July 12, 2018 • Resolve Staffer

Whether you lead the IT, network, or security operations team for your organization, one thing is certain: staffing resources are scarce and the demands on your team are growing daily. How is your incident response plan keeping up with that demand given the staffing shortage?

Automation and orchestration technologies are evolving to meet the promise of working smarter, faster and more efficiently, despite the limited resources your team might be operating under. These technologies help lean teams prioritize and manage the manual, tedious, and time-consuming response to alerts coming in across the entire enterprise. And, since incident response and resolution often require members of different departmental teams, intelligent use of automation and orchestration can control the inefficiencies that would otherwise set in when multiple people and teams try to investigate and remediate the same incident.

Even with the growing necessity – and understanding – of the benefits automation and orchestration can bring to an organization, there are common questions that remain unanswered for everyone from the CIO to a level 1 analyst:

  1. Does everything that is going to be automated have to be automated at once?
  2. Does the full process need to be fully documented before there is any benefit from automation and orchestration?

Is your security operations team ready to take an agile approach to security incident response? Watch the webinar now to see how.

Trying to automate every incident and every step in your incident response workflow is as realistic as running before you can sit up. So, what is the most effective way to incorporate automation and orchestration into your organization? Take a bite-sized approach and evolve your incident resolution process as you go. There’s no need to apply the technologies to every step in a process or use case – you can be selective about what’s most pressing and impactful to your business, or about which initiatives match best with your goals and the organization’s priorities.

The 3 Stages of Evolution for Effective Incident Resolution

Even after embracing the idea of applying automation and orchestration in a staggered way, you still need guidance on where to begin. Here are three stages for implementing a bite-sized approach to automation:

Competition: Just Get Started

Common sense wins here. To get started, you need to just start, which means thinking about what’s going to bring not just quick results but the results that are most advantageous to your organization. Answer the following questions to find the map that says, “Start Here”:

  • What are your top business drivers and priorities?
  • What’s driving your strategies right now? Is it the need for risk management, overall growth, stronger ROI, or compliance with regulations like GDPR?
  • What are the metrics that matter? Could it be an increase in the number of incidents investigated, for instance? Improved response time and mean time to resolution (MTTR)? Cost management?

Selection: Analyze Your Incidents

Once you’ve started in a logical way, you’ll want to address the incidents with the highest impact, those most frequently encountered, those that take the longest to investigate and respond to, or a combination thereof. Set aside the top 5-10 incidents or use cases in those categories and begin your analysis. You’ll need to know which vendors and which types of systems are involved for these use cases. The more complex use cases will touch more systems as well as more teams, which brings us to the next step.
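The selection step above, and the MTTR metric from the questions in the previous stage, are easiest to apply against real ticket data rather than by gut feel. The following is an added example (not code from the original post or from Resolve) that takes a constructed, hypothetical set of closed incident tickets, computes per-use-case frequency and MTTR, and ranks use cases by a combined score of total analyst hours multiplied by impact, so the top of the list is where automation buys back the most time. The ticket categories, impact values and timestamps are all made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Ticket:
    use_case: str       # incident category, e.g. "phishing-report" (hypothetical names)
    opened: datetime
    resolved: datetime
    impact: int         # 1 (low) to 5 (critical), assigned by the team

    @property
    def hours_open(self) -> float:
        """Wall-clock hours from ticket open to ticket resolved."""
        return (self.resolved - self.opened).total_seconds() / 3600


def _t(day: int, hour: int, minute: int = 0) -> datetime:
    """Shorthand for a July 2018 timestamp in the constructed sample."""
    return datetime(2018, 7, day, hour, minute)


# Constructed sample data: not exported from any real ticketing system.
SAMPLE_TICKETS = [
    Ticket("phishing-report", _t(2, 9), _t(2, 11), 2),
    Ticket("phishing-report", _t(3, 14), _t(3, 17), 2),
    Ticket("phishing-report", _t(5, 8), _t(5, 9), 2),
    Ticket("phishing-report", _t(6, 10), _t(6, 12), 2),
    Ticket("malware-on-endpoint", _t(2, 13), _t(3, 1), 4),
    Ticket("malware-on-endpoint", _t(4, 16), _t(5, 4), 4),
    Ticket("account-lockout", _t(2, 8), _t(2, 8, 30), 1),
    Ticket("account-lockout", _t(2, 15), _t(2, 15, 30), 1),
    Ticket("account-lockout", _t(3, 9), _t(3, 9, 30), 1),
    Ticket("account-lockout", _t(4, 11), _t(4, 11, 30), 1),
    Ticket("account-lockout", _t(5, 13), _t(5, 13, 30), 1),
    Ticket("account-lockout", _t(6, 16), _t(6, 16, 30), 1),
    Ticket("suspicious-login", _t(3, 9), _t(3, 13), 3),
    Ticket("suspicious-login", _t(4, 10), _t(4, 16), 3),
    Ticket("suspicious-login", _t(6, 7), _t(6, 12), 3),
]


def summarize(tickets):
    """Per use case: frequency, total analyst hours, MTTR and the highest impact seen."""
    buckets = defaultdict(list)
    for t in tickets:
        buckets[t.use_case].append(t)
    summary = {}
    for name, group in buckets.items():
        total = sum(t.hours_open for t in group)
        summary[name] = {
            "count": len(group),
            "total_hours": total,
            "mttr_hours": total / len(group),
            "impact": max(t.impact for t in group),
        }
    return summary


def rank_candidates(tickets, top_n=10):
    """Rank use cases for automation by frequency x duration x impact.

    total_hours already folds frequency and time-to-resolve together, so the
    score is total_hours * impact. Returns [(use_case, score), ...] descending.
    """
    summary = summarize(tickets)
    scored = sorted(
        ((name, s["total_hours"] * s["impact"]) for name, s in summary.items()),
        key=lambda pair: pair[1],
        reverse=True,
    )
    return scored[:top_n]


if __name__ == "__main__":
    stats = summarize(SAMPLE_TICKETS)
    print(f"{'use case':22} {'count':>5} {'MTTR(h)':>8} {'hours':>6} {'impact':>6}")
    for name, s in stats.items():
        print(f"{name:22} {s['count']:>5} {s['mttr_hours']:>8.1f} "
              f"{s['total_hours']:>6.1f} {s['impact']:>6}")
    print("\nAutomation candidates, best first:")
    for name, score in rank_candidates(SAMPLE_TICKETS, top_n=5):
        print(f"  {name:22} score={score:.0f}")
```

In the constructed data the frequent-but-trivial lockouts land at the bottom even though they generate the most tickets, while the rare, long-running malware cases land at the top; a practitioner would swap in an export from their own ticketing system and tune the impact scale before trusting the ordering.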

Variation: Take a Multidisciplinary Approach

Incident response shouldn’t be performed in a vacuum. Even though our departments tend to work in silos, we’re much more effective when we take a more holistic approach to incident resolution.

After identifying the systems and assets affected by each use case, you’ll need to find their owners and work with them on the best ways to automate specific steps within each process. Cross-functional teams that understand each other’s workflows and have open conversations about goals and the most efficient methods of responding are the ones that will resolve an incident fastest. Make sure the various teams are sharing the information required to effectively reduce risk and accelerate resolution.

Security Incident Response reaches beyond the SOC to achieve resolution. Ready to work together? Read the White Paper now.

What’s Next?–Keep Evolving!

When evolving your incident resolution process, focus on competition (just getting started), selection of what to automate, and variation across the departments affected. Taking a bite-sized approach to automation and orchestration means you get value from the first automated use cases immediately, with the opportunity to refine them over time as you learn more about the use cases, incidents and actions that need to be taken. Gradual, focused implementation lets you educate your team and course-correct as needed. Soon you’ll be able to apply your new best practices and processes across the organization for the full benefits of orchestration and automation.

About the Author, Resolve Staffer:

This post was written by one of the awesome contributors on the Resolve team.