What Is Incident Response Orchestration?

What is incident response (IR) orchestration? IR orchestration is an approach to cybersecurity response that aligns the people, processes and technology involved in responding to and mitigating cybersecurity attacks. The goal is to empower response teams by ensuring they know exactly what to do when a security incident strikes — and have the processes and tools they need to act quickly, effectively and correctly.

Incident Response Orchestration vs. Automation

Automation is another rising IR trend, but orchestration is different in that it supports and optimizes the human in the cybersecurity loop. It helps this person understand the context and make decisions, which empowers them as a central part of security operations.

This distinction is critical because security threats are uncertain problems. Responding to a threat is hardly ever a cut-and-dry issue. Automation is an excellent tool for quickly and effectively executing specific tasks. But since threats are often evolving — and adversaries frequently change tactics — human decision-making is needed to step in for things like escalating issues or troubleshooting.

While automation is an effective tool in the broader orchestration process, it’s the human element that makes orchestration a game-changer.

See Orchestration in Action

Orchestration applies differently to every organization. It should map to your unique threat landscape, IT and security environments and company priorities.

Here’s a classic case study of how we see orchestration employed:

Incident Response Orchestration

In this example, you can see how orchestration plays an important role across the entire security operations center (SOC) — from escalation and incident enrichment to remediation. As an incident is escalated from a security information and event management (SIEM) alert, you can see in the top left that a record is automatically created in the organization’s IR platform. From there, in the bottom right, the platform automatically gathers and delivers valuable incident context from the built-in threat intelligence feeds and additional sources.

From here, the security analysts already have critical information when they step in and take control. These analysts can leverage additional integrations to manually take on additional tasks deemed necessary. These tasks include gathering additional information about an incident from other security tools (such as endpoint security tools or web gateways), starting the remediation process by alerting the IT help desk or going to the identity management to pull users off the network.

There are many different ways to orchestrate IR processes, but the goal is always the same: Put your analysts in the best position to respond to threats.

To learn more about how IR orchestration can help your organization respond to threats, sign up for a demonstration of the IBM Resilient Incident Response Platform today.

Allen Rogers

Executive Software Development Management, IBM Security