Six steps for building a robust incident response strategy

01

3 min read

Introduction

Intelligent incident response

Most organizations operating in a highly connected digital world realize that it is not enough to simply detect and prevent cyberattacks, they also need to respond – quickly and efficiently. IBM Security SOAR, a security orchestration, automation and response (SOAR) platform, was developed for just this purpose: to help security teams respond to cyberattacks with confidence, automate with intelligence and collaborate with consistency. The platform helps security teams to manage, coordinate, and streamline the entire incident response process.

IBM Security has worked with organizations across various industries to implement IBM Security SOAR to develop more sophisticated and robust incident response functions. These organizations build incident response processes that are consistent, repeatable, and measurable rather than ad hoc. They make communication, coordination, and collaboration an organization-wide priority by leveraging technology that can empower the response team to do their job faster and more accurately.

However, there are challenges to building and managing a robust incident response capability. Three challenges stand out:

  1. The volume and sophistication of cyber security incidents is increasing. Forty-one percent of cyber security professionals say cybersecurity analytics and operations are more difficult today than they were two years ago because the threat landscape is evolving and changing so rapidly, according to Enterprise Strategy Group (ESG).1
  2. Security teams are struggling to fill open positions. 500,000 cyber security jobs remain unfilled across the industry as of 2020, according to CyberSeek.2
  3. Teams are managing a complex security environment with a dizzying number of disconnected tools. According to ESG, 35% of organizations use 26 or more disparate technologies from as many as 13 vendors for security analytics and operations.3
Statistics

To solve these challenges, many IBM Security SOAR customers are striving to maximize the productivity of their security teams by understanding who is responsible for which tasks, when tasks need to be done, and how to accomplish them, a concept known as security orchestration.

Security orchestration empowers security analysts by putting incident response processes and tools right at their fingertips. Accessing important incident information quickly, leveraging automation, and taking decisive action increases the productivity of security analysts and technologies — in turn, alleviating the skills gap and the volume of alerts.

But security orchestration is a process, not a product. It requires strong foundational blocks — trained people, proven processes, and integrated technologies. Orchestration is built on these core elements, and the effectiveness of an organization’s orchestration efforts lies entirely on the quality of these fundamental pieces.

Mapping your incident response maturity

Over the years, IBM Security SOAR customers have increased their incident response sophistication at various levels across a maturity spectrum. Maturity levels are often defined by industry, available resources, or experience, and most IBM Security SOAR customers continually look to evolve their incident response function into a more advanced phase.

With the help of these customers, the IBM Security SOAR team has developed an incident response maturity model. This model maps the journey from an ad hoc and insufficient incident response function to one that is fully coordinated, integrated, and primed for continuous improvement and optimization.

The road to orchestrated incident response starts with empowering people, developing a consistent, repeatable process, and then leveraging technology to execute. This guide outlines the key steps to building a robust incident response function.

Incident Response Maturity Model
1 ESG Global, SOAPA: Unifying SIEM and SOAR with IBM Security QRadar and IBM Security SOAR
3 ESG Global, SOAPA: Unifying SIEM and SOAR with IBM Security QRadar and IBM Security SOAR

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.

02

5 min read

Step 1

Understand the threats that affect your organization

Every organization faces a unique threat landscape and building out your incident response function to develop a detailed understanding of this landscape is the first step.

The threat landscape will depend on the nature of the cyberattacks facing your organization. This may include specific threats that your organization has addressed in the past (for example, malware or phishing attacks) as well as threats that are known to affect your industry broadly (such as ransomware attacks on healthcare organizations or distributed denial of service attacks on internet infrastructure companies).

Geography also plays a role in the type of cyberattacks your company is likely to experience. North America, for example, accounted for 44% of incidents in 2019, with business email compromises, ransomware, and nation states targeting the financial sector, being the most common. Europe, on the other hand, experienced 21% of incidents but their most common attacks were entirely different, ranging from remote desktop protocol compromises, Point-of-Sale (POS) malware, and insider threats.4

Additionally, a robust threat model should consider all possible actors and incidents. For example, the finance and insurance industry, the most attacked industry four years in a row, is the target of cyber threat actors motivated by the allure of potentially significant and rapid payouts. Yet, while finance and insurance companies tend to experience a high volume of attacks, they publicly disclose a smaller number of data breaches, indicating their effectiveness at detecting and containing threats before they turn into major incidents. In addition, financial companies are more inclined to test their incident response plans, in turn, helping to improve their preparedness and mitigate financial damages. 5

The spectrum of possible cyber incidents your organization may face is broad and each warrants its own incident response process.

