March 24, 2017 By Allen Rogers 2 min read

What is incident response (IR) orchestration? IR orchestration is an approach to cybersecurity response that aligns the people, processes and technology involved in responding to and mitigating cybersecurity attacks. The goal is to empower response teams by ensuring they know exactly what to do when a security incident strikes — and have the processes and tools they need to act quickly, effectively and correctly.

Incident Response Orchestration vs. Automation

Automation is another rising IR trend, but orchestration is different in that it supports and optimizes the human in the cybersecurity loop. It gives that person the context needed to make decisions, keeping them central to security operations rather than designing them out.

This distinction is critical because security threats are uncertain problems. Responding to a threat is hardly ever a cut-and-dried matter. Automation is an excellent tool for quickly and reliably executing well-defined tasks. But because threats evolve and adversaries frequently change tactics, a human still has to decide when to escalate, when a contain-first action such as disabling an account is justified, and how to troubleshoot when the playbook does not fit the situation.

While automation is an effective tool in the broader orchestration process, it’s the human element that makes orchestration a game-changer.

See Orchestration in Action

Orchestration applies differently to every organization. It should map to your unique threat landscape, IT and security environments and company priorities.

Here’s a classic case study of how we see orchestration employed:

In this example, you can see how orchestration plays an important role across the entire security operations center (SOC) — from escalation and incident enrichment to remediation. As an incident is escalated from a security information and event management (SIEM) alert, you can see in the top left that a record is automatically created in the organization’s IR platform. From there, in the bottom right, the platform automatically gathers and delivers valuable incident context from the built-in threat intelligence feeds and additional sources.

With that context already in hand, the security analysts step in and take control. Through additional integrations they can run further tasks as they judge necessary: gathering more information about the incident from other security tools (such as endpoint security tools or web gateways), starting remediation by opening a ticket with the IT help desk, or using the identity management system to disable the affected user accounts and pull them off the network.
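The following is an added illustration of the workflow described above (SIEM alert, automatic incident record, automatic threat-intel enrichment, then analyst-controlled actions) and of the orchestration-versus-automation distinction from earlier in the post. It is example code written for this page, not code from the original post or from the IBM Resilient platform. The threat-intel feed, the action catalogue, the alert fields and the sample alert are all constructed for the example; the only design point it makes is that enrichment and low-risk steps run automatically, while a disruptive step such as disabling a user waits for an explicit analyst decision.

```python
"""SOAR-style playbook sketch: automatic enrichment, human-gated remediation.

Constructed example; nothing here is a real platform API. The threat-intel
feed and the SIEM alert are inline sample data so the module runs offline.
"""
import itertools
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample threat-intel feed (a real platform would query external
# feeds; this dictionary stands in for that lookup).
THREAT_INTEL = {
    "198.51.100.23": {"verdict": "malicious", "tags": ["c2"], "confidence": 90},
    "203.0.113.5": {"verdict": "suspicious", "tags": ["scanner"], "confidence": 40},
}

# Which response actions the playbook may run on its own and which require an
# analyst's sign-off. Deciding this split is the orchestration design choice.
ACTIONS = {
    "query_endpoint": {"requires_approval": False},
    "open_helpdesk_ticket": {"requires_approval": False},
    "disable_user": {"requires_approval": True},
}

# Constructed SIEM alert, with the field names assumed for this example.
SAMPLE_ALERT = {"src_ip": "198.51.100.23", "host": "ws-042",
                "user": "jdoe", "rule": "outbound-c2-beacon"}


@dataclass
class Incident:
    id: str
    alert: dict
    severity: str = "low"
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # actions already run or rejected
    pending: list = field(default_factory=list)   # actions waiting for an analyst


_ids = itertools.count(1)


def create_incident(alert: dict) -> Incident:
    """Step 1: the escalated SIEM alert becomes an incident record automatically."""
    return Incident(id=f"INC-{next(_ids):04d}", alert=dict(alert))


def enrich(incident: Incident) -> Incident:
    """Step 2: attach threat-intel context and derive an initial severity."""
    src = incident.alert.get("src_ip")
    intel = THREAT_INTEL.get(src, {"verdict": "unknown", "tags": [], "confidence": 0})
    incident.context["src_ip"] = intel
    if intel["verdict"] == "malicious" and intel["confidence"] >= 80:
        incident.severity = "high"
    elif intel["verdict"] in ("malicious", "suspicious"):
        incident.severity = "medium"
    return incident


def request_action(incident: Incident, action: str, params: dict,
                   approve: Optional[Callable[[Incident, str, dict], bool]] = None) -> str:
    """Step 3: run an action, or park it until an analyst decides.

    `approve` stands in for the analyst's decision. When it is None nobody has
    reviewed the incident yet, so gated actions are queued rather than run.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if ACTIONS[action]["requires_approval"]:
        if approve is None:
            incident.pending.append({"action": action, "params": params})
            return "pending"
        if not approve(incident, action, params):
            incident.actions.append({"action": action, "params": params, "status": "rejected"})
            return "rejected"
    incident.actions.append({"action": action, "params": params, "status": "done"})
    return "done"


def run_playbook(alert: dict, approve=None) -> Incident:
    """Wire the steps together for one alert."""
    inc = enrich(create_incident(alert))
    # Read-only context gathering is safe to automate for every incident.
    request_action(inc, "query_endpoint", {"host": inc.alert.get("host")})
    if inc.severity == "high":
        # Notifying the help desk is automatic; cutting a user off is gated.
        request_action(inc, "open_helpdesk_ticket", {"incident": inc.id})
        request_action(inc, "disable_user", {"user": inc.alert.get("user")}, approve)
    return inc


if __name__ == "__main__":
    queued = run_playbook(SAMPLE_ALERT)
    print(queued.id, queued.severity, "pending:", queued.pending)
    approved = run_playbook(SAMPLE_ALERT, approve=lambda inc, a, p: inc.severity == "high")
    print(approved.id, "actions:", [a["action"] for a in approved.actions])
```

Running the module with no approver leaves `disable_user` in `pending`, which is the queue an analyst would work from in a real platform; passing an `approve` callable models the analyst's decision, and a rejection is recorded on the incident rather than silently dropped, so the audit trail shows what was considered and not done.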

There are many different ways to orchestrate IR processes, but the goal is always the same: Put your analysts in the best position to respond to threats.

To learn more about how IR orchestration can help your organization respond to threats, sign up for a demonstration of the IBM Resilient Security Orchestration, Automation, and Response (SOAR) Platform today.
