One of the underappreciated aspects of incident response (IR) is that it often starts as a data problem. In many cases, IR teams are presented with an effect, such as malware or adversary activity, and charged with determining the cause by identifying the evidence that ties cause and effect together, in an environment where they have no visibility or context. This situation creates the “IR data problem,” wherein responders must first collect and curate large amounts of data before they are able to provide impactful results that can aid in containment and eradication of the incident.

Endpoint detection and response (EDR) technology is often used during incident response engagements, and the EDR market has made incredible advances in detection technology. However, an EDR solution only has visibility from the moment it is installed on a system going forward. Unless the EDR technology was installed throughout the entire incident and retains all of the telemetry gathered across the entire attack lifecycle, responders are still faced with a giant data problem.

Historically, IR teams solved the data problem by deploying custom tools or scripts to all systems within the enterprise and pulling the results back to a separate platform. While classic data collection mechanisms can be effective at building the narrative of an incident through the identification of evidence, they introduce additional workstreams that draw resources away from analysis.

True incident response technology needs to understand the fundamental flows of modern incident response to add tactical automation to solve the IR data problem. Tactical automation understands that the responder is the most crucial component of effective incident response and adds automation to the right places to enhance rather than replace the responder.


Built by Responders, for Responders

Approaching a solution for the data problem of IR requires designing a platform that is built from the IR practitioner’s point of view. By approaching the problem from the responder’s point of view, an opportunity arises to create a unique rubric for measuring improvements in incident response by identifying high-impact opportunities within the IR lifecycle.

Time to contain and time to remediate have historically been the key performance metrics used to evaluate incident response. From a responder’s point of view, however, measuring speed is more nuanced. While time and speed are obviously important to IR, measuring impact in terms of time appears to be a more appropriate metric for gauging improvements in, and the success of, incident response. If a response is able to decrease the overall impact to an organization by shortening the time to gather impactful findings, the time-to-contain and time-to-remediate metrics will naturally improve. Furthermore, tactical automation could shorten the time to impactful findings by reducing the amount of time responders spend collecting and processing data and increasing the amount of time they spend analyzing it.

With these incident response metrics in mind, a true incident response platform can be characterized by:

  • Automated initial collection and investigation analysis that drives response actions immediately
  • Flexible and parallelized processes that allow human investigators to maximize the use of their time

In practice, the IR platform enables responders to push the value of the IR service to a more immediate and impactful part of the IR lifecycle.

Cybersecurity has become a massive industry; however, continued investment solely in prevention is not enough. All of the evidence shows that incidents are going to continue to happen, so organizations must prepare for the worst-case scenarios and consider effective incident response a core component of their overall security strategy.

Solving the Incident Response Data Problem

Join Cybereason Senior Director of Incident Response Engineering Jim Hung and IBM Security X-Force Head of Research John Dwyer (@TactiKoolSec) as they discuss how a design partnership between X-Force and Cybereason created a new platform to deliver a faster, more efficient approach to IR.
