Welcome back to our series highlighting features necessary for a modern security incident management platform. We’ve already looked at how these platforms should facilitate continuous learning and user customization, and now it’s time to look at orchestration and inter-product connectivity.
Product proliferation is one of the main challenges facing SOCs today that is not a direct result of attackers. Analysts have to coordinate a vast security product suite while responding to incidents; this coordination involves repeated context and console switching that leads to ‘dead time’, eating up vital seconds of incident response time. Incident management solutions that align tightly with the rest of the security stack are therefore becoming a top user need.
Let’s go over some orchestration and inter-product connectivity features that modern incident management platforms should leverage.
If incident management platforms have native security orchestration or integrate with third-party security orchestration platforms, analysts can benefit from harmonizing actions across their security product stack in a single window, preventing the need to switch screens and collate information from disparate sources.
Apart from dwell time, another drawback of product proliferation is a steep rise in the number of alerts. With each product spinning up its own watchlist and red alarms, analysts scramble to perform repetitive actions and ascertain the actual seriousness of the alerts.
If IM platforms align with security automation tools, not only can actions across products be coordinated, but high-volume, repetitive actions can also be automated to ease analyst load and free them to focus on high-quality problem solving.
If analysts perform actual investigations on the incident response platform but converse with each other using an isolated collaboration tool, the wealth of data that can be gleaned from their conversations is lost. IR platforms with native collaboration suites or integrations with third-party collaboration tools capture all of those analyst comments. This not only lets analysts work on a single console while conversing with the team, but also aids knowledge management by building a repository of information within the organization.
Although SIEMs perform initial incident enrichment and correlation, analysts often need to buttress that with additional context gleaned from threat intelligence platforms. IM platforms with basic native threat intelligence and integrations with third-party threat intelligence platforms will ensure that analysts get accurate, actionable context from multiple sources while dealing with incidents.
An example in action
Let’s take an example where all this inter-product connectivity bears fruit. Let’s say the SOC’s IM platform ingests potential malware attack data from the SIEM. This automatically sets off a playbook that SOC analysts have built for malware attacks.
The playbook orchestrates across threat intelligence feeds to gather indicator reputation, sandboxes to detonate hashes for deeper study, DNS tools for further domain information, and endpoint security platforms for querying systems and checking their health. All these playbook tasks are automated and result in rich enrichment that provides the analyst with much-needed alert context.
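The enrichment playbook just described, written out as an added example that is not Demisto's code or any vendor's API. It shows the point made earlier about automating repetitive, high-volume work: each integration (threat intel feed, sandbox, DNS, endpoint platform) is a hypothetical mock that stands in for a real API, the sample hash, domain and hostname are constructed placeholders rather than real indicators, and the severity weights are an assumption chosen for illustration. The endpoint task is made to time out on purpose, because a playbook that aborts on the first unreachable product leaves the analyst with nothing; the example records the failure and carries on.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample values: placeholders for the walkthrough, not real indicators.
SAMPLE_HASH = "0" * 64
SAMPLE_DOMAIN = "update-check.example"
SAMPLE_HOST = "WS-0042"


@dataclass
class Incident:
    """Alert as handed over by the SIEM, plus the context the playbook accumulates."""
    source: str
    sha256: str
    domain: str
    hostname: str
    context: Dict[str, Any] = field(default_factory=dict)
    failed_tasks: List[str] = field(default_factory=list)


# Mock integrations standing in for the threat-intel, sandbox, DNS and endpoint APIs.
MOCK_TI_FEED = {SAMPLE_HASH: {"verdict": "malicious", "sources_agreeing": 3}}
MOCK_SANDBOX = {SAMPLE_HASH: {"score": 9, "behaviours": ["persistence", "c2-beacon"]}}
MOCK_DNS = {SAMPLE_DOMAIN: {"registered_days_ago": 4, "resolves_to": "203.0.113.10"}}


def ti_reputation(inc: Incident) -> Dict[str, Any]:
    return MOCK_TI_FEED.get(inc.sha256, {"verdict": "unknown", "sources_agreeing": 0})


def sandbox_detonate(inc: Incident) -> Dict[str, Any]:
    return MOCK_SANDBOX.get(inc.sha256, {"score": 0, "behaviours": []})


def dns_lookup(inc: Incident) -> Dict[str, Any]:
    return MOCK_DNS.get(inc.domain, {"registered_days_ago": None, "resolves_to": None})


def endpoint_query(inc: Incident) -> Dict[str, Any]:
    # Simulates the endpoint platform being unreachable; the playbook must not abort here.
    raise TimeoutError(f"endpoint platform did not answer for {inc.hostname}")


# Ordered enrichment tasks. They are independent, so one failure must not block the rest.
TASKS: List[Tuple[str, Callable[[Incident], Dict[str, Any]]]] = [
    ("reputation", ti_reputation),
    ("sandbox", sandbox_detonate),
    ("dns", dns_lookup),
    ("endpoint", endpoint_query),
]


def severity(ctx: Dict[str, Any]) -> str:
    """Combine enrichment results into a coarse severity (weights are an assumption)."""
    points = 0
    if ctx.get("reputation", {}).get("verdict") == "malicious":
        points += 2
    if ctx.get("sandbox", {}).get("score", 0) >= 7:
        points += 2
    age = ctx.get("dns", {}).get("registered_days_ago")
    if age is not None and age < 30:  # freshly registered domains are a warning sign
        points += 1
    return "high" if points >= 4 else "medium" if points >= 2 else "low"


def run_playbook(inc: Incident) -> Incident:
    """Run every enrichment task, record failures instead of aborting, attach a severity."""
    for name, task in TASKS:
        try:
            inc.context[name] = task(inc)
        except Exception as exc:  # a failed integration is recorded for manual follow-up
            inc.failed_tasks.append(name)
            inc.context[name] = {"error": str(exc)}
    inc.context["severity"] = severity(inc.context)
    return inc


def analyst_summary(inc: Incident) -> str:
    """Text block the playbook would post into the collaboration window."""
    lines = [f"Incident from {inc.source} on {inc.hostname}: severity {inc.context['severity']}"]
    for name, _ in TASKS:
        lines.append(f"  {name}: {inc.context[name]}")
    if inc.failed_tasks:
        lines.append("  needs manual follow-up: " + ", ".join(inc.failed_tasks))
    return "\n".join(lines)


if __name__ == "__main__":
    incident = run_playbook(Incident("SIEM", SAMPLE_HASH, SAMPLE_DOMAIN, SAMPLE_HOST))
    print(analyst_summary(incident))
```

Running it prints a summary in which the endpoint step is listed under "needs manual follow-up" while the reputation, sandbox and DNS results still drive the severity. Replacing the mock functions with real integration clients is the only change a practitioner would need to make, and the try/except around each task is the piece worth keeping as-is.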
Once the playbook has finished running, the analyst is alerted and views all playbook task results in a collaboration tool window. At first glance, this seems like a tricky incident for the analyst to handle alone, so he calls in one of his colleagues and both analysts now conduct a joint investigation in the collaboration window.
They converse back and forth, swapping initial ideas on what further actions need to be performed. They write the agreed-upon actions into a command-line interface in the same window, and the chatbots present within the collaboration tool perform the actions (even those that query external products) before presenting the results on the same console.
With all this data in front of them, the analysts now identify key pieces of evidence that help them reach the root of the problem. They highlight these pieces and add freehand notes to list out the thought process they followed so that knowledge is stored within the organization if someone else looks at this incident response in the future.
That’s it for this edition of our series on modern incident management features. Stay tuned for more drilldowns in the coming weeks! For more cutting-edge and informative cybersecurity content, please subscribe to blog and newsletter updates from Demisto.