Incident response can feel like a constant uphill battle, especially for those analysts who are on the front lines of the organization’s response, struggling every day to protect the organization’s resources and minimize risk from any potential security events. While there are some inherent challenges in incident response that will exist no matter the circumstances, it is the responsibility of security managers and executives to reduce or remove impediments to the incident response process as much as possible.

The goal of reducing or removing these impediments is two-fold. First and perhaps most obvious, any impediment means that the incident response process will be less effective in mitigating potential security incidents. This translates directly to incidents becoming more serious breaches and increased loss from these events. Second and equally important is job satisfaction for analysts. Incident response analysts typically possess a high drive and passion for their chosen career. Not being given the proper tools to perform a job can be demoralizing and cause the types of analysts you really want on your team to look elsewhere for career satisfaction.

With competition for skilled analysts as strong as ever, this is a real concern. This year’s SANS Incident Response Survey asked respondents several critical questions. The one most relevant to our topic today was “What do you believe