One of the common themes that we run into frequently is how IT and Security teams can work together more effectively, more specifically how can we avoid or minimize the friction introduced due to various process requirements needed for security incident response.
From the Security team’s perspective, the primary goal is to be able to respond to security incidents as quickly as possible. In a complex infrastructure environment, this often involves coordinating with various IT teams to gather the necessary contextual information required to investigate and analyze security incidents. Once a course of action is identified by the analyst, again coordinating with the IT team to contain and remediate the incident. This back and forth between the Security and IT teams introduces significant delays to the secuirty incident response process, and can be a source of frustrations for both teams. Here is a an all too familiar scenario:
A key method to minimize this overhead is to empower the Security Team with automation so that they can gather the necessary information and execute containment activities themselves without having to continually interrupt the IT teams, or more importantly be given direct access to the end systems and devices.
The Resolve incident response and automation platform allows both IT and Security teams to co-develop automations that can be leveraged by both teams to accelerate the process. These automations can be triggered by events, tickets, or be embedded within guided procedures that are initiated by the security analysts as they follow the set of instructions for a specific security incident response process. This also has the added benefit of empowering new analysts without needing them to become experts across all the systems and tools.
Looking deeper, a big part of the friction comes from how the workflow systems and tools are actually set up. Rather than helping accelerate the incident response process, they can often be the cause of additional overhead and work for the teams.
For example, many security teams would stand up a separate ticketing/workflow system for managing and tracking security incidents. Conceptually, this introduces a separate “mental model” that reinforces the perception that Security and IT are separate silos– “their ticket vs our ticket,” where analysts are required to swivel chair between the two systems to request and coordinate various activities.
I can understand the need for segregating the access controls and data from the existing IT tickets to ensure the privacy and integrity of the investigation records. However, simply introducing a parallel ticketing system inevitably takes us back to the old siloed operations teams for network management and server management. There is a better way.
Resolve Incident Response (IR) takes a different approach where our Security Response Investigation Records “augments” existing IT ticketing rather than introducing a competing concept. Resolve specifically avoids capabilities that should be centralized within the ticketing system (such as SLAs, routing, etc…) and focuses on feature gaps that is required for effective Security Incident Response such as:
By augmenting the existing IT ticketing system, you can avoid the natural tendency to re-invent all the associated tooling, integrations and reporting that you have already invested in. All the security investigation data, evidence and artifacts, are kept segregated and secure while still referring to the same ticketing system, collaboration, coordination and workflow.
A security incident is just an incident that has been identified as security impacting and requires an additional level of process and controls. It is not an excuse for a silo.
Catch up on some of our most popular Automation and AIOps resources from 2020.