May 1, 2018 By Vinay Anand 4 min read

Cyberattacks are growing more frequent, sophisticated and damaging, and organizations have invested hundreds of billions of dollars into arming themselves to fight back. This has led to new challenges, since today’s complex security environments and processes — or lack thereof — often hinder timely and effective response to attacks.

Today, the average organization deploys 75 security tools in its network. A 2016 study from the Ponemon Institute found that the "complexity of business and IT processes" was among the top barriers to developing resilience to cyberattacks. With skilled security personnel in limited supply, organizations cannot afford to limit the effectiveness of their existing team.

READ THE WHITE PAPER: BATTLING COMPLEX CYBERATTACKS WITH THE NEXT GENERATION OF INCIDENT RESPONSE AND SECURITY OPERATIONS

We have seen the impact of these challenges with many recent high-profile data breaches. The initial attack is almost always detected by one or more of the dozens of security products deployed. In most cases, however, there are no mechanisms for prioritizing, channeling and triaging alerts, opening an incident response (IR) playbook and addressing the issue in near real time. Attack detection is not always the only challenge — taking action and closing the loop is where we fail more often.

This is why IBM Security recently introduced the next generation of incident response, Intelligent Orchestration, with the latest IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform.

Simplifying the Complex With Intelligent Orchestration

Intelligent Orchestration takes a complex and disparate environment of products and processes and weaves them together into a robust system that guides analysts to a fast and effective resolution. It works by combining human expertise with machine-based intelligence. The insight of internal experts, such as veteran analysts and privacy, HR and legal professionals, is captured and codified into IR playbooks, and security technologies provide analysts with the incident context needed to understand the threat and resolve it. By aligning human and machine intelligence, security analysts can get the right information exactly when they need it.

For example, when a security solution, such as a security information and event management (SIEM) or endpoint detection and response (EDR) tool, detects suspicious activity, the alert and relevant artifacts are escalated into the IR platform, which opens a playbook for that specific incident type. The playbook prescribes the exact steps analysts should follow to investigate and resolve the incident.

More importantly, many of these steps, such as threat intelligence lookups, SIEM queries and Active Directory checks, can be fully automated so that the analyst has more incident context on hand at the onset of the investigation. If the analyst needs to perform other tasks, such as obtaining a forensic image or directing the IT team to reimage a machine via a help desk ticket, orchestration enables him or her to do so with the click of a button.
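The escalation-to-playbook flow described in the two paragraphs above, as an added example that is not IBM Resilient's code or any product API: an EDR-style alert is escalated into an incident, the playbook for its incident type runs the automated enrichment steps (threat intelligence lookup, SIEM query, Active Directory group check), and a triage step turns the gathered context into the actions the analyst would otherwise trigger by hand (forensic image, help desk reimage ticket, SIEM watchlist). The threat-intel feed, directory snapshot, SIEM rows, host names and indicators are all constructed stand-ins, not real integrations or real data.

```python
"""Playbook-driven incident response: an alert is escalated into the IR
platform, the playbook for its incident type runs its automated enrichment
steps, and the remaining analyst actions are queued as one-click tasks."""
from dataclasses import dataclass, field

# Constructed stand-ins for the integrations a real platform would call.
# None of these indicators, hosts or accounts are real.
THREAT_INTEL = {                      # indicator -> verdict (hypothetical feed)
    "203.0.113.45": "malicious",
    "198.51.100.7": "benign",
    "e3b0c44298fc1c149afbf4c8996fb924": "malicious",
}
DIRECTORY = {                         # account -> groups (hypothetical AD/LDAP)
    "jsmith": ["Domain Users"],
    "svc-backup": ["Domain Users", "Domain Admins"],
}
SIEM_EVENTS = [                       # constructed SIEM rows
    {"host": "WS-0412", "dst_ip": "203.0.113.45", "user": "jsmith"},
    {"host": "WS-0412", "dst_ip": "198.51.100.7", "user": "jsmith"},
    {"host": "SRV-DB01", "dst_ip": "203.0.113.45", "user": "svc-backup"},
]


@dataclass
class Incident:
    incident_type: str
    artifacts: dict               # what the SIEM/EDR escalated: host, ip, hash, user
    context: dict = field(default_factory=dict)   # filled in by enrichment steps
    actions: list = field(default_factory=list)   # queued for the analyst / IT


# --- Automated enrichment steps: run before the analyst opens the case -------
def threat_intel_lookup(inc: Incident) -> None:
    """Verdict for every IP and hash artifact; unknown indicators stay 'unknown'."""
    indicators = [inc.artifacts[k] for k in ("ip", "hash") if k in inc.artifacts]
    inc.context["threat_intel"] = {i: THREAT_INTEL.get(i, "unknown") for i in indicators}


def siem_query(inc: Incident) -> None:
    """Other hosts that talked to the same destination IP (lateral-movement hint)."""
    ip, host = inc.artifacts.get("ip"), inc.artifacts.get("host")
    inc.context["related_hosts"] = sorted(
        {e["host"] for e in SIEM_EVENTS if e["dst_ip"] == ip and e["host"] != host})


def ad_check(inc: Incident) -> None:
    """Is the account involved a member of a privileged group?"""
    groups = DIRECTORY.get(inc.artifacts.get("user", ""), [])
    inc.context["privileged_user"] = "Domain Admins" in groups


# --- Decision step: turn the gathered context into prescribed actions --------
def triage(inc: Incident) -> None:
    ctx = inc.context
    malicious = "malicious" in ctx["threat_intel"].values()
    if malicious:
        host = inc.artifacts.get("host", "unknown-host")
        inc.actions.append(("acquire_forensic_image", host))   # one-click task
        inc.actions.append(("helpdesk_ticket", f"reimage {host}"))
        for other in ctx["related_hosts"]:
            inc.actions.append(("siem_watchlist", other))
        if ctx["privileged_user"]:
            inc.actions.append(("helpdesk_ticket",
                                f"reset credentials for {inc.artifacts['user']}"))
    spread = ctx["privileged_user"] or bool(ctx["related_hosts"])
    ctx["severity"] = "high" if malicious and spread else "medium" if malicious else "low"


PLAYBOOKS = {                         # incident type -> ordered steps
    "malware": [threat_intel_lookup, siem_query, ad_check, triage],
}


def run_playbook(alert: dict) -> Incident:
    """Escalate an alert into an Incident and run its playbook end to end."""
    steps = PLAYBOOKS.get(alert["type"])
    if steps is None:
        raise ValueError(f"no playbook for incident type {alert['type']!r}")
    inc = Incident(alert["type"], dict(alert["artifacts"]))
    for step in steps:
        step(inc)
    return inc


if __name__ == "__main__":
    edr_alert = {"type": "malware", "artifacts": {
        "host": "WS-0412", "ip": "203.0.113.45",
        "hash": "e3b0c44298fc1c149afbf4c8996fb924", "user": "jsmith"}}
    inc = run_playbook(edr_alert)
    print(inc.context["severity"], inc.actions)
```

The point of the structure is that everything up to `triage` runs with no analyst involvement, so the case opens with the verdicts, the related hosts and the account's privilege level already attached; the actions list is what the analyst then approves or fires with a click. An alert type with no playbook fails loudly rather than silently dropping the case.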

Without these capabilities, responding to an incident could consume several hours or, worse, several days. But Intelligent Orchestration guides analysts through the process step by step, provides intelligence and streamlines their actions through automation and orchestration, often reducing response times to mere minutes. In fact, some IBM Resilient customers have reported reductions in mean time to resolution of more than 99 percent.

The core value of Intelligent Orchestration is its simplicity and flexibility. Our customers have told us for quite some time that they desire a single platform that provides full visibility across all their systems. They have long sought to automate or streamline workflows, but they had to rely on disparate or open source tools that demand high degrees of investment in custom scripting and integration. This results in complicated, rigid solutions that require constant management and don’t easily adapt to changing conditions. Intelligent Orchestration solves these challenges through its powerful enterprise-class integrations and ease of use. Within minutes, a security team can download an integration and create or customize a playbook with a visual drag-and-drop editor and start to close the gap between detection and response.

Combining Human and Artificial Intelligence

Intelligent Orchestration is built on an open framework. It allows organizations to integrate with a growing number of vendors across the industry and with custom-built tools. It incorporates their existing security investments — SIEM, EDR, threat intelligence, forensics, Lightweight Directory Access Protocol (LDAP), ticketing and much more — into the IR process. In addition to delivering intelligence to analysts, it also increases the analysts’ visibility into these tools and their overall return on investment (ROI).

What’s most exciting, however, is that Intelligent Orchestration is built to integrate with artificial intelligence (AI) in the near future. IBM Security has made deep investments in AI with Watson for Cyber Security, which reinforces analysts’ capabilities by providing massive amounts of contextual security intelligence. By integrating Watson for Cyber Security into Intelligent Orchestration, analysts will have a digital assistant that can instantly provide deep incident insight and context, helping them understand incidents faster than ever before and saving valuable time. It will also be able to provide feedback on IR processes, playbooks and automations, enabling teams to continuously fine-tune their IR function and security operations.

Today, Intelligent Orchestration integrates and maximizes the impact of the human and technological intelligence that exists within organizations. AI will increase this impact to a completely new level.

I look forward to learning from your experiences with orchestration and understanding how Intelligent Orchestration can move the needle for your IR teams, help reduce the gap between detection and response, and integrate with your current investments in security.
