May 1, 2018 | By Vinay Anand

Cyberattacks are growing more frequent, sophisticated and damaging, and organizations have invested hundreds of billions of dollars into arming themselves to fight back. This has led to new challenges, since today’s complex security environments and processes — or lack thereof — often hinder timely and effective response to attacks.

Today, the average organization deploys 75 security tools in its network. A 2016 study from the Ponemon Institute found that complexity of business processes and complexity of IT processes were two of the top barriers to developing resilience to cyberattacks. With skilled security personnel in limited supply, organizations cannot afford to limit the effectiveness of their existing team.

We have seen the impact of these challenges with many recent high-profile data breaches. The initial attack is almost always detected by one or more of the dozens of security products deployed. In most cases, however, there are no mechanisms for prioritizing, channeling and triaging alerts, opening an incident response (IR) playbook and addressing the issue in near real time. Attack detection is not always the only challenge — taking action and closing the loop is where we fail more often.

This is why IBM Security recently introduced the next generation of incident response, Intelligent Orchestration, with the latest IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform.

Simplifying the Complex With Intelligent Orchestration

Intelligent Orchestration takes a complex and disparate environment of products and processes and weaves them together into a robust system that guides analysts to a fast and effective resolution. It works by combining human expertise with machine-based intelligence. The insight of internal experts, such as veteran analysts and privacy, HR and legal professionals, is captured and codified into IR playbooks, and security technologies provide analysts with the incident context needed to understand the threat and resolve it. By aligning human and machine intelligence, security analysts can get the right information exactly when they need it.

For example, when a security solution, such as a security information and event management (SIEM) or endpoint detection and response (EDR) tool, detects suspicious activity, the alert and relevant artifacts are escalated into the IR platform, which opens a playbook for that specific incident type. The playbook prescribes the exact steps analysts should follow to investigate and resolve the incident.

More importantly, many of these steps, such as threat intelligence lookups, SIEM queries and Active Directory checks, can be fully automated so that the analyst has more incident context on hand at the onset of the investigation. If the analyst needs to perform other tasks, such as obtaining a forensics image or directing the IT team to reimage a machine via a help desk ticket, orchestration enables him or her to do so with the click of a button.
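The alert-to-playbook flow described in the last two paragraphs, as an added illustration that is not IBM Resilient code: a SIEM alert is escalated, the playbook for its incident type is opened, the automated enrichment steps (threat intel lookup, SIEM query, directory check) run before the analyst sees the incident, and the manual steps are queued. The threat-intel table, directory, SIEM events and playbook are all constructed sample data.

```python
"""Minimal model of escalation into an IR playbook. Added example, not vendor code."""
from dataclasses import dataclass, field

# Constructed sample data standing in for the integrated tools (assumptions).
THREAT_INTEL = {"198.51.100.7": "known C2 (constructed sample)"}
DIRECTORY = {"jdoe": {"dept": "finance", "admin": False}}
SIEM_EVENTS = [
    {"host": "ws-17", "user": "jdoe", "dst": "198.51.100.7", "event": "dns"},
    {"host": "ws-17", "user": "jdoe", "dst": "198.51.100.7", "event": "tcp_connect"},
    {"host": "ws-22", "user": "asmith", "dst": "192.0.2.10", "event": "dns"},
]

@dataclass
class Incident:
    kind: str
    artifacts: dict
    context: dict = field(default_factory=dict)        # filled by automated steps
    manual_tasks: list = field(default_factory=list)   # queued for the analyst

# Automated enrichment steps: each returns one piece of incident context.
def ti_lookup(inc): return THREAT_INTEL.get(inc.artifacts["dst"], "no hit")
def siem_query(inc): return [e for e in SIEM_EVENTS if e["dst"] == inc.artifacts["dst"]]
def directory_check(inc): return DIRECTORY.get(inc.artifacts["user"], {})

# Playbooks keyed by incident type (constructed): automated steps, then manual steps.
PLAYBOOKS = {
    "malicious_connection": {
        "automated": {"threat_intel": ti_lookup, "siem": siem_query, "directory": directory_check},
        "manual": ["acquire forensic image", "open reimage ticket with IT"],
    },
}

def escalate(alert):
    """Open the playbook for the alert's incident type, run its automated steps so the
    context is ready at the onset of the investigation, and queue the manual tasks."""
    inc = Incident(kind=alert["type"], artifacts=alert["artifacts"])
    book = PLAYBOOKS.get(inc.kind)
    if book is None:  # no playbook for this type: fall back to manual triage
        inc.manual_tasks = ["manual triage: no playbook for this incident type"]
        return inc
    for name, step in book["automated"].items():
        inc.context[name] = step(inc)
    inc.manual_tasks = list(book["manual"])
    return inc

if __name__ == "__main__":
    alert = {"type": "malicious_connection", "artifacts": {"user": "jdoe", "dst": "198.51.100.7"}}
    inc = escalate(alert)
    print(inc.context, inc.manual_tasks)
```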

Without these capabilities, responding to an incident could consume several hours or, worse, several days. But Intelligent Orchestration guides analysts through the process step by step, provides intelligence and streamlines their actions through automation and orchestration, often reducing response times to mere minutes. In fact, some IBM Resilient customers have reported reductions in mean time to resolution of more than 99 percent.

The core value of Intelligent Orchestration is its simplicity and flexibility. Our customers have told us for quite some time that they desire a single platform that provides full visibility across all their systems. They have long sought to automate or streamline workflows, but they had to rely on disparate or open source tools that demand high degrees of investment in custom scripting and integration. This results in complicated, rigid solutions that require constant management and don’t easily adapt to changing conditions. Intelligent Orchestration solves these challenges through its powerful enterprise-class integrations and ease of use. Within minutes, a security team can download an integration and create or customize a playbook with a visual drag-and-drop editor and start to close the gap between detection and response.

Combining Human and Artificial Intelligence

Intelligent Orchestration is built on an open framework. It allows organizations to integrate with a growing number of vendors across the industry and with custom-built tools. It incorporates their existing security investments — SIEM, EDR, threat intelligence, forensics, Lightweight Directory Access Protocol (LDAP), ticketing and much more — into the IR process. In addition to delivering intelligence to analysts, it also increases the analysts’ visibility into these tools and their overall return on investment (ROI).

What’s most exciting, however, is that Intelligent Orchestration is built to integrate with artificial intelligence (AI) in the near future. IBM Security has made deep investments in AI with Watson for Cyber Security, which reinforces analysts’ capabilities by providing massive amounts of contextual security intelligence. By integrating Watson for Cyber Security into Intelligent Orchestration, analysts will have a digital assistant that can instantly provide deep incident insight and context, helping them understand incidents faster than ever before and saving valuable time. It will also be able to provide feedback on IR processes, playbooks and automations, enabling teams to continuously fine-tune their IR function and security operations.

Today, Intelligent Orchestration integrates and maximizes the impact of the human and technological intelligence that exists within organizations. AI will increase this impact to a completely new level.

I look forward to learning from your experiences with orchestration and understanding how Intelligent Orchestration can move the needle for your IR teams, help reduce the gap between detection and response, and integrate with your current investments in security.
