Building an IT incident response plan


The lock is going to get picked. Maybe not today, but it's coming soon. In fact, it may be happening right now, and you simply haven't seen the evidence yet. This scenario plays out against some of the best cybersecurity teams on earth. That's not a knock on you or your security team; security incidents are becoming more common everywhere. What will you do when the time comes?

This was the topic of discussion at a recent panel of government security officials that included representatives from the Office of the Director of National Intelligence, the Transportation Security Administration (TSA) and others. They offered insights and lessons learned in dealing with the escalating global threat environment.

How federal government cybersecurity teams prepare for incidents

The panelists agreed that a clear IT incident response plan has to be in place before the trouble starts. Of course, some plans are better than others. Nearly every IT organization has some kind of incident response plan, but for teams defending the United States against state-sponsored cyber attacks, the plans have to be far more robust.

Devising an effective IT incident response plan

What does it take to create an effective IT incident response plan? It goes far beyond just an academic exercise. It takes live practice. The Intelligence Community Coordination Center, which is part of the Office of the Director of National Intelligence, conducts cyber “war games” with its team. They simulate real cyberattacks and rehearse previously worked out responses to test reaction times and skills.

Of course, not everyone has the time and resources for this level of incident response planning, but the principles involved are universal. According to the panelists, the two elements most essential to effective incident response are speed and orchestration. To get ahead of a security incident, the response team has to move quickly and coordinate its actions efficiently, which is hard to sustain at scale without automation and orchestration of the response workflows and the systems they touch.

Speed and orchestration are the two essential elements of an effective response plan.

Awareness is a main component of speed in incident response. The time that elapses between noticing (and correctly interpreting) an alert and acting on it can make a critical difference in outcomes.

At the TSA, for example, their security operations center (SOC) is in constant contact with peer teams across the Department of Homeland Security. As Paul Morris, CISO of TSA noted, “If something happens, we know about it fairly quickly.” His SOC claims that they can scan their systems and discover any newly identified threat on TSA systems within five minutes.

The key task of any IT response plan is orchestrating people, processes and security systems. This is a task best performed with the assistance of a specialized security automation and orchestration (SAO) tool. An SAO solution like Swimlane automates IT incident response tasks.

How security automation and orchestration solutions enable effective IT incident response

A security automation and orchestration solution can be configured to execute the steps of a response plan that require coordination between systems. For instance, a security team can "teach" the SAO solution how to respond to specific types of alerts, so that the first minutes of the response run the same way every time, without waiting for a human to start them.

Imagine that a security information and event management (SIEM) tool correlates suspicious log activity from firewalls and network appliances and raises an alert. The SAO solution can be configured to receive that alert and react to it automatically. It can submit the alert's indicators to a threat intelligence platform for assessment while opening a Jira ticket for case management, and then notify the right people in real time.

Security automation and orchestration doesn’t replace team members in the IT incident response plan, but rather frees up their time for other high-level tasks.

As the panelists pointed out, though, orchestration does not take people out of the incident response workflow. Rather, security automation and orchestration frees team members for higher-level tasks that require more expertise and analytical focus. The SAO solution keeps the team informed of each step of the response plan as it executes. With Swimlane, the security analyst has a single interface presenting multiple incident case management information feeds for maximum context and decision-making efficiency.
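The following is an added example, not Swimlane code and not from the panel, showing what the playbook described in the two paragraphs above looks like when written down: a SIEM alert is ingested, its external IP indicators are enriched against a threat intelligence source, a ticket is opened and the on-call analyst is notified, and any containment step is queued behind an analyst approval gate rather than executed automatically. The threat intelligence table, ticketing system, notification channel and the sample firewall alert are all constructed stand-ins so the code runs offline; the RFC 1918 filter, the severity rules and the `SEC-n` ticket ids are assumptions of this example.

```python
"""SOAR-style playbook for a SIEM alert (added example, not a vendor's code).

Flow: ingest alert -> extract external IPs -> enrich via threat intel ->
open ticket -> notify on-call -> queue containment for analyst approval.
Threat intel, ticketing and notification are in-memory stand-ins (constructed).
"""
from dataclasses import dataclass, field
import ipaddress
import re
from typing import Dict, List

# Constructed threat-intel table standing in for a threat intelligence platform query.
THREAT_INTEL: Dict[str, dict] = {
    "198.51.100.23": {"malicious": True, "tags": ["c2"]},
    "203.0.113.77": {"malicious": False, "tags": ["cdn"]},
}
# RFC 1918 and loopback ranges (assumption): internal addresses are not sent to threat intel.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Alert:
    alert_id: str   # the SIEM's own id, used to de-duplicate re-fired alerts
    rule: str
    raw: str        # correlated log text as forwarded by the SIEM


@dataclass
class Case:
    alert_id: str
    severity: str
    indicators: Dict[str, dict]
    ticket_id: str
    notified: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)   # containment awaiting an analyst
    executed: List[str] = field(default_factory=list)


def extract_external_ips(text: str) -> List[str]:
    """Pull IPv4 indicators out of the alert text, dropping internal and malformed ones."""
    out = set()
    for token in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:          # e.g. 999.1.1.1 passes the loose regex but is not an address
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            out.add(str(ip))
    return sorted(out)


def enrich(ips: List[str]) -> Dict[str, dict]:
    """Look up each indicator; unknown indicators are recorded as unknown, not dropped."""
    return {ip: THREAT_INTEL.get(ip, {"malicious": None, "tags": []}) for ip in ips}


def triage(indicators: Dict[str, dict]) -> str:
    """Severity rule (assumption): any confirmed-bad IP is high; all-known-good is low."""
    verdicts = [v["malicious"] for v in indicators.values()]
    if any(v is True for v in verdicts):
        return "high"
    if verdicts and all(v is False for v in verdicts):
        return "low"
    return "medium"             # no indicators, or unknown ones: an analyst has to look


class Playbook:
    """Runs the alert-to-case workflow and holds the in-memory integrations."""

    def __init__(self, on_call: str = "soc-oncall@example.org"):
        self.on_call = on_call
        self.cases: Dict[str, Case] = {}        # keyed by SIEM alert id
        self.tickets: List[str] = []            # stand-in for the ticketing system
        self.notifications: List[str] = []      # stand-in for chat or pager

    def handle(self, alert: Alert) -> Case:
        if alert.alert_id in self.cases:        # SIEMs re-fire alerts; never open a second ticket
            return self.cases[alert.alert_id]
        indicators = enrich(extract_external_ips(alert.raw))
        severity = triage(indicators)
        ticket_id = f"SEC-{len(self.tickets) + 1}"
        self.tickets.append(f"{ticket_id} [{severity}] {alert.rule}")
        case = Case(alert.alert_id, severity, indicators, ticket_id)
        if severity != "low":
            self.notifications.append(f"{self.on_call}: {ticket_id} {severity} - {alert.rule}")
            case.notified.append(self.on_call)
        for ip, intel in indicators.items():    # containment is proposed, not executed
            if intel["malicious"]:
                case.pending_approval.append(f"block {ip} at perimeter firewall")
        self.cases[alert.alert_id] = case
        return case

    def approve(self, alert_id: str, analyst: str) -> List[str]:
        """An analyst approves the queued containment steps; they run and are logged to the ticket."""
        case = self.cases[alert_id]
        for action in case.pending_approval:
            case.executed.append(f"{action} (approved by {analyst})")
            self.tickets.append(f"{case.ticket_id} action: {action} approved by {analyst}")
        case.pending_approval = []
        return case.executed


# Constructed SIEM alert: two firewall log lines correlated into one alert.
SAMPLE_ALERT = Alert(
    alert_id="siem-0001",
    rule="Repeated outbound connections to a single external host",
    raw=("fw01 DENY 10.20.30.40 -> 198.51.100.23:443 x47 ; "
         "fw01 ALLOW 10.20.30.41 -> 203.0.113.77:443 x3"),
)

if __name__ == "__main__":
    pb = Playbook()
    case = pb.handle(SAMPLE_ALERT)
    print(case.ticket_id, case.severity, case.pending_approval)
    print(pb.approve(SAMPLE_ALERT.alert_id, analyst="analyst1"))
```

Two details carry the point of the surrounding text. The `handle` method is idempotent on the SIEM alert id, because a SIEM will often re-emit the same correlation and an automated playbook that opens a new ticket each time buries the analyst it was meant to help. And the firewall block is only queued: the automation does the enrichment and the paperwork in seconds, while the decision that actually changes production stays with a person.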

Swimlane's SAO solution can be adapted to the requirements of even the most demanding IT incident response plan. It is straightforward to implement, use, manage and scale, and it lets a security operations team draw on the capabilities of the security solutions it already owns. In addition to pre-built integrations with the most common security and project tracking tools, SecOps teams can quickly develop their own integrations using common scripting languages and a RESTful API.

Real-World Use Cases for SOAR e-book

Want to learn more about how you can use the Swimlane SOAR solution in your security operations? Download our 8 Real-World Use Cases for Security Orchestration, Automation and Response e-book to see how.