To get started, among the questions you might ask are:

  • What kinds of attacks or adverse incidents has our organization experienced in the past?
  • Have we sustained a malware infection in the recent past? If so, what kind of malware (botnet, theft of data, ransom)? When and for how long did the incident last and how was it resolved?
  • Have our employees been the victims of targeted phishing email scams designed to steal employee credentials? If so, which employees?
  • Has our organization been the subject of criticism in popular online forums or by hacktivist groups or other online personalities?
  • Has our organization been specifically targeted by a DDoS attack or other form of intentional online disruption?

In attempting to understand the threats facing your organization, consider what types of attacks your competitors, business partners, and peer companies have encountered. Have you seen similar attacks? Leveraging external threat intelligence tools, such as X-Force Exchange, and frameworks like MITRE ATT&CK, which standardize attacker information, also provide valuable inputs in assessing the threat landscape.

Preparing for privacy breaches

While cyberattacks themselves can have a significant impact on an organization, so can data breaches.

  • What data are you collecting and why?
  • What are your privacy obligations — including industry regulations, state/federal data breach laws, and contractual agreements?
  • When do you need to provide notification of privacy breaches (factors often include breach size and whether the data was encrypted — but vary across geographies and industries)?
  • Who needs to be notified (customers, attorney general’s office, others) and how?
  • What is the time limit for notification?

Staying abreast of privacy obligations is a challenge for many security and privacy professionals and complicated by the growing number of global, state, and industry regulations. The European Union’s General Data Protection Regulation, or GDPR, which went into effect in May 2018, was a major catalyst of change in privacy regulations.

GDPR was one of the biggest developments in privacy in decades. For most organizations, fulfilling data breach notification requirements was already a significant challenge. GDPR added another complex layer to that sentiment.

— Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute

GDPR is a privacy law that introduced steep, sweeping changes and helped to lay the foundation for similar laws in other countries. At a minimum, it applies to any organization globally that does business with European Union citizens or organizations, includes a 72-hour window for data breach notification for some scenarios (which is much tighter than most current laws in the U.S.), and can impose penalties for non-compliance.

New regulations are taking affect in the U.S. as well. The California Consumer Privacy Act (CCPA) may be the most well-known but other states and countries are also amending their breach notification laws to include tight restrictions. When it comes to incident response, this can present a significant challenge for organizations that do not feel confident in their ability to comply with emerging data privacy regulations. Expanding definitions of “personal information,” reduced time frames to report data privacy breaches, and new requirements for reporting privacy breaches to supervisory authorities are all key factors organizations will need to be aware of going forward.6

Assessing your organization

The threat landscape is not just the external factors and risks that may impact your company, but also internal challenges and shortcomings. As described earlier, the cybersecurity skills gap is a challenge that the industry will need to manage for the foreseeable future — and organizations should assess how it impacts them today and work to manage it.

To identify your internal skills gap, evaluate your current skills versus the skills you will need to effectively address and manage external threats. Performance metrics such as time-to-completion on individual tasks and workload balance are good indicators of the skills you have today and where the gaps are. By using tabletop exercises and analysis, you can further evaluate skills and capabilities inside the security operations center, assess the team structure, and find additional gaps you may have overlooked. In some instances, it may be beneficial to work with a security services firm who can conduct a formal analysis and provide recommendations.

Finally, your threat landscape — the attacks you face, regulations you must comply with, and your organizational skills shortage — is a continually evolving assessment. As the cybercrime market, privacy regulations, and other industry trends shift, the landscape will too. Be sure to set regular intervals to review and update your threat landscape accordingly.

Learn how Secure-24 uses IBM Security SOAR to speed up investigations.

4 IBM Security X-Force Threat Intelligence Index 2020
5 Ibid.

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.

03

3 min read

Step 2

Build a standardized, documented, and repeatable incident response plan

Surveys indicate that insufficient planning and preparedness is still the single biggest barrier to cyber resilience today. It is, perhaps, not surprising then that most organizations do not have a proper incident response plan in place. According to the 2020 Study on the Cyber Resilient Organization conducted by the Ponemon Institute, only 26 percent of organizations have a cyber security incident response plan (CSIRP) in place and applied consistently across the organization. The remaining 74 percent either don’t have a plan at all, follow informal, ad hoc processes, or don’t have a plan that is not consistently applied across the organization.7

Statistic

As a result, many incident response functions are slow, inefficient, and ineffective, which increases the likelihood of a costly, damaging cyberattack, adds to employee dissatisfaction and burnout, and puts security leadership jobs at risk. However, having a standardized, documented, and repeatable incident response plan addresses these risks and ensures your team knows exactly what to do and when and how to do it. It also provides a platform for continual improvement, enabling your organization to stay ahead of ever-evolving cyber threats.

