This post was originally published on the Recorded Future blog on May 30, 2018.
Incident response is, by definition, a reactive discipline.
After all, you can’t respond to an incident that hasn’t happened yet.
But this reactivity can (and often does) go much too far. An incident response team that becomes completely reactive can easily become overwhelmed by the sheer volume of incoming security alerts.
When this happens, the team is no longer able to respond promptly to serious threats, and a great deal of cyber risk goes unmanaged.
Thankfully, there’s a better way.
It Doesn’t Start With an Alert
Think about the typical incident response lifecycle. For most organizations, it looks something like this:
- Incident detection: Typically from a SIEM, EDR, or some similar technology.
- Discovery: Finding out what’s happened and deciding how to respond.
- Triage: Taking quick action to block the threat and minimize damage.
- Remediation: The main body of “fixing work,” repairing damage, removing infections, etc.
- Push to BAU: Passing the incident on to “business as usual” teams for final actions.
Do you see the problem here?
This process is practically designed to be completely reactive. As soon as the volume of incoming alerts or incidents reaches a certain level, stress is guaranteed.
To ensure your incident response team doesn’t become overwhelmed, two functions are necessary:
- Preparation — If an incident response team can identify the most commonly faced threats in advance, they can develop strong, consistent processes to cope with them. This preparation is essential because it dramatically reduces the time taken to contain individual incidents, guards against mistakes, and frees up analysts to cope with new or unexpected threats when they arise.
- Prioritization — All threats are not made equal. Incident response teams must understand which threat vectors pose the greatest level of risk to their specific organization so they can allocate their time and resources accordingly.
The Intelligent Response
To effectively prepare for and prioritize security incidents, incident response teams need to answer a series of questions. For starters:
- Which threats are most likely to arise?
- What could be the impact of each threat vector on our organization?
- How can we respond effectively to each threat vector?
- What technologies and processes need to be in place to minimize cyber risk?
- How will we know when new threats or vulnerabilities arise and what risk they pose?
To answer all of these questions, one key ingredient is required: intelligence.
Threat intelligence helps incident response teams develop a detailed understanding of the threat landscape, and how their organization fits into it. In combination with internal data, this helps them map out the most common or likely threats to arise, along with their potential impact. In turn, this facilitates the development of a strong response infrastructure and repeatable processes.
At the same time, powerful threat intelligence provides insights in real-time, enabling incident response teams to make informed decisions on how to respond to the latest cyber threats and trends.
Put simply, threat intelligence helps incident response teams be more proactive in their response — handling incidents faster, more effectively, and in order of the risk they pose.
For any discipline that requires personnel to make regular decisions, it’s important to keep in mind the factors that can help or hinder the decision-making process. All three of the following factors can have a profound effect on the quality and timeliness of any decision:
- Lack of empirical data
- Too much poor quality or irrelevant data
- Decision fatigue
For incident response, it’s easy to imagine how the existence or lack of these factors will play out. When analysts are swamped with huge quantities of data and forced to separate the relevant from the useless on their own (as they often are), decisions will inevitably be slow, and sometimes inaccurate.
But that isn’t the analysts’ fault.
If those same analysts were provided with more accurate, relevant, and concise intelligence, they would consistently make faster, better decisions.
And this phenomenon isn’t unique to incident response. Give those same advantages to your security operations personnel, vulnerability management team, or even your security leaders, and they will, in turn, make faster, more informed decisions with less decision fatigue.
To find out how threat intelligence can empower personnel throughout your security function, download our free white paper, “Busting Threat Intelligence Myths: A Guide for Security Professionals.”