Incident Response Orchestration: What Is It and How Can It Help?

May 30, 2017  |  Julia Kisielius

The other day, I invited about twelve friends to my apartment for dinner—on a weeknight. “Don’t worry about bringing anything,” I assured everyone. “I can handle it myself.”

As it turns out, I couldn’t.

While I had plenty of food on hand, I’d never cooked such a large meal by myself before. I had no idea how long it would take to prepare the ingredients, let alone how to time it right so that everything would be ready at the same time.

My very patient friends waited well over an hour for dinner, which was cold when I finally served it to them. (I did give them snacks while they waited. I’m not a monster.)

In spite of the food, everyone had a great time. More importantly, I learned a lesson about the value of orchestration. Essentially, I didn’t need more cooks in the kitchen, just a few simple shortcuts to make the whole process more efficient and allow me to focus on the entire meal, rather than tediously peeling carrots and chopping garlic. 

I was struck by the idea that successful security teams could use some incident response shortcuts to make their work more efficient. That’s what security orchestration is all about.

By using automated incident response to take over simple, repetitive tasks that would otherwise require multiple tools and numerous individuals, security teams can save time and focus on security, not process. For example, opening a ticket to have another team add a firewall rule blocking a malicious IP can take time, and the delay may be exacerbated by the other team’s priorities or miscommunications. Orchestrated, automated incident response can remove much of that friction and improve efficiency across incident detection, response, and remediation.

Security teams of every size should consider how the right orchestration solutions can help their IR processes run as efficiently as a well-planned dinner party.

Understanding Orchestration: Automation vs Incident Response Orchestration

Automation refers to replacing one or more manual tasks, which typically slow down incident response, with immediate reactions to security events identified across your environments. Automating certain repetitive tasks can ease the security operations burden and help you respond to threats more quickly—and more effectively.

However, let’s be clear: Just as you wouldn’t want a machine to take over your favorite restaurant, the human element of incident response isn’t going away any time soon. There are certain pieces that require human judgment, which means complete automation may not be preferred for some scenarios.

Instead, security teams should focus on orchestrating the incident response processes that help human security analysts respond to threats as quickly and efficiently as possible.

Elements of incident response orchestration get left out of discussions that focus explicitly on automating individual tasks. For example, switching between an intrusion detection solution and the application where you need to take an action in the event of a breach can slow down the entire incident response process. To take full advantage of incident response orchestration and improve processes across multiple steps and toolsets, look for solutions that help you unify your IR activities within a single solution, like USM Anywhere.

What Incident Response Orchestration Can Do for You

Incident response orchestration will look slightly different at every organization—that’s where the human element I mentioned earlier comes into play. As you consider your organization’s incident response plans and compare different solutions that might help you streamline them, there are a few key IR orchestration and automation capabilities you should look for.  

  • Prioritized Security Alerts – For incident response teams, automatic alarm prioritization reduces the burden of researching alarms individually and focuses security resources where they’re most needed. As you evaluate solutions, look for one that helps you focus your attention in the right places right out of the gate.
  • Threat Context – Understanding the full picture is one of the biggest challenges when investigating incidents. To support the incident response process, some solutions, like USM Anywhere, allow you to centrally investigate events aggregated from multiple data sources to help speed up forensic investigation. USM Anywhere also builds context and response guidance into alarms, helping you streamline your response efforts.
  • Automated Incident Response Actions – When malware infects one of your systems, you can employ automated IR actions like isolating or shutting down the system to keep it from infecting other assets. Consider solutions that give you granular control over what you want automated, which allows you to tailor them to fit your organization’s needs and infrastructure.
  • Threat Intelligence Updates – As the threat landscape changes, your incident response plan should adapt accordingly to provide the best response to the threat. For up-to-date threat detection and enough context for effective forensics, seek out a solution that includes actionable threat intelligence updates. Keep in mind that some threat intelligence solutions just provide threat data, meaning you still need to figure out how to apply it. Security teams should look for a solution that continually incorporates new threat intelligence into product updates, so you are ready to detect and respond to emerging threats.
  • Bidirectional Response – Some IR orchestration products can interact with each other to streamline your incident response actions. A solution like USM Anywhere, for example, can incorporate and analyze log data from Cisco Umbrella to detect threats, then respond to threats by sending the IP addresses of malicious domains back to Cisco Umbrella to block traffic between the domain and your employees and assets.
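To make the capabilities above concrete, here is a small orchestration playbook written for this post as an added illustration; it is not USM Anywhere, AlienVault or Cisco Umbrella code. The threat intelligence feed, asset inventory, isolation policy and alarms are all constructed, and the block/isolate/ticket actions are placeholders for whatever your firewall, DNS filter or ticketing tool actually exposes.

```python
from dataclasses import dataclass, field

# Constructed threat intelligence feed: indicator -> confidence (0-100).
# Addresses are RFC 5737 documentation ranges, not real hosts.
THREAT_INTEL = {"198.51.100.23": 90, "203.0.113.7": 40}
# Constructed asset inventory: hostname -> asset class.
ASSETS = {"web-01": "production", "lab-07": "test", "dc-01": "domain-controller"}
# Granular automation policy (hypothetical): only these asset classes may be
# isolated without an analyst approving first.
AUTO_ISOLATE_OK = {"test", "production"}
ISOLATE_THRESHOLD = 80  # priority at or above which automated actions fire

@dataclass
class Alarm:
    host: str
    remote_ip: str
    signature: str
    priority: int = 0
    context: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def prioritize(alarm: Alarm) -> int:
    """Prioritized alerts: intel confidence plus a bump for critical assets."""
    score = THREAT_INTEL.get(alarm.remote_ip, 0)
    if ASSETS.get(alarm.host) == "domain-controller":
        score += 30
    alarm.priority = min(score, 100)
    return alarm.priority

def enrich(alarm: Alarm) -> list:
    """Threat context: attach asset and intel details so the analyst need not look them up."""
    alarm.context.append(f"asset class: {ASSETS.get(alarm.host, 'unknown')}")
    conf = THREAT_INTEL.get(alarm.remote_ip)
    alarm.context.append("intel: no match" if conf is None else f"intel confidence {conf}")
    return alarm.context

def respond(alarm: Alarm) -> list:
    """Automated actions gated by policy; low-priority alarms go to a human."""
    if alarm.priority < ISOLATE_THRESHOLD:
        alarm.actions.append("notify-analyst")
        return alarm.actions
    # Bidirectional response: push the indicator back to the blocking control.
    alarm.actions.append(f"block {alarm.remote_ip}")
    if ASSETS.get(alarm.host) in AUTO_ISOLATE_OK:
        alarm.actions.append(f"isolate {alarm.host}")
    else:
        alarm.actions.append(f"ticket: approve isolation of {alarm.host}")
    return alarm.actions

def run_playbook(alarm: Alarm) -> Alarm:
    prioritize(alarm); enrich(alarm); respond(alarm)
    return alarm
```

The domain-controller case shows the human element the post describes: the block goes out automatically, but isolating a critical system still requires an analyst's approval.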

While all these capabilities are helpful individually, the power of IR orchestration comes from pulling them together in a way that makes sense for your organization’s workflows and infrastructure. As you compare solutions, consider how they will affect the entire incident response process at your organization. For example, a unified solution like USM Anywhere can shorten the time between detection and response by centralizing your IR activities in one place.

USM Anywhere delivers complete visibility of your security posture and response processes within a single pane of glass, helping you respond to threats quickly and efficiently. The platform layers time-saving IR automation capabilities on top of a foundation of essential security and compliance monitoring capabilities, which include asset discovery, vulnerability scanning, intrusion detection, behavioral monitoring, SIEM, and log management. With new updates from experts on the AlienVault Security Research Team continuously built into your USM Anywhere deployment, your security plan is always up-to-date and ready to detect and respond to the latest threats.

To check out USM Anywhere’s incident response orchestration capabilities with no hassle or setup, explore our online demo environment now.

This post is Part One of a three-part blog series on security orchestration. In Part Two, we’ll look at examples of IR automation in action. In Part Three, we’ll dig into the orchestration capabilities built into USM Anywhere.
