Cyberattacks are growing more frequent, sophisticated and damaging, and organizations have invested hundreds of billions of dollars into arming themselves to fight back. This has led to new challenges, since today’s complex security environments and processes — or lack thereof — often hinder timely and effective response to attacks.

Today, the average organization deploys 75 security tools in its network. A 2016 study from the Ponemon Institute found that “complexity of business and IT processes” were two of the top barriers to developing resilience to cyberattacks. With skilled security personnel in limited supply, organizations cannot afford to limit the effectiveness of their existing team.


We have seen the impact of these challenges with many recent high-profile data breaches. The initial attack is almost always detected by one or more of the dozens of security products deployed. In most cases, however, there are no mechanisms for prioritizing, channeling and triaging alerts, opening an incident response (IR) playbook and addressing the issue in near real time. Attack detection is not always the only challenge — taking action and closing the loop is where we fail more often.

This is why IBM Security recently introduced the next generation of incident response, Intelligent Orchestration, with the latest IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform.

Simplifying the Complex With Intelligent Orchestration

Intelligent Orchestration takes a complex and disparate environment of products and processes and weaves them together into a robust system that guides analysts to a fast and effective resolution. It works by combining human expertise with machine-based intelligence. The insight of internal experts, such as veteran analysts and privacy, HR and legal professionals, is captured and codified into IR playbooks, and security technologies provide analysts with the incident context needed to understand the threat and resolve it. By aligning human and machine intelligence, security analysts can get the right information exactly when they need it.

For example, when a security solution, such as a security information and event management (SIEM) or endpoint detection and response (EDR) tool, detects suspicious activity, the alert and relevant artifacts are escalated into the IR platform, which opens a playbook for that specific incident type. The playbook prescribes the exact steps analysts should follow to investigate and resolve the incident.

More importantly, many of these steps, such as threat intelligence lookups, SIEM queries and Active Directory checks, can be fully automated so that the analyst has more incident context on hand at the onset of the investigation. If the analyst needs to perform other tasks, such as obtaining a forensics image or directing the IT team to reimage a machine via a help desk ticket, orchestration enables him or her to do so with the click of a button.
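The escalate-select-playbook-enrich flow described above, as a constructed Python illustration that is not IBM Resilient code: the alert's incident type selects a playbook, steps with an action run automatically against stand-in threat-intel, SIEM and Active Directory data, and steps without one are queued for the analyst. The data sets, step names and function names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for integrations an IR platform would query.
THREAT_INTEL = {"198.51.100.7": "known C2 infrastructure (constructed sample)"}
SIEM_EVENTS = {"198.51.100.7": ["40 failed logins from host", "outbound 443 to 198.51.100.7"]}
AD_USERS = {"jdoe": {"enabled": True, "groups": ["Domain Users", "Finance"]}}


def ti_lookup(artifacts: dict) -> dict:
    return {"threat_intel": THREAT_INTEL.get(artifacts.get("ip"), "no match")}


def siem_query(artifacts: dict) -> dict:
    return {"siem_events": SIEM_EVENTS.get(artifacts.get("ip"), [])}


def ad_check(artifacts: dict) -> dict:
    return {"ad_account": AD_USERS.get(artifacts.get("user"), {})}


@dataclass
class Step:
    name: str
    action: Optional[Callable[[dict], dict]] = None  # None means a manual analyst task


# One playbook per incident type; automated enrichment first, manual actions after.
PLAYBOOKS: Dict[str, List[Step]] = {
    "malware": [
        Step("threat intelligence lookup", ti_lookup),
        Step("SIEM query for related events", siem_query),
        Step("Active Directory account check", ad_check),
        Step("acquire forensic image"),          # analyst-triggered
        Step("open help desk ticket to reimage"),  # analyst-triggered
    ],
}


@dataclass
class Incident:
    incident_type: str
    artifacts: dict
    context: dict = field(default_factory=dict)       # filled by automated steps
    manual_tasks: List[str] = field(default_factory=list)  # left for the analyst


def run_playbook(alert: dict) -> Incident:
    """Escalate an alert from a SIEM/EDR into an incident and run its playbook."""
    if alert["type"] not in PLAYBOOKS:
        raise ValueError(f"no playbook for incident type {alert['type']!r}")
    inc = Incident(alert["type"], alert["artifacts"])
    for step in PLAYBOOKS[inc.incident_type]:
        if step.action is None:
            inc.manual_tasks.append(step.name)
        else:
            inc.context.update(step.action(inc.artifacts))
    return inc
```

An alert for an unknown incident type is rejected rather than silently left without a playbook, which is the gap the text describes between detection and response.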

Without these capabilities, responding to an incident could consume several hours or, worse, several days. But Intelligent Orchestration guides analysts through the process step by step, provides intelligence and streamlines their actions through automation and orchestration, often reducing response times to mere minutes. In fact, some IBM Resilient customers have reported reductions in mean time to resolution of more than 99 percent.

The core value of Intelligent Orchestration is its simplicity and flexibility. Our customers have told us for quite some time that they desire a single platform that provides full visibility across all their systems. They have long sought to automate or streamline workflows, but they had to rely on disparate or open source tools that demand high degrees of investment in custom scripting and integration. This results in complicated, rigid solutions that require constant management and don’t easily adapt to changing conditions. Intelligent Orchestration solves these challenges through its powerful enterprise-class integrations and ease of use. Within minutes, a security team can download an integration and create or customize a playbook with a visual drag-and-drop editor and start to close the gap between detection and response.

Combining Human and Artificial Intelligence

Intelligent Orchestration is built on an open framework. It allows organizations to integrate with a growing number of vendors across the industry and with custom-built tools. It incorporates their existing security investments — SIEM, EDR, threat intelligence, forensics, Lightweight Directory Access Protocol (LDAP), ticketing and much more — into the IR process. In addition to delivering intelligence to analysts, it also increases the analysts’ visibility into these tools and their overall return on investment (ROI).

What’s most exciting, however, is that Intelligent Orchestration is built to integrate with artificial intelligence (AI) in the near future. IBM Security has made deep investments in AI with Watson for Cyber Security, which reinforces analysts’ capabilities by providing massive amounts of contextual security intelligence. By integrating Watson for Cyber Security into Intelligent Orchestration, analysts will have a digital assistant that can instantly provide deep incident insight and context, helping them understand incidents faster than ever before and saving valuable time. It will also be able to provide feedback on IR processes, playbooks and automations, enabling teams to continuously fine-tune their IR function and security operations.

Today, Intelligent Orchestration integrates and maximizes the impact of the human and technological intelligence that exists within organizations. AI will increase this impact to a completely new level.

I look forward to learning from your experiences with orchestration and understanding how Intelligent Orchestration can move the needle for your IR teams, help reduce the gap between detection and response, and integrate with your current investments in security.