The challenge: creating a proper incident response plan is time-consuming and requires a dedicated, organization-wide effort. To that end, security leadership needs to make incident planning a priority. Teams should work together to guide and execute investigation and response actions consistently with documented and standardized response plans. The emphasis on collaboration helps teams react faster, coordinate better, and respond smarter to threats, while prioritizing tasks and actions to ensure every security analyst knows their roles and responsibilities.

Your team should also engage with executives and, occasionally the board of directors, to ensure they understand the risks and inform other relevant leaders that they will be expected to contribute, including marketing, HR, legal, IT, and other business units.

An incident response planning workshop can ensure that your team’s stakeholders come together to develop consistent, documented, and standardized response plans.

During the workshop, your teams (with security leadership’s guidance) can come together to walk through specific incident scenarios and:

  • Map out specific steps that need to be taken to resolve an incident throughout its lifecycle
  • Determine roles and responsibilities
  • Identify the key technologies and channels of communications to be leveraged during a response
  • Build processes around permissions and escalations

Resources like NIST, SANS, and CERT can provide great frameworks for these conversations and plans — but, ultimately, your incident plans will need to be specific to your organization. Therefore, it is important to involve all contributors across the organization. You will need to tap the know-how and experience of your existing IT and security teams, key stakeholders within your organization, as well as executives, and legal and compliance officers. External third-party entities like business partners and suppliers can also be part of the conversation.

By the end of these exercises and conversations, your team should have well-thought-out, repeatable, and documented plans that can be centralized, followed by anyone on your team, and continually improved upon over time.

Learn how KBC implemented IBM Security SOAR and gained centralized incident response visibility.

7 2020 Study on the Cyber Resilient Organization conducted by the Ponemon Institute

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.

04

2 min read

Step 3

Proactively test and improve incident response processes

Cyber adversaries are continually striving to gain new advantages, requiring security teams to make staying ahead of threats a priority.

One of the most effective ways to keep incident response capabilities driving forward is running simulations — and doing them in a dedicated, results-driven manner.

Incident response simulations provide a useful method for overcoming the “insufficient planning and preparation” barrier. Simulations ensure that the entire incident response function — people, processes, and technology — are primed and ready for real-world incidents, while also uncovering opportunities for future improvements.

Person on computer

To start, security leaders should plan upfront to make the simulation meaningful and decide if they want to practice a commonly seen incident, or prepare for something unexpected. It may be beneficial to explore an approach such as ‘commander’s intent,’ which is often used by cyber range teams. Commander’s intent is a leadership tool that originates from the military and is focused on clearly and concisely communicating the purpose and end state during a crisis, such as a large scale cyber security incident. The benefit is that teams know precisely how to respond during high pressure situations, even if the commander is unavailable.

Security leaders should also build specific, thoughtful simulations that include important details analysts will need to find. In other words, make your team think critically about the simulation and ensure it is more than just a check-the-box exercise.

Additionally, make the simulations measurable. Set goals and track key metrics such as mean-time-to-resolve and level of completeness. Replay simulations to measure improvements (or regressions).

Finally, make incident response simulations an organization-wide event. Include participants from HR, legal, marketing, and other groups to ensure they will be ready to play their parts when a real incident occurs. Consider using a cyber range in order to train your staff and practice a real-world simulation in an immersive environment. Similarly, share the results of the postmortem analysis across the organization. This will help keep the team accountable and educate leadership on where and what resources are needed.

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.

05

3 min read

Step 4

Leverage threat intelligence

Cyber criminals are working together — collaborating and sharing information across the dark web. Security professionals need to be working together too.

Collaboration not only increases knowledge but shortens response time as well. A recent survey by the SANS Institute found that 80% of respondents cited reduced time to respond to threats as a major benefit of Cyber Threat Intelligence, with 32% calling the benefit “significant.”8

The threat intelligence industry has grown significantly in recent years, and for good reason: security teams are seeking better insight and awareness into the activity in their environments.

Leveraging threat intelligence helps increase awareness of potential threats. However, there are challenges to using it effectively. Security teams often need to navigate countless feeds of varying quality as well as manage the signal-to-noise problem. Organizations need to adopt a collaborate with consistency mindset, regularly sharing information through the most efficient communication means so they can react faster, coordinate better, and respond smarter to threats.

