Collaboration: The Key to Effective Security Incident Response
One of the common themes that we run into frequently is how IT and Security teams can work together more effectively, more specifically how can we avoid or minimize the friction introduced due to various process requirements needed for security incident response.
Avoid Creating Silos
From the Security team’s perspective, the primary goal is to be able to respond to security incidents as quickly as possible. In a complex infrastructure environment, this often involves coordinating with various IT teams to gather the necessary contextual information required to investigate and analyze security incidents. Once a course of action is identified by the analyst, again coordinating with the IT team to contain and remediate the incident. This back and forth between the Security and IT teams introduces significant delays to the secuirty incident response process, and can be a source of frustrations for both teams. Here is a an all too familiar scenario:
- Security Team: “Is port 22 open on the firewall?” “Where is the traffic coming from?” “Which servers are the connections going to?”
- IT Team: “Wouldn’t it be great if the security analysts can look this up themselves?”
- Security Team: “Can you block the outbound command and control port 9999?”
- IT Team: “Did you create a ticket? I’ll get to it as soon as I’m done with this critical outage.”
Enablement through Human-Guided Automations
A key method to minimize this overhead is to empower the Security Team with automation so that they can gather the necessary information and execute containment activities themselves without having to continually interrupt the IT teams, or more importantly be given direct access to the end systems and devices.
The Resolve incident response and automation platform allows both IT and Security teams to co-develop automations that can be leveraged by both teams to accelerate the process. These automations can be triggered by events, tickets, or be embedded within guided procedures that are initiated by the security analysts as they follow the set of instructions for a specific security incident response process. This also has the added benefit of empowering new analysts without needing them to become experts across all the systems and tools.
Do we really need two ticketing systems?
Looking deeper, a big part of the friction comes from how the workflow systems and tools are actually set up. Rather than helping accelerate the incident response process, they can often be the cause of additional overhead and work for the teams.
For example, many security teams would stand up a separate ticketing/workflow system for managing and tracking security incidents. Conceptually, this introduces a separate “mental model” that reinforces the perception that Security and IT are separate silos– “their ticket vs our ticket,” where analysts are required to swivel chair between the two systems to request and coordinate various activities.
I can understand the need for segregating the access controls and data from the existing IT tickets to ensure the privacy and integrity of the investigation records. However, simply introducing a parallel ticketing system inevitably takes us back to the old siloed operations teams for network management and server management. There is a better way.
Resolve Incident Response (IR) takes a different approach where our Security Response Investigation Records “augments” existing IT ticketing rather than introducing a competing concept. Resolve specifically avoids capabilities that should be centralized within the ticketing system (such as SLAs, routing, etc…) and focuses on feature gaps that is required for effective Security Incident Response such as:
- Incident Response Workflow – ability to clearly define and track the status of IR activities for a specific incident types
- Process Guidance – clear step-by-step instructions for IR activities that may involve complex analysis and machine-assisted decision support
- Automated Situational Awareness – security events/alerts or tickets identified as a possible security incident can trigger the execution of automation to gather contextual details to provide more information about the incident
- Human-Guided Automation – security analysts can initiate automation directly from the process guidance procedure and decision trees to accelerate the investigation, containment and remediation steps
By augmenting the existing IT ticketing system, you can avoid the natural tendency to re-invent all the associated tooling, integrations and reporting that you have already invested in. All the security investigation data, evidence and artifacts, are kept segregated and secure while still referring to the same ticketing system, collaboration, coordination and workflow.
A security incident is just an incident that has been identified as security impacting and requires an additional level of process and controls. It is not an excuse for a silo.