Security incident response (IR) can make or break an organization. Despite the importance of a robust and responsive IR plan, a recent Enterprise Strategy Group (ESG) survey found that 98 percent of IT security professionals consider incident response to be a “challenge,” while 71 percent think it has become more difficult over the past two years.

Even the federal government is looking for help drafting its response strategy. As noted by CSO Online, the Department of Homeland Security (DHS) recently released the first draft of its National Cyber Incident Response Plan (NCIRP) and is soliciting feedback. With IT departments already stretched thin and new security professionals difficult to find, many companies are looking for ways to streamline incident response by leveraging both orchestration and automation tools. Is this the future of agile IR?

Shifting Priorities

According to the ESG survey, companies are struggling with security incident response. So what’s the trouble?

Help Net Security noted that 91 percent of IT pros point to the time and effort required to conduct manual security processes, which, in turn, limit the efficiency and effectiveness of IR strategies. The same percentage of respondents also indicated a desire to increase staff numbers, but the emerging security skills gap makes this a challenge.

Companies have doubled down on automation and orchestration as a way to help take the burden off existing IT professionals and improve the IR process. According to the ESG study, 62 percent of organizations have already taken action to implement automation and orchestration into processes, while 23 percent are currently engaged in such a project and 12 percent plan to implement one in the next 18 months. Just 3 percent described orchestration and automation as future concerns.

The New Security Incident Response

So what does an automated, orchestrated IR plan look like? It starts with intelligent tools able to identify, investigate and classify alerts. As noted by Dark Reading, it’s simply impossible for IT pros to investigate tens of thousands of security alerts every month. Instead, automated solutions that can parse the noise and deliver actionable security signals go a long way toward improving IR.

There’s also a need for better integration with SIEM tools, which can help companies develop actionable — and, more importantly, testable — response plans that can adapt to meet changing needs.

This ties into the need for better orchestration, since meeting response challenges demands more than a general outline of what needs to happen if critical systems go down or key endpoints are compromised. Orchestration helps to create a kind of IR synchronicity, where each section of the response team has a clearly defined set of goals and outcomes.

As a result, instead of sound and fury when an incident occurs, companies can move smoothly through established procedures to deal with the most immediate threats and then transition to more long-term remediation.

An Outside Link

It’s also worth considering the value of a third-party provider to help orchestrate security incident response. With many companies now lacking critical security skills, it’s possible to tap specific security services on demand, allowing local IT to focus on physical hardware or other critical systems on-site. Third parties also provide the benefit of an outside link — all you need is a reliable connection for off-site partners to do their work, even if local stacks fail.

Companies are struggling with incident response. It’s no surprise — with alerts on the rise, security professionals in short supply and manual processes taking up too much time, IR plans are often more hopeful than helpful. By implementing automated and orchestrated solutions, however, it’s possible to get IR back on track and significantly improve both response and recovery times.