The State of IT Automation: New Pressures Invite New Opportunities
Read Report
This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies and agree to our Privacy Policy.
Solutions Overview Discover how to accelerate time to value with purpose-built solutions for every IT function.
IT Operations Management Automate infrastructure provisioning, testing, incident resolution, proactive maintenance and more!
Network Operations Management See why Resolve is trusted to execute millions of automations every day on the most complex networks on the planet!
IT Service Desk Management Automate service desk requests, change management, and incident management — and power self-service options and chatbots!
Cloud Operations Rapidly Migrate to the Cloud, Auto-remediate Server and Application Issues, Deploy and Provision Systems, and Optimize Resources to Manage Costs
Autodiscovery & Dependency Mapping Get full-stack visibility into complex infrastructure, automate dependency mapping, and ensure your CMDB is always accurate.
Collaboration: The Key to Effective Security Incident Response
One of the common themes that we run into frequently is how IT and Security teams can work together more effectively, more specifically how can we avoid or minimize the friction introduced due to various process requirements needed for security incident response.
Avoid Creating Silos
From the Security team’s perspective, the primary goal is to be able to respond to security incidents as quickly as possible. In a complex infrastructure environment, this often involves coordinating with various IT teams to gather the necessary contextual information required to investigate and analyze security incidents. Once a course of action is identified by the analyst, again coordinating with the IT team to contain and remediate the incident. This back and forth between the Security and IT teams introduces significant delays to the secuirty incident response process, and can be a source of frustrations for both teams. Here is a an all too familiar scenario:
Security Team: “Is port 22 open on the firewall?” “Where is the traffic coming from?” “Which servers are the connections going to?”
IT Team: “Wouldn’t it be great if the security analysts can look this up themselves?”
Security Team: “Can you block the outbound command and control port 9999?”
IT Team: “Did you create a ticket? I’ll get to it as soon as I’m done with this critical outage.”
Enablement through Human-Guided Automations
A key method to minimize this overhead is to empower the Security Team with automation so that they can gather the necessary information and execute containment activities themselves without having to continually interrupt the IT teams, or more importantly be given direct access to the end systems and devices.
The Resolve incident response and automation platform allows both IT and Security teams to co-develop automations that can be leveraged by both teams to accelerate the process. These automations can be triggered by events, tickets, or be embedded within guided procedures that are initiated by the security analysts as they follow the set of instructions for a specific security incident response process. This also has the added benefit of empowering new analysts without needing them to become experts across all the systems and tools.
Do we really need two ticketing systems?
Looking deeper, a big part of the friction comes from how the workflow systems and tools are actually set up. Rather than helping accelerate the incident response process, they can often be the cause of additional overhead and work for the teams.
For example, many security teams would stand up a separate ticketing/workflow system for managing and tracking security incidents. Conceptually, this introduces a separate “mental model” that reinforces the perception that Security and IT are separate silos– “their ticket vs our ticket,” where analysts are required to swivel chair between the two systems to request and coordinate various activities.
I can understand the need for segregating the access controls and data from the existing IT tickets to ensure the privacy and integrity of the investigation records. However, simply introducing a parallel ticketing system inevitably takes us back to the old siloed operations teams for network management and server management. There is a better way.
Resolve Incident Response (IR) takes a different approach where our Security Response Investigation Records “augments” existing IT ticketing rather than introducing a competing concept. Resolve specifically avoids capabilities that should be centralized within the ticketing system (such as SLAs, routing, etc…) and focuses on feature gaps that is required for effective Security Incident Response such as:
Incident Response Workflow – ability to clearly define and track the status of IR activities for a specific incident types
Process Guidance – clear step-by-step instructions for IR activities that may involve complex analysis and machine-assisted decision support
Automated Situational Awareness – security events/alerts or tickets identified as a possible security incident can trigger the execution of automation to gather contextual details to provide more information about the incident
Human-Guided Automation – security analysts can initiate automation directly from the process guidance procedure and decision trees to accelerate the investigation, containment and remediation steps
By augmenting the existing IT ticketing system, you can avoid the natural tendency to re-invent all the associated tooling, integrations and reporting that you have already invested in. All the security investigation data, evidence and artifacts, are kept segregated and secure while still referring to the same ticketing system, collaboration, coordination and workflow.
A security incident is just an incident that has been identified as security impacting and requires an additional level of process and controls. It is not an excuse for a silo.
