnerability management solutions, can tell you more about the scope of the incident.

By integrating these data-generating tools with an IRP, you can begin to orchestrate and automate enrichment processes, reducing investigation time and enabling a rapid, decisive response.

3. Remediation

In addition to escalating incidents, a ticketing system can also help close them out by directing the IT team to take remedial steps, such as disabling compromised accounts or quarantining and reimaging infected machines. Depending on your organization’s infrastructure, other tools like case management, forensics or directory management solutions can help enlist the IT team in shutting down cyber threats quickly and effectively.


Allen Rogers
Executive Software Development Management, IBM Security
Allen Rogers is a contributor for SecurityIntelligence.