Going Beyond Incident Response

With the ever-evolving threat landscape, increased concern regarding cybersecurity, and the convergence of IT operations and security, many believe that cybersecurity programs must take an all-inclusive approach in addressing security incidents and data breaches. Traditional incident response models primarily offer technical guidance; they are not designed to help organizations gain a more comprehensive understanding of incidents and their enterprise risk management implications.

Though traditional incident response platforms can provide static playbooks for a one-time remediation of an incident, many organizations are turning to Security Orchestration, Automation and Response (SOAR) technologies for a full-lifecycle, enterprise-wide view on responding to cyber breaches.

Gartner defines security orchestration, automation and response, or SOAR, as technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow. SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated.

To give you a peek into the current status of Incident Response and SOAR technologies, Brilliance Security Magazine talked with Stan Engelbrecht of D3 Security.  Stan gave us a tour of their IR platform (IRP) and explained what they see as the significant industry trends related to this area.

Since 2002, D3 Security has provided innovative security operation and incident management solutions. Stan told us, “the company originally started off as a case management and investigations solutions provider.”  Focused originally on corporate security, they evolved along with the security risks and concerns of their clients. In 2013, at the behest of their corporate security clients, they started to build out the cybersecurity side of their platform. They feel these origins in corporate security and their evolution to include cybersecurity threats gives them a more comprehensive insight into the overall threat landscape.  To illustrate his point, Stan posed the hypothetical question, “how do you classify a stolen laptop computer?  Is it a corporate security loss of property, or is it a loss of critical data and credential information that could be used in a breach?”  Obviously, it is both and should be handled as such seamlessly, without the need for cross-organizational collaboration.

Offered by a small but growing number of vendors, IRPs help coordinate tasks and status updates across incident handling stages, and in most cases, integrate with security information and event management (SIEM) platforms to streamline management of event-alerts.

Increasingly, however, security leaders want to use data from their SIEM to help build detailed malware profiles and support deeper post-event investigations, which are not supported by the integration capabilities of traditional IRPs.

The focus on task orchestration and one-time remediation is yet another gap, which limits the analyst’s ability to have a comprehensive view of IOCs, and increases the risk of recurring incidents. For example, when processing a malware incident, the IRP will gather signatures and behaviors of the malware, which can be used to identify future infections. But such information is strictly reactive: it does not tell you how that threat came into your organization, and how to stop it from happening again. Without systematic root cause resolution built into the workflow, an organization cannot remediate conclusively and eliminate the risk of recurrence. Instead, IRPs force analysts into a whack-a-mole approach to cyber incident management, ultimately increasing incident volumes and straining cybersecurity resources.

D3’s incident management platform provides responders with incident-specific playbooks that can be automatically enriched with threat intelligence and other contextual data. But unlike traditional IRPs which focus solely on technical security guidance, D3 also provides templates for threat hunting, impact assessments, malware profiles, and a variety of other activities, that help guide the entire cybersecurity function. Dedicated workflows for data retention, eDiscovery, and compliance are also provided to non-security stakeholders such as human resources, forensic or general counsels.

Many incident response analysts spend the bulk of their time gathering contextual data to understand and respond to alerts. D3’s automation saves you that time by instantly populating incident reports with reputation data drawn from third-party sources like VirusTotal and DomainTools. This includes a reputation ratio, contextual data, and whether or not the file, domain, URL, or IP is known to be malicious. Uniquely, D3 can query multiple hashes that are implicated in a single incident record.

The foundation of a strong incident response program is the playbooks you use to guide your processes. Playbooks ensure that your entire team is working together following proven steps, and expedite response times by removing uncertainty. Strong playbooks can elevate the contributions of junior employees, by embedding industry best practices and the wisdom of senior personnel into the workflow. D3 has a library of industry-standard playbooks, primarily built to the NIST 800-61 standard, but also including other frameworks such as SANS. In addition to the playbook library, D3 allows for full or partial customization, so that you can adapt the system to your precise needs.

Every field in D3 is reportable, making it easy to visualize data in dashboards, link analysis, charts, trend reports, or summaries for senior management. D3’s reporting features also support the important process of post-incident reviews, with information like root cause, time to detection, response playbook used, and lessons learned.

D3’s automation features help contextualize, prioritize, and streamline your incident response. Automatic SIEM event escalation makes it easy to investigate all potential threats. By gathering alerts and correlating against threat intelligence, D3 paints a full picture of the threat, saving the analyst significant time and eliminating human error. D3 assigns a risk score for every alert. Serious incidents are automatically assigned to senior analysts, with color coding and alerts for at-a-glance management. Less serious incidents, or likely false positives, can be directed to the queue of more junior team members.

D3’s automation and orchestration features make it possible to free up analysts from busywork, only involving them when their expertise is required. For routine tasks, D3 can orchestrate across your security systems to identify and contain low-level threats. In order to standardize your procedures and get maximum value out of junior investigators, D3 guides you through the investigation process, with detailed steps, suggestions, interview scripts, email templates, and more.

Incident management platforms, such as offered by D3 Security, provide a more complete solution because they bring together all the best features of an IRP, along with the much-needed case management, entity profiling, root cause analysis and enterprise risk management components.