IBM Security White paper

Orchestrate incident response

Six steps to outsmart cyberthreats with security orchestration and automation.

Contents

• Today’s SOCs are overburdened

• Free your business to thrive with orchestration

• Key tactics: Cyberattack readiness checklist

• Making cyber resilience a reality: The six steps

• Orchestrated incident response: The solution in action

• IBM Security is here to help

Key points

• Orchestration is an ongoing effort.

• Simulate, simulate, simulate.

• Automation maximizes people power.

• Effective incident response requires leadership buy-in.


Today’s SOCs are overburdened

Around the world and across all markets and industries, today’s security operations centers (SOCs) are overwhelmed. Numerous factors contribute to this ubiquitous problem, but three issues lie at its heart: the increasing volume of cybersecurity incidents, the widespread shortage of qualified technology professionals and increasing enterprise complexity.

It isn’t just the high-profile data breach scenarios that are cause for alarm, although these attacks are some of the most serious threats that companies face. Malware and phishing attacks, everyday challenges to effective security monitoring and regulatory and compliance considerations are just some of the top concerns that IT and security professionals struggle with.

Every day, modern enterprises must contend with an array of specific cybersecurity challenges:

• The volume of security alerts and false positives is growing.

• Analyst time is consumed by reporting and metrics.

• Cyberattacks are especially complex and targeted.

• SOCs need to manage dozens of tools across multiple vendors.

• Incident response is still too manual and reactive.

• Privacy notification requirements are complex and time-consuming.

Incident response challenges are a large part of the problem

• 77% of organizations don’t have a proper incident response plan.¹

• 57% of security professionals say the average time to resolve a security incident has increased in the past 12 months.¹

• 42% of security professionals say their organizations ignore a significant number of security alerts because they can’t keep up with the volume.²

• 1.8M: the projected gap between available qualified cybersecurity professionals and unfilled positions by 2022.³

• $3.86M: the average cost of a data breach.⁴


Free your business to thrive with orchestration

The good news is that as a cybersecurity leader you can start solving these critical issues for your organization today and free your business to thrive both now and for the future. You can empower your security analysts with a comprehensive strategy that puts incident response (IR) processes and tools right at their fingertips when they need them most. How? By instituting a proactive incident response process that is built on the foundation of people, process and technology, you can enable IT and security teams to:

• Access the right information quickly and make the best decisions for stopping and remediating the attacks that threaten your business.

• Leverage automation to keep up with the volume of alerts, increasing the productivity of security analysts and technologies.

• Bridge the skills gap to conquer the speed and sophistication of modern cyberattacks.

• Implement dynamic playbooks to manage different threat types with people, process and technology.

The key components of intelligent, orchestrated incident response

Security orchestration is a constantly evolving process, not an out-of-the-box product you can implement one time, flip a switch and never worry about again. However, if you take the time and effort to build your incident response strategy on the following core capabilities, you’ll have a strong foundation for defeating cyberthreats today and tomorrow, with built-in methods for fostering continuous improvement over time.

Key elements of a winning IR plan

• Orchestration and automation

– Robust, dynamic incident response playbooks that adapt in real time as incidents unfold.

– Integration of your security information and event management (SIEM), incident response platform and other security solutions to enable automated incident escalation, enrichment and remediation.

– Automation of repetitive and time-consuming tasks.

• Human and artificial intelligence

– Codified expertise and intelligence from your top security staff and experts across the organization.

– Advanced threat intelligence and artificial intelligence to enhance incident investigation, unstructured data analysis and threat correlation.

– Collaboration with external security experts to augment your team for threat intelligence, analysis and investigations.

• Case management

– An established system of record for measuring and analyzing incident response processes and performance.

– Processes for applying learnings to IR plans as needs evolve.

– Augmentation of your team’s capacity and skillsets with security services.


Key tactics: Cyberattack readiness checklist

As you begin the journey toward a more streamlined SOC, you may uncover numerous issues that need addressing at each phase of the cyberattack lifecycle. Before you dive into this guide, here’s a contextual overview of the key capabilities you’ll need to implement as you create a holistic defense strategy.

The outcomes of orchestrated, automated incident response

Before an attack

• Prepare robust and automated IR workflows spanning people, process and technology.

• Use human and artificial intelligence to identify threats and anomalies early in the attack cycle.

• Build the right teams and help those teams develop, prepare and practice IR playbooks.

During an attack

• Guide security analysts through a fast, complete response and automate incident investigation and remediation.

• Apply artificial intelligence to rapidly investigate and triage threats.

• Quickly augment your team with on-demand IR experts. You need existing relationships and rapid access to the people who have the expertise to combat the threat.

After an attack

• Continually assess and refine IR processes.

• Continuously tune detection mechanisms based on lessons learned.

• Perform post-mortem analyses and improve IR processes on an ongoing basis.


Making cyber resilience a reality: The six steps

Cyber resilience is a fundamental component of an organization’s overall security posture. So what constitutes resilience and why is it such a valuable capability? Simply put, cyber resilience is the ability to prevent, detect and respond to cyberattacks while maintaining the core purpose and function of the enterprise. In other words, a cyber-resilient organization is “one that can prevent, detect and recover from a myriad of serious threats against data, applications and IT infrastructure.”¹

Ready to be prepared, responsive and resilient?

Follow these six steps to create a customized, integrated IR strategy that makes the most of orchestration and automation, human and artificial intelligence and case management. By answering the questions and completing the tasks on these checklists, you’ll be on your way to effectively conquering the threats you face both now and in the future.

Step 1

Know your enemy: Understand your threats, both internal and external

Internal priorities

• What skill sets do your security professionals currently have?

• Which skills do you need to add most urgently? To uncover gaps, it may be helpful to consider areas such as time to completion on individual tasks and workload balance.

External attacks

• What types of cyberattacks has your organization faced in the past? (Phishing, malware, botnet, ransomware, etc.)

• What types of threats are known to affect your industry in particular? (For example, healthcare organizations often see more ransomware attacks, and internet infrastructure companies are especially prone to DDoS attacks.)

• Are you too focused on certain types of threats and/or regulatory concerns (e.g., HIPAA or GDPR) which divert resources away from other vulnerabilities?

Privacy breach considerations

• What are your privacy obligations, including industry regulations, state/federal data breach laws and contractual agreements?

• Who needs to be notified, and what channels do you use to communicate the information?

• What is the time limit for notifications, and are you able to meet this requirement?


Step 2

Be prepared: Build a standard, documented and repeatable IR plan

• Do you have a codified IR plan, even if it is less effective than it needs to be at present?

• Do you lean on informal, ad hoc processes when unforeseen incidents occur?

• Does your security leadership prioritize incident planning, and do they involve other business units in the development and refinement of these processes?

• Do you have an established process for reviewing and improving incident playbooks?

Depending on your answers to the questions above, you may benefit from conducting an enterprise-wide workshop to overhaul your incident planning approach and establish the importance of effective IR in the minds of leaders from marketing, HR, legal, IT, customer service and other departments. External third-party entities, like business partners and vendors, can also be a part of the conversation. When all stakeholders truly understand the risks and benefits involved, they’ll be much more likely to contribute in meaningful ways to the building of a standard, documented and repeatable IR plan.

Resources like NIST, SANS and CERT can provide great frameworks for these conversations and plans, but your IR plans will ultimately need to be specific to your organization. A focused workshop can be effective for galvanizing leadership around the IR cause and getting input around their specific areas of expertise.

During an IR planning workshop, teams should work together under the guidance of security leadership to:

• Walk through specific incident scenarios.

• Map out the specific steps that need to be taken to resolve an incident throughout its lifecycle.

• Determine roles and responsibilities.

• Identify the key technologies and channels of communication to be leveraged during a response.

• Build processes around permissions and escalations.

By the end of these exercises and conversations, your team should have well-considered, repeatable and documented plans that can be centralized, followed by anyone on your team and continually improved over time.


Step 3

Keep improving: Proactively test and improve IR processes

Once you have a documented plan, you’ll need to test it. And test it. And test it again. One of the most effective ways to keep IR capabilities driving forward is running simulations in a dedicated, results-driven manner.

Here are some probing questions that will help you create the meaningful simulations that will prime your team’s response to any threat that emerges:

• Do you want to practice commonly seen incidents, or prepare for something unexpected? Both types are valid to explore.

• Are your simulations thoughtful and specific? Do they include important details your analysts will need to search for? Do they force your teams to think critically as opposed to ensuring that they can simply check the required boxes?

• Are your simulations measurable? Do they have specific goals with trackable metrics, such as time to completion and level of completeness?

• Are you scheduling repeat simulations to measure improvements and regressions?

• Do your simulations involve participants from all the relevant groups across the enterprise, such as HR, legal and marketing?

• As you practice, do these departments feel more confident that they have what they need to respond when incidents arise? Are you giving actionable feedback along the way?

• Do you have a process and an effective avenue for sharing the results of post-simulation analysis across the organization?

Step 4

Put data to work: Leverage tools, intelligence and data sources

When a cyberattack is underway, you need the ability to make quick, informed decisions and adapt to ever-changing information. Because incidents rarely emerge fully formed, your IR playbooks must be built to adjust as your investigations uncover more details. The most effective incident response platforms (IRPs) offer a central hub of control that integrates with your existing security technologies, pulls intelligence from the right data sources and automatically adjusts your playbooks as you investigate, isolate and remediate.

As you build your intelligent orchestration capability, look for these key components of your IRP:

• A central hub to process, track and resolve incidents.

• Seamless integration with security technologies such as SIEM and EDR.

• Enrichment of indicators of compromise (IOCs) with threat intelligence.

• Correlation of suspicious events using artifact visualization.

• Agile playbooks that update automatically as incident information is uncovered.

• Integration with ticketing systems and other technologies as needed.


Step 5

Get lean: Streamline incident investigation and response

Unfortunately, some incidents go undetected for weeks or months, giving cybercriminals an opportunity to establish a stronghold on a compromised network. The longer the infiltrators maintain access, the more difficult it becomes to isolate and remediate the threat.

One reason for this widespread problem is that many organizations rely on ad hoc processes for investigating even the most common cyber incidents, like phishing attacks on employees. Because of the skills gap, even organizations that have the right tools and technology still struggle to manage the volume of incidents, most of which pose a low level of threat.

Automation streamlines menial, repetitive tasks, which takes them off analysts’ plates so that humans can focus on what humans do best: think critically. With these tasks out of the way, your workforce is freed up to make strategic decisions about potentially catastrophic threats based on severity, context and protocol.

To find the right places to begin implementing automated solutions, the following questions are helpful:

• Which time-consuming, menial and inefficient tasks take up inordinate amounts of analysts’ time?

• Which tasks can most safely and reliably be automated?

• In which areas can you script manual actions while still keeping the necessary human decision-making and approval involved?

Once you pinpoint the initial areas where automation will be most impactful, you can use simulations and analysis to test the waters, make adjustments and then finally flip the switch for full automation in key areas.
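Steps 4 and 5 describe the same mechanics from two angles: a playbook that enriches IOCs with threat intelligence and derives its next steps from what enrichment actually confirms, and automation that takes the menial part of a phishing investigation off the analyst while keeping a human decision in front of anything that changes production. The Python below is an added example of that pattern, not code from this white paper or from IBM Resilient. The threat-intel table, the two reported messages and the action names are all constructed for illustration, and a real IRP would replace the dictionary lookup with its integrated intelligence sources.

```python
"""Minimal SOAR-style phishing playbook: extract, enrich, branch, gate."""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

# Constructed threat-intel table standing in for a TI feed lookup (assumption:
# an IRP would query its integrated intel sources here instead).
THREAT_INTEL = {
    "domain": {"payroll-update.example": {"score": 90, "tags": ["phishing"]}},
    "url": {"http://payroll-update.example/login": {"score": 95, "tags": ["credential-harvest"]}},
    "sha256": {},
}

# Constructed phishing report, shaped like what a mail gateway or a
# "report phish" button would hand to the incident response platform.
PHISH_REPORT = {
    "reporter": "alice@corp.example",
    "sender": "hr@payroll-update.example",
    "body": "Please confirm at http://payroll-update.example/login before Friday.",
    "attachments": [{"name": "form.pdf", "sha256": "a" * 64}],
    "recipients": ["alice@corp.example", "bob@corp.example"],
}

# Constructed benign report: an internal newsletter flagged by mistake.
BENIGN_REPORT = {
    "reporter": "bob@corp.example",
    "sender": "news@corp.example",
    "body": "This week's newsletter is at https://intranet.corp.example/news.",
    "attachments": [],
    "recipients": ["bob@corp.example"],
}


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Incident:
    iocs: dict
    enrichment: dict
    severity: Severity
    actions: list = field(default_factory=list)   # steps executed automatically
    pending: list = field(default_factory=list)   # steps waiting on an analyst
    closed: bool = False


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_iocs(report: dict) -> dict:
    """Pull URLs, domains and attachment hashes out of a reported message."""
    urls = set(URL_RE.findall(report["body"]))
    domains = {report["sender"].split("@", 1)[1].lower()}
    domains |= {re.sub(r"^https?://", "", u).split("/", 1)[0].lower() for u in urls}
    hashes = {a["sha256"].lower() for a in report.get("attachments", []) if a.get("sha256")}
    return {"url": urls, "domain": domains, "sha256": hashes}


def enrich(iocs: dict, intel: dict) -> dict:
    """Look every IOC up in the intel table and keep only the hits."""
    hits = {}
    for kind, values in iocs.items():
        for value in values:
            record = intel.get(kind, {}).get(value)
            if record:
                hits[value] = dict(record, kind=kind)
    return hits


def severity_from(hits: dict) -> Severity:
    """Severity follows the worst confirmed indicator, not the raw alert."""
    top = max((h["score"] for h in hits.values()), default=0)
    if top >= 80:
        return Severity.HIGH
    if top >= 40:
        return Severity.MEDIUM
    return Severity.LOW


def run_playbook(report: dict, intel: dict = THREAT_INTEL,
                 approve: Optional[Callable[[str], bool]] = None) -> Incident:
    iocs = extract_iocs(report)
    hits = enrich(iocs, intel)
    inc = Incident(iocs=iocs, enrichment=hits, severity=severity_from(hits))

    # Phase 1: safe to automate unconditionally (bookkeeping and notification).
    inc.actions += ["open-case", f"ack-reporter:{report['reporter']}"]

    if inc.severity is Severity.LOW:
        # Nothing confirmed by intel: close it and give the analyst the time back.
        inc.actions.append("close-as-benign")
        inc.closed = True
        return inc

    # Phase 2: containment derived from what enrichment confirmed, so the
    # playbook adapts to the evidence instead of following a fixed list.
    proposed = [f"block-domain:{v}" for v, h in hits.items() if h["kind"] == "domain"]
    proposed += [f"block-url:{v}" for v, h in hits.items() if h["kind"] == "url"]
    proposed += [f"purge-mailbox:{r}" for r in report["recipients"]]

    # Containment touches production mail flow, so each step is gated on a
    # human decision; with no approver wired in, it simply queues for review.
    for step in proposed:
        if approve is None:
            inc.pending.append(step)
        elif approve(step):
            inc.actions.append(step)
        else:
            inc.actions.append(f"declined:{step}")
    return inc


if __name__ == "__main__":
    print(run_playbook(PHISH_REPORT))
    print(run_playbook(BENIGN_REPORT))
```

The split between `actions` and `pending` is the point of the exercise: the phase-1 steps are the menial work Step 5 says to automate outright, while the phase-2 steps are the ones Step 5 says to script but keep behind human approval. The `approve` callback is where an analyst's one-click decision in the case-management UI would plug in, and the same playbook runs unchanged whether that approval is manual today or, after enough simulation runs have shown it is safe, automated later.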

Step 6

Come together: Orchestrate across people, process and technology

If you’ve completed the previous five steps, you now have the basis for an IR strategy that spans the foundational pillars of people, process and technology. To sum up, here are some key questions to help you stay focused and continue improving your ability to respond to incidents effectively across your enterprise.

People

• Have you ensured your IR team is well-coordinated and well-trained?

• Do they have the right skills to address all aspects of an incident’s lifecycle?

• Do they have the means for collaboration and analysis?

Process

• Do you have well-defined, repeatable and consistent IR plans in place?

• Are they easy to update and refine?

• Are you regularly testing and measuring them?

Technology

• Does your technology provide valuable insight and intelligence in a directed, actionable manner?

• Does it enable your team to make smart decisions and quickly act on those decisions?


Orchestrated incident response: The solution in action

Case study: How a pharmaceutical leader’s four global security teams work smarter, not harder

With the growing number of cyberattacks and increasingly complex IT environments, an intelligent incident response plan is more than just a set of instructions; it’s a dynamic foundation built on the alignment of people, process and technology. The result? Faster, smarter and more comprehensive incident response.

The challenge

The story of one IBM Resilient customer illustrates this point. The customer, a global pharmaceutical organization, faced a unique challenge: its four security teams around the world were managing enterprise-wide incidents with different processes. A new corporate policy was implemented to ensure correct handling of incidents by requiring the teams to be on the same system. Their previous response tool was not flexible enough to orchestrate the four teams and meet this request.

Lack of planning and orchestration led to a failed incident response that drew attention to the teams’ disorganization. Each of the four teams responded to a privacy incident simultaneously, and each team gave a different recommendation: restrict permissions so that only the forensics team had access, do nothing, pull the site down or delete the files. The responsible party simply followed the first recommendation he received instead of weighing each one. This disconnect made everyone else’s job harder and more complicated, and the incident was not resolved efficiently.

The solution

To fix the problem, the security team chose the IBM Resilient Incident Response Platform (IRP) to fully orchestrate their response. With 15 to 30 incidents to manage per day, approximately 5,000 in total that year, the four teams were routinely out of sync. The IBM Resilient IRP allowed these security teams to connect the humans in the loop with existing technologies and to create specific playbooks for incidents. Through Resilient, this organization was able to fully orchestrate the response process.

The results

Since implementing the IBM Resilient IRP, the customer has not only gained significant efficiencies when responding to incidents, they’ve also mitigated risks associated with manual user error. Resilient helps cut down on spelling mistakes and other important tactical concerns. The platform also gives their management sharper, more immediate visibility into the response process. The customer has also been able to leverage 10 key security tools that integrate with IBM Resilient, which has further streamlined the overall approach to keeping the organization secure in the face of threats.

All in all, the security team was able to cut a string of processes that once took 85 minutes down to just one or two minutes. Today, with orchestrated incident response, the organization’s security teams continually create synergies from the organization’s collective experience and intelligence.


IBM Security is here to help IBM Security helps you build an intelligent incident response plan with a unique combination of products and services:

• IBM Resilient: The industry’s leading orchestration and automation platform.

• IBM QRadar: Advanced security analytics and Watson AI.

• IBM X-Force® Incident Response and Intelligence Services (IRIS): World-class security expertise.

The IBM Security approach also integrates with a wide variety of other offerings and platforms, so it is easy to implement within your existing security ecosystem.


© Copyright IBM Corporation 2018

IBM Global Services Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America November 2018 All Rights Reserved

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

Sources

¹ 2018 Ponemon Institute Study on the Cyber Resilient Organization

² Security Alert Overload Threatens to Bury Security Teams

³ Frost & Sullivan, The 2017 Global Information Security Workforce Study: Women in Cybersecurity

⁴ 2018 Ponemon Institute Cost of a Data Breach Study

⁵ IBM Resilient: Intelligent Orchestration

⁶ IBM Study: Hidden Costs of Data Breaches Increase Expenses

240-21724-USEN

For more information, contact your Zones account manager, or call 800.408.ZONES.