Fortunately, many IBM Security SOAR customers have years of experience implementing and experimenting with a variety of threat intelligence feeds. Based on their combined experiences, here are three key takeaways to effectively leverage threat intelligence for better incident response:

  • Anchor threat intelligence in incident response plans.
    By grounding threat intelligence data into existing incident response processes, analysts can escalate indicators of compromise (IoCs) into incidents. They can access vital information about potential threats when needed —using the available intel when relevant to the circumstances they face, leading to huge improvements in time management and team effectiveness.
  • Use integrations and correlation to make threat intelligence actionable.
    By integrating threat intelligence with other data sources like SIEMs and EDR tools as well as internal data sources like LDAP and CMDB, analysts can gain fuller context of the incident, making the information more actionable. They can refine and target the scope of the data by considering the context, severity, and patterns. This helps analysts better understand the severity of the incident and what actions to take.
  • Track and measure the usefulness of your sources.
    There are plenty of intel feeds but none are one-size-fits-all. Examples include open source, closed communities, commercial sources — and the threat intelligence platforms themselves. Record how often individual feeds provide information and the quality and criticality of the information provided. You will soon discover if certain feeds are redundant or need to be adjusted in any way.

As explored further in upcoming sections, security orchestration, automation and response (SOAR) solutions such as IBM Security SOAR can automate much of the manual portions of incident investigation and response. Incident response processes can be designed and orchestrated with visual workflows based on tasks to provide visibility to the analyst working on the incident. Security analysts are able to see how seemingly disparate incidents might be related by noting the commonalities between them — such as IT assets involved, malicious software used, malicious infrastructure communicated with, and so on.

Statistic

Organizations that can identify incidents and grasp the disparate artifacts that make up the story of a breach will drive down response times from days or weeks to hours. This also helps to implement practical controls in areas like user access, data security, and communications that will prevent future incidents from occurring.

In a study conducted by the SANS Institute, 90 percent of respondents said improving visibility into threats and attack methodologies impacted their security posture, with 43% percent of those respondents saying it had a significant impact.9

8 The SANS Institute, The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey.
9 Ibid.

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.

06

3 min read

Step 5

Automate incident investigation and response

As noted in the 2020 Cost of a Data Breach Report from the Ponemon Institute, the time to identify and contain a breach is currently 279 days.10 With cyber incidents lasting undetected for weeks or months, malicious actors have the opportunity to establish a beachhead on compromised networks that can be difficult to remove.

Statistic

One reason it takes so long is that most organizations rely on ad hoc processes for detecting even straight-forward cyber incidents like phishing attacks on employees — and because of the skills gap, organizations who have the right tools and technology may struggle to find enough resources to efficiently manage the deluge of incidents.

As organizations add integrated data and threat intelligence sources to their incident response processes, the opportunities to orchestrate responses in a sophisticated way grows — starting with the automation of low-level tasks.

Automation is a useful method of streaming menial, repetitive tasks and making your team faster and smarter. When used in a broader incident response orchestration strategy, automation can empower your team to be strategic decision makers.

In the case of an outbreak of malware, for example, a suspicious sample detected on one endpoint can be automatically grabbed and fed to an endpoint agent or next-generation threat detection platform to observe and classify. Based on the outcome of that analysis, further automated and manual processes can be queued up: identifying other infected hosts on the network and requesting permission to quarantine them, identifying a vulnerability associated with that malware infection and scheduling emergency patches to vulnerable systems, or firing off requisite notifications to internal staff or external monitors, for example. At each stage, requests, responses, and actions can be documented for future reference.

It is not hyperbole to say that cyber resilience and automation go hand in hand. In a recent study conducted by the Ponemon Institute, not only did those surveyed say they considered the importance of both cyber resilience and automation very high (61% and 73% respectively) but 63% of respondents also said their organizational leaders recognize that investments in automation, machine learning, artificial intelligence and orchestration strengthen their cyber resilience. 11

As a first step in leveraging automation, pinpoint the right processes to streamline. These are often time-consuming, menial, and inefficient tasks that take up inordinate amounts of analysts’ time and can be safely and reliably automated. Security leaders should also analyze the risk and complexities of automating a process versus the potential efficiencies gained.

To ensure safe and reliable automation, test the processes’ fidelity. Script manual actions that keep human decision making and approval involved. Once your team has confidence that the process is right and the technology works properly, you can decide to fully automate.

It may take time to define the process but once implemented, automation can be a huge time saver in the long run, reducing time to find, respond to, and remediate complex cyber threats, while aligning security ecosystem and external threat intelligence. Streamlining and automating manual and repetitive tasks also frees up analysts to focus on high-value investigation and response activities.

However, it is important to note that while technology-based automation can save time, it is only as strong as your overall incident response function — and is most effectively leveraged in an orchestrated incident response strategy.

