The role of automation in incident response
John Bruce, CEO & co-founder, Resilient Systems
Faster response can make all the difference when faced with a cyber threat. Getting there is an emerging priority for cybersecurity professionals, and organisations are still working to develop the expertise and best practices. Automation is becoming a trend as organisations see it as a way to become faster – but there are limits on using automation in IR.
One reason organisations struggle with IR is that it differs greatly from prevention and detection – two technology-based processes. With prevention and detection, organisations buy world-class tools that, in many instances, remove employees from the security process as much as possible.
Incident response is a different story.
A key difference in IR is that automation is not the goal – but an accelerator to rapidly achieve the goal of responding intelligently in record time. Human involvement is critical. The complexity of IR demands human decision-making: once a breach has taken place, the implications move beyond the network into legal ramifications, customer relations, marketing, and even board-level decisions.
Ultimately, it’s the same as physical security. Take airports, for example: prevention and detection are largely managed by technology such as metal detectors – but if there is an incident, emergency response is always coordinated and controlled by people, with technology playing a complementary role.
When creating IR procedures, automation is a tool. It needs to be deployed thoughtfully and carefully to speed and enrich the human response – not replace it. There are four components of incident response – preparation, assessment, management, and mitigation – and, when used appropriately, automation can play a critical role in each phase.
Preparation
Effective response requires provisioning for and preparing IR processes long before an incident occurs. Businesses should build out and document IR processes (playbooks), practice response, and orchestrate the process to measure and improve response performance.
It’s also the time to build out – and, over time, increase – automation capabilities. Organisations should start simply by automating incident creation or data collection, and test these functions over and over until they’re sure the automated systems will work as desired every time. Look at the data you’re collecting. Can you do it faster or smarter?
Assessment
Context is key in incident response. But for many, gathering insight about an incident involves logging into countless individual systems – a SIEM, a network monitor, or another source – extracting data in multiple formats, and compiling it into one report. It’s a tedious and inefficient process – but one that can be automated. Leveraging emerging technologies to integrate and interface with these various tools quickly and compile information on specific incidents can dramatically enhance IR speed and effectiveness.
Management
Incident response stretches across business functions – from IT and security, to legal, HR, marketing, and the C-suite. Ensuring everyone’s in the right place at the right time and knows precisely what to do is critical.
Thankfully, this task management and coordination can also be automated to a certain extent as systems can recognise a familiar threat and automatically launch response workflows. When dealing with substantial threats, the automation process can pass the decision to humans who decide how best to act.
Mitigation
Finally, this is where the human factor is irreplaceable. Automation can be helpful in increasing the speed and effectiveness of response – but it’s still human decision-making that’s most critical. IR teams can automate the process of quarantining infected machines, profiling targets, or blocking malicious IPs (and many mature IR teams do) – but it takes the human mind to put it all in context: an understanding of the environment and its complex controls, plus extensive testing to ensure that automated processes don’t inadvertently harm your business.
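The Assessment, Management and Mitigation sections above describe one pipeline: pull context about an alert from several sources into one record, let a well-tested workflow act on familiar, low-impact threats, and hand anything else to a person before containment runs. The following Python playbook is an added example written for this article, not code from Resilient Systems or the author. The SIEM alerts, asset inventory and threat-intel feed are constructed sample data embedded inline; the FAMILIAR_RULES set, the criticality threshold and the DryRunActuator (which records containment actions instead of executing them, in the spirit of the "test these functions over and over" advice under Preparation) are hypothetical stand-ins for the integrations a real team would wire in.

```python
"""Human-in-the-loop incident triage playbook (added example; constructed data)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# --- Constructed sample sources: stand-ins for a SIEM, a CMDB and a TI feed ---
SIEM_ALERTS = [
    {"id": "A-1", "rule": "known_malware_hash", "host": "ws-0117", "indicator": "203.0.113.10"},
    {"id": "A-2", "rule": "known_malware_hash", "host": "db-prod-01", "indicator": "203.0.113.10"},
    {"id": "A-3", "rule": "unusual_login_geo", "host": "ws-0042", "indicator": "198.51.100.7"},
]
ASSET_INVENTORY = {
    "ws-0117": {"owner": "sales", "criticality": "low"},
    "ws-0042": {"owner": "finance", "criticality": "medium"},
    "db-prod-01": {"owner": "platform", "criticality": "high"},
}
THREAT_INTEL = {"203.0.113.10": "known-c2"}  # 198.51.100.7 is unknown to the feed

# Hypothetical: rules whose automated response has been rehearsed and trusted
FAMILIAR_RULES = {"known_malware_hash"}


class Decision(Enum):
    AUTO_CONTAIN = "auto_contain"
    ESCALATE = "escalate_to_human"


@dataclass
class Incident:
    alert_id: str
    rule: str
    host: str
    indicator: str
    asset: dict
    intel: str
    decision: Optional[Decision] = None
    actions: List[str] = field(default_factory=list)


def enrich(alert: dict) -> Incident:
    """Assessment: gather context from each source into a single incident record."""
    return Incident(
        alert_id=alert["id"],
        rule=alert["rule"],
        host=alert["host"],
        indicator=alert["indicator"],
        asset=ASSET_INVENTORY.get(alert["host"], {"owner": "unknown", "criticality": "unknown"}),
        intel=THREAT_INTEL.get(alert["indicator"], "unknown"),
    )


def decide(incident: Incident) -> Decision:
    """Management: a familiar threat on a low-criticality asset may run the automated
    workflow; anything unfamiliar or with a large blast radius goes to a human."""
    familiar = incident.rule in FAMILIAR_RULES and incident.intel != "unknown"
    low_blast_radius = incident.asset["criticality"] == "low"
    incident.decision = Decision.AUTO_CONTAIN if (familiar and low_blast_radius) else Decision.ESCALATE
    return incident.decision


class DryRunActuator:
    """Stand-in for EDR / firewall integrations: records what would be done, does nothing."""

    def quarantine_host(self, host: str) -> str:
        return f"quarantine {host}"

    def block_indicator(self, indicator: str) -> str:
        return f"block {indicator}"


def run_playbook(alert: dict, actuator: DryRunActuator) -> Incident:
    """Mitigation: containment runs only after the decision step has allowed it."""
    inc = enrich(alert)
    if decide(inc) is Decision.AUTO_CONTAIN:
        inc.actions.append(actuator.quarantine_host(inc.host))
        inc.actions.append(actuator.block_indicator(inc.indicator))
    else:
        inc.actions.append(
            f"ticket opened for human review: {inc.alert_id} on {inc.host} "
            f"({inc.asset['criticality']} criticality, intel={inc.intel})"
        )
    return inc


def triage_all(alerts=SIEM_ALERTS, actuator: Optional[DryRunActuator] = None) -> List[Incident]:
    """Run the playbook over a batch of alerts; defaults to the dry-run actuator."""
    actuator = actuator or DryRunActuator()
    return [run_playbook(a, actuator) for a in alerts]


if __name__ == "__main__":
    for inc in triage_all():
        print(inc.alert_id, inc.decision.value, inc.actions)
```

With the constructed data, only A-1 (a known indicator on a low-criticality workstation) is contained automatically; A-2 hits the same indicator on a production database and A-3 is an unfamiliar rule with no intel match, so both are escalated with their enrichment attached. Swapping DryRunActuator for a real integration is the last step, taken only once the decision logic has been exercised repeatedly against recorded alerts.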
The nature of incident response means that it is not a wholly technological process – the best practice for incident response is to align people, process, and technology. IR teams must work to ensure that automation processes are trustworthy and enrich human decision-making, rather than designing it out.