Enrich the Human Element in Incident Response

For decades, the cybersecurity industry has tried to remove the human element from security systems, through automation. And by and large, it’s worked well – automated prevention and detection tools (e.g. antivirus, networking monitoring, threat detection) have gone a long way in thwarting cyberattacks.

But with incident response (IR), it’s a different story.

Response is too complicated to be completely automated. Each network, attack, organisation, region, and security environment is different – and the decision-making process involved in incident response means that humans are still necessary.

It’s just the same in physical security – like in airports, for example. Technology and automation aids the security and screening processes – but during an incident, emergency response is always coordinated and controlled by people.

When creating incident response procedures, automation is a tool – and it needs to be deployed thoughtfully and carefully to speed and enrich the human response. But not replace it.

Where does automation fit into incident response?

Incident response is made up of four key components: preparation, assessment, management, and mitigation. In each phase, automation can play a critical role.

Prepare: Effective response requires provisioning for and preparing IR processes long before an incident occurs. Build out and document IR processes, practice response, and instrument the process to measure and improve response performance.

It’s also the time to build out – and, over time, increase – your automation capabilities. Start simply by automating incident creation or data collection, test these functions over and over until you’re sure your automated systems will work as desired every time. Look at the data you’re collecting. Can you do it faster, or smarter? Signal to noise can be a challenging problem.

Assess: Context is key in incident response. But for many, gathering insight about an incident involves logging into countless individual systems – a SIEM, networking monitor, or other source – extrapolating data in multiple formats, and compiling it into one. It’s a tedious and inefficient process – but it’s one that can be automated. Leveraging emerging technologies that allow you to integrate and interface with these various tools quickly, and compile information on specific incidents, can dramatically enhance your IR speed and effectiveness.

Manage: Incident response stretches across business functions – from IT and security, to legal, HR, marketing, and the C-suite. Ensuring everyone’s in the right place at the right time and knows precisely what to do is critical.

Thankfully, this task management and coordination can also be automated, systems can recognise a familiar threat and automatically launch response workflows. When dealing with substantial threats, the automation process can pass-up the decision to humans who decide how best to act.

Mitigation: Automation can be hugely helpful in increasing the speed and effectiveness of response – but it’s still human decision-making that’s most critical. IR teams can automate the process of quaranting infected machines, profiling targets, or blocking malicious IPs (and many mature IR teams do) – but it requires an extraordinary grasp on your environment, complex controls, and extensive testing to ensure your automated processes don’t inadvertently harm your business.

Leveraging automation effectively

Incident response is a continual process. Lessons learned at the completion of an incident should be used to inform and improve your preparation stage – starting the cycle all over again. Practice makes perfect – organisations can create “muscle memory” so they’re best prepared to handle the next situation quickly and effectively.

The same goes for automation – it’s all about preparation, assessment, and improvement. Identify the menial, tedious, and time-consuming tasks, and leverage automation to help make your IR team more strategic and effective responders. Then measure the impact. Work to ensure your automation processes are trustworthy and enrich your human decision-making, not play a part in designing them out.

What’s Hot on Infosecurity Magazine?