What is incident response?

Incident response is an organization's systematic reaction to an information security breach attempt.


Incident response explained

A security breach can cripple operations, cause data leaks, damage a company's reputation and create regulatory complications. For threats that get past defenses, organizations need the tools and know-how to respond quickly and effectively. Unfortunately, most organizations rely on ad hoc processes for investigating even straightforward cyber incidents such as phishing attacks on employees. Only 26% of organizations have an enterprise-wide incident response plan, according to the fourth annual “The Cyber Resilient Organization,” as summarized in “Cyber Resilience Study: Incident Response Plans and Security Automation Set High Performers Apart” (link resides outside of ibm.com). And because of the skills gap, even organizations with the right tools and technology might struggle to find enough people to manage the deluge of incidents efficiently.

As organizations add integrated data and threat intelligence sources to their incident response efforts, the opportunities to orchestrate responses in a sophisticated way grow, starting with the automation of low-level and repetitive tasks. Three driving challenges stand out: incident volume, unfilled jobs and tool complexity.

Incident volume
The volume of cybersecurity incidents is increasing. Cybersecurity professionals report that security alert volume has grown over the past two years, and that their organizations ignore a significant number of security alerts because they cannot keep up with the volume.¹

Skills gap
Security teams are struggling to fill open positions. 500,000 cybersecurity jobs remain unfilled across the industry as of 2020.²

Tool complexity
Teams are managing a complex security environment with a dizzying number of disconnected tools. According to ESG, 35% of organizations use 26 or more disparate technologies from as many as 13 vendors for security analytics and operations (ESG Global, SOAPA: Unifying SIEM and SOAR with IBM Security QRadar and IBM Security Resilient).

Organizations can counter their challenges in three key ways:

  1. Build incident response processes that are consistent, repeatable and measurable, rather than ad hoc.
  2. Make communication, coordination and collaboration an organization-wide priority.
  3. Use technology that helps the response team do their jobs faster and more accurately.


What are security incidents?

A security incident occurs when an entity attempts to gain unauthorized access to an organization's data or infrastructure, or otherwise violates its security policy, putting sensitive information at risk. Attackers, whether inside or outside the organization, are the primary source of these attempts. They are a threat because they can target any vulnerability in the infrastructure, using a variety of techniques, at any time.

Five common types of security incident are distributed denial-of-service (DDoS) attacks, malware, ransomware, phishing and insider threats.

DDoS attack

A DDoS attack is an attacker's attempt to overwhelm a target application, service or network by bombarding it with a high volume of requests from many sources at once, so that legitimate traffic can no longer get through.

Malware and ransomware

Malicious software, or malware, is software created to damage, disrupt or gain illegitimate access to a client, computer, server or computer network. Ransomware, a form of malware, encrypts a victim's data or files and threatens to destroy or withhold them unless a ransom is paid for the key needed to decrypt them and restore access.

Phishing

Phishing is a fraudulent attempt, usually by email, to obtain sensitive information while masquerading as a reputable entity or person. It leverages human emotion to create a sense of urgency and elicit a reaction. Since phishing is ubiquitous in work environments, it is a constant threat, ranking as the top infection vector in the IBM X-Force Threat Intelligence Index 2020.

Insider threats

Insider threats come from users who have authorized and legitimate access to a company's assets and either deliberately or accidentally abuse it. Insiders typically know where an organization's sensitive data lives and have elevated levels of access, whether or not they have malicious intentions.

Logging security data

How exactly are attempts recognized as potential threats and therefore considered security incidents?

Security incidents can only be recognized if the underlying activity was logged in the first place, so comprehensive log collection is the foundation of detection. Any organization's centralized log collection and security event detection should include, but not be limited to, the following log sources:

Internal data collection

  • Firewalls
  • Routers and switches
  • Intrusion prevention systems (IPS)
  • Netflow systems
  • Web filters
  • Data loss prevention (DLP) systems
  • Email servers and spam filters
  • Servers, database management systems and applications
  • Endpoints
  • Physical security systems
  • Environmental control systems
  • Proxies
  • Wireless access points
  • Vulnerability scans

External data collection

  • Vendor security advisories: Mature manufacturers of hardware and software products publish their security advisories to warn their customers about threats and solutions, usually in the form of patches, but sometimes in other forms of remediation.
  • Open-source security advisories: Organizations such as MITRE and Secunia publish threat information. Sometimes these advisories are released earlier than manufacturers' advisories.
  • Law enforcement and news media: Larger law enforcement organizations such as the U.S. Department of Homeland Security and the Federal Bureau of Investigation publish advisories to the public or trusted parties.
  • Commercial solutions: Threat intelligence feed sources, including IBM X‐Force Exchange, are available in the form of advisories and electronic feeds.

Analyzing security data

There's a lot more to prevention, detection and response than storing gigabytes or petabytes of log data. It must be analyzed in real time, so actual threats can be immediately identified, allowing personnel to respond and stop the threat.

One effective means of detecting threats is to observe systems and networks for anomalies. Long-term observation of system behavior and network traffic creates a baseline of normal activity for a threat detection program. Whenever something appears on a system or the network that has not been seen before, the threat detection application generates an alert so personnel can investigate and take action. One caveat: a baseline learned while an attacker is already present will treat that attacker's activity as normal, so the history used for baselining should itself be reviewed.

Anomalies can be discovered through automated rules and specific search criteria; the point is to identify significant deviations from the baseline in how users, hosts and applications behave. The rules or criteria can also flag the number of network connections an application opens, the amount of data transferred between internal and external IP addresses, or logins at unusual hours or from unusual locations. All of these conditions warrant investigation.

Tying it all together with SIEM and SOAR

A security information and event management (SIEM) system is the core of every threat management environment. Ingesting gigabytes or terabytes of log data each day, a SIEM collects log data from every kind of system and device. It helps a security analyst team detect anomalies and trends that may be early indicators of attack reconnaissance, attempted or successful exploitation of vulnerabilities, command and control, or data exfiltration. It performs real-time analysis and correlation to quickly alert personnel to unwanted activity in the environment that requires priority attention. When an alert is confirmed as a security incident, the SIEM escalates it to a security orchestration, automation and response (SOAR) tool for the incident response team to investigate and remediate.

Incident response automation

Automation is a useful method of streamlining menial, repetitive tasks so that your team can work faster and prioritize higher-value alerts. Used within a broader incident response orchestration strategy, automation can make a security team more efficient and free it to make strategic decisions.

For example, in a malware outbreak, a suspicious sample detected on one endpoint can be automatically retrieved and submitted to an analysis sandbox or next-generation threat detection platform to observe and classify. Based on the outcome of that analysis, other automated and manual processes can be queued up:

  • Identifying other infected hosts on the network and requesting permission to quarantine them
  • Identifying a vulnerability associated with that malware infection
  • Scheduling emergency patches to vulnerable systems or firing off requisite notifications to internal staff or external monitors.

And, at each stage, requests, responses and actions can be documented for future reference. However, while technology-based automation saves time, it is only as effective as the overall incident response function it serves within an orchestrated incident response strategy.
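As an added example of the malware-outbreak playbook just described (not code from the original page or from any IBM product), the script below wires the three queued steps together with an approval gate for the disruptive action and an audit trail of every decision. The sample bytes, hostnames, file-hash inventory, sandbox verdict table and the patch identifier "PATCH-HYPOTHETICAL-01" are all constructed placeholders; in a real SOAR integration the verdict would come from the sandbox, the inventory from the EDR platform and the approval from an analyst.

```python
"""Malware-outbreak playbook: automated steps, a human approval gate and an audit trail.

Added example, not code from the original page or from any IBM product.
The sample files, hostnames, file-hash inventory, sandbox verdict table and
the patch identifier "PATCH-HYPOTHETICAL-01" are all constructed placeholders.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-ins for a sample pulled from an endpoint.
MALICIOUS_SAMPLE = b"constructed malicious payload"
BENIGN_SAMPLE = b"constructed benign installer"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Stand-in for the sandbox / next-generation detection platform: a fixed
# verdict table instead of a real detonation service.
SANDBOX_VERDICTS = {
    sha256(MALICIOUS_SAMPLE): "malicious",
    sha256(BENIGN_SAMPLE): "benign",
}

# Constructed endpoint inventory: hashes each host has executed and the
# patches it is still missing (placeholder identifier).
INVENTORY = {
    "ws-01": {"hashes": {sha256(MALICIOUS_SAMPLE)}, "missing_patches": {"PATCH-HYPOTHETICAL-01"}},
    "ws-02": {"hashes": {sha256(MALICIOUS_SAMPLE), sha256(BENIGN_SAMPLE)}, "missing_patches": set()},
    "ws-03": {"hashes": {sha256(BENIGN_SAMPLE)}, "missing_patches": {"PATCH-HYPOTHETICAL-01"}},
    "srv-01": {"hashes": set(), "missing_patches": set()},
}

# Constructed mapping from a malicious hash to the patch that closes its infection vector.
PATCH_FOR_HASH = {sha256(MALICIOUS_SAMPLE): "PATCH-HYPOTHETICAL-01"}


def run_playbook(sample, inventory, approve_quarantine, patch_for_hash, verdicts, notify):
    """Classify the sample, then queue follow-up actions; every decision is recorded."""
    audit = []

    def record(stage, **detail):
        audit.append({"time": datetime.now(timezone.utc).isoformat(), "stage": stage, **detail})

    digest = sha256(sample)
    verdict = verdicts.get(digest, "unknown")
    record("classify", sha256=digest, verdict=verdict)
    summary = {"verdict": verdict, "infected": [], "quarantined": [],
               "patch": None, "patch_targets": [], "audit": audit}
    if verdict != "malicious":
        record("close", reason="sample not malicious; no automated action taken")
        return summary

    # Step 1: find other hosts that have seen the same sample; quarantine only
    # with approval, so an analyst stays in the loop for disruptive actions.
    summary["infected"] = sorted(h for h, inv in inventory.items() if digest in inv["hashes"])
    for host in summary["infected"]:
        approved = bool(approve_quarantine(host))
        record("quarantine_request", host=host, approved=approved)
        if approved:
            summary["quarantined"].append(host)

    # Step 2: map the malware to the vulnerability it exploits, expressed here
    # as the patch that closes it.
    patch = patch_for_hash.get(digest)
    summary["patch"] = patch
    record("vulnerability_lookup", patch=patch)

    # Step 3: schedule emergency patching on every host still exposed, then notify staff.
    if patch:
        summary["patch_targets"] = sorted(h for h, inv in inventory.items()
                                          if patch in inv["missing_patches"])
        for host in summary["patch_targets"]:
            record("patch_scheduled", host=host, patch=patch)
        notify(f"Emergency patch {patch} scheduled on: {', '.join(summary['patch_targets'])}")
        record("notified", audience="internal staff")
    return summary


def demo():
    """Run the playbook with a constructed approval policy: ws-02 needs manual review."""
    notifications = []
    summary = run_playbook(MALICIOUS_SAMPLE, INVENTORY,
                           approve_quarantine=lambda host: host != "ws-02",
                           patch_for_hash=PATCH_FOR_HASH, verdicts=SANDBOX_VERDICTS,
                           notify=notifications.append)
    return summary, notifications


if __name__ == "__main__":
    result, sent = demo()
    for entry in result["audit"]:
        print(entry)
    print(sent)
```

Two design points carry over to real playbooks: the quarantine step asks for approval per host rather than acting on its own, because isolating the wrong machine is itself an outage; and the audit list is appended to on every branch, including the early exit for a benign verdict, so the record answers "what did the automation do and why" after the fact.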

Three sets of questions, covering the people, process and technology building blocks, help gauge how well an incident response function is prepared:

People

  • Have you ensured your incident response team and stakeholders are well-coordinated and well-trained?
  • Do they have the right skills to address all aspects of an incident's lifecycle?
  • Do they have a means for collaboration and analysis?

Process

  • Do you have well-defined, repeatable and consistent IRPs in place?
  • Are they easy to update and refine?
  • Are you regularly testing and measuring them?

Technology

  • Does your technology provide valuable insight and intelligence in a directed fashion?
  • Does it enable your team to make smart decisions and quickly act on those decisions?

How a basic incident response plan works

How do organizations respond when serious cyber threats or incidents occur? Although security incident response is a well-known process, many organizations are underprepared for even minor incidents. As part of incident response orchestration, they need an effective incident response plan (IRP).

Here are some standard incident-response-plan steps organizations go through:

Step 1: Early detection
A security incident occurs, and the system detects it. The SIEM platform triggers an alert and escalates it to the incident response team.

Step 2: Analysis
Analysts responding to the alert study the indicators of compromise associated with the incident to determine whether it is legitimate. They often study precursors, too, to see whether they are related. To build a complete picture of the suspected incident, analysts might run further tests, triage threats and filter out false positives.

Step 3: Prioritization
Analysts seek to understand the incident's effect on the organization's capability to continue processing critical information and its effect on the data's integrity and confidentiality. Prioritizing an incident helps teams understand how to manage resources in subsequent steps.

Step 4: Notification
First, incident responders notify appropriate personnel within the organization. If necessary, the organization notifies external parties, such as customers, business partners, regulators, law enforcement or the general public. Typically, the decision to inform any external party rests with a senior executive.

Step 5: Containment and forensics
Incident responders take steps to stop the incident from spreading and limit its damage, for example by isolating affected hosts or disabling compromised accounts. They also collect and preserve forensic evidence (memory, disk images, logs) for further investigation and possible future legal proceedings; because containment actions such as rebooting or reimaging can destroy that evidence, capture it before or alongside those actions, not afterwards.

Step 6: Recovery
Incident responders remove malware (eradication) from affected systems, rebuild systems, recover from backups, patch systems and take steps to return to normal operations and prevent similar incidents from recurring.

Step 7: Incident review
To prevent the incident's recurrence and improve future responses, security staff review the steps that led to the incident's detection and response and identify its root cause. They identify what went well and look for opportunities to improve systems, tools, processes and personnel training, including remediation and mitigation recommendations.

What is incident response orchestration?

Incident response orchestration requires three foundational blocks: trained people, proven processes and integrated technologies. Orchestration aligns the right people, process and technology, so that incident response analysts understand who is responsible for which tasks, when tasks need to be done and how to do them. People—in the form of a computer security incident response team (CSIRT)—can include human resources, legal and public relations personnel.

Orchestration empowers security analysts by putting incident response processes and tools right at their fingertips. They can access important incident information in an instant, make accurate decisions and take decisive action. Automation within that technology raises the productivity of analysts and of the other tools they rely on, easing both the skills gap and the alert volume.

The following principles help in building a robust incident response function for orchestration. Note: orchestration applies differently to each organization. It should map to the organization's unique threat landscape, IT and security risk assessments, and company priorities.

Understand threats
Know which kinds of incident the organization is most likely to face (see section: What are security incidents?) and map the incident response function to the organization's own threat landscape and risk assessments rather than to a generic template.

Build an IRP
Surveys indicate that insufficient planning and preparedness is still the single biggest barrier to cyber resilience today. It is perhaps not surprising, then, that most organizations don't have a proper IRP in place. The plan should be standardized, documented and repeatable. See section: How a basic incident response plan works.

Test and improve processes
Cyber adversaries are continually striving to gain new advantages, and cybersecurity teams need to make staying ahead of them a priority. So, teams must proactively test and improve incident response processes to meet and exceed the organization's security needs.

Use threat intelligence
Cybercriminals are working together, collaborating and sharing information across the dark web. Security professionals should be working together, too. Use and contribute to external sources like vendor and open-source security advisories, law enforcement and news media, and commercial solutions.

Streamline incident investigation and response
With ad hoc processes, cyber incidents can go undetected for weeks or months, allowing malicious actors to establish a beachhead on compromised networks that can be difficult to remove. So, organizations should automate. To begin with automation, streamline time-consuming, menial and inefficient tasks that take up excessive amounts of analysts' time and can be safely and reliably automated.

Orchestration supports and optimizes the human-centric elements of cybersecurity. It creates a context for better decision-making, and it empowers analysts as they're central to security operations. It enables the incident response team by ensuring the humans in the loop know exactly what to do when a security incident strikes and have the processes and tools they need to act quickly, effectively and correctly.


Incident response solutions

Nearly three-quarters of organizations don't have a consistent, enterprise-wide cybersecurity incident response plan. Yet organizations with incident response teams and testing had an average data breach cost USD 2 million lower than those with no team and no plan testing. IBM can help orchestrate your incident response to unify the organization in the event of a cyberattack.

Incident response services

Get the security protection your organization needs to improve breach readiness with an incident response retainer subscription from IBM Security. When you engage with our elite team of IR consultants, you have trusted partners on standby, in place before a cybersecurity incident is even suspected, to help reduce the time it takes to respond to an incident, minimize its impact and help you recover faster.

Security orchestration, automation and response (SOAR)

Threat detection is only half of the security equation. You also need a smart incident response to the growing volume of alerts, multiple tools and staff shortages. Accelerate incident response with automation, process standardization and integration with your existing security tools with IBM.

Managed detection and response services

With the growing number of laptops, desktops and remote workers, sophisticated cybercriminals have even more open doors to your organization. From these entry points, they can often proceed deep and unnoticed. IBM delivers a turnkey, 24x7 threat prevention, detection and fast response capability, fueled by threat intelligence and proactive threat hunting to identify and remediate advanced threats.

Protect from ransomware

Recent attacks are much more sophisticated versions of typical malware. They take advantage of leaked exploits, using strong encryption. Are you safe from ransomware attacks? IBM can help protect your organization's data from ransomware threats that can hold it hostage.

Threat intelligence services

Poor intelligence quality, lack of trust and minimal integration with other data sources and organizations create challenges in the ability to glean actionable insight to thwart cyber attacks. IBM global intelligence experts can guide clients with industry-leading analysis.

¹ "ESG Technical Review: Respond Analyst - The Virtual Security Analyst", Jack Poller, Enterprise Strategy Group, February 24, 2020 (link resides outside of ibm.com).

² CyberSeek (link resides outside of ibm.com).