Learn how TalkTalk reduced incident containment time with IBM Security SOAR.

10 IBM Security Cost of a Data Breach Report 2019, study conducted by the Ponemon Institute
11 2020 Study on the Cyber Resilient Organization conducted by the Ponemon Institute

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.

07

3 min read

Step 6

Orchestrate across people, process, and technology

The promise of security orchestration and automation — making response faster and more automated — has drawn the attention and interest of many security experts across the industry. However, successful and effective orchestration and automation requires a strong overall incident response strategy and foundation. The prior steps in this guide have been created to help ensure these fundamental building blocks are well-thought-out, strong, and primed for future improvements. To summarize, here are essential questions to ask when assessing the strength of your incident response foundation:

People: Have you ensured your incident response team is well-coordinated and well-trained? Do they have the right skills to address all aspects of an incident’s lifecycle? Do they have means for consistent collaboration and analysis?

Process: Do you have well-defined, repeatable, and consistent incident response plans in place? Are they easy to update and refine? Are you regularly testing and measuring them?

Technology: Does your technology provide valuable insight and intelligence in a directed fashion? Does it enable your team to make smart decisions and quickly act on those decisions?

People

By addressing these questions, you can ensure your orchestration efforts will align to these building blocks effectively. If you have not developed this foundation, the benefits of orchestration will be marginal.

The goal of security orchestration is to empower the response team by ensuring they know exactly what to do when a security incident strikes and have the processes and tools they need to act quickly, effectively, and correctly.

Security orchestration, automation and response (SOAR) platforms are growing in popularity among cyber security professionals. According to Gartner, by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.12 While SOAR platforms encompass both orchestration and automation, there is a critical distinction.

Orchestration supports and optimizes the human-centric elements of cyber security — such as helping to understand context and decision making — and empowers them as central to security operations. This is an important distinction because security threats are uncertain problems. Responding to a threat is hardly ever a cut-and-dried issue.

Automation is a useful tool for quickly and effectively executing specific tasks — but since threats are often evolving and adversaries are changing tactics, human decision-making is needed to step in for things like escalating issues or troubleshooting. Furthermore, automation is an effective tool in the broader orchestration process, but it is the human element that makes orchestration the game-changer that it is.

Orchestration applies differently to each specific organization. It should map to your unique threat landscape, IT and security environments, and company priorities. For a quick example, the following is a classic use case of how orchestration is employed in many of the organizations IBM Security SOAR works with.

Chart

In the top left of the graphic, as an incident is escalated from a SIEM alert, a record is automatically created in the organization’s SOAR platform. From there, in the bottom right, the platform automatically gathers and delivers valuable incident context from the builtin threat intelligence feeds and additional sources. From here, security analysts already have critical information when they step in and take control. These analysts can leverage numerous integrations to manually take on additional tasks deemed necessary — including gathering more information about an incident from other security tools (such as endpoint security tools or web gateways) or starting to remediate the issue by alerting the IT help desk or going to the identity management tool to block users access to critical applications.

There are many ways to orchestrate incident response processes, but the goal is always the same: put security analysts in the best position to respond to threats.

12 Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, June 2019

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.

08

1 min read

Conclusion

Building a resilient, response-ready organization

It is tempting to imagine that technology advancements will soon turn incident response into a push button function that can be performed by junior employees. The truth is that incident response is, and will continue to be, complicated and multifaceted and will require the attention of experienced security analysts.

Mature incident response is part of a continuum. The job of technology is not to replace human analysts, but to empower them to do more: respond to incidents with confidence, automate with intelligence, and collaborate with consistency. This mindset helps organizations prioritize incident response with a clear picture of the relationships between artifacts and incidents and store that organizational knowledge for later use.

Additionally, a mature cyber security incident response function can beget a larger, cultural transformation within your organization: integrating the security team more closely with IT operations and management and enlisting them in the process of responding to cyber incidents in a comprehensive way.

As incident response processes mature, organizations enter a phase of proactive response, in which information gleaned from incident response becomes strategic to an organization. With proactive response, intelligence from the incident response team can be fed back into the security and IT organization — shaping technology investments and acquisitions, sharpening employee skill sets, and broadening an organization’s understanding of risk to encompass a broader ecosystem of physical security assets and providers, threat intelligence providers, regulators and government agencies, and more.

While few companies — even within the Fortune 500 — have achieved this level of maturity, we expect the strategic application of incident response to become more common as more firms adopt security, orchestration automation and response platforms in the coming years.

Methodology

In order to gain a better insight into the possibilities for improvement of the product range, semi-structured interviews were conducted with 8 returning customers from the main target group of Company X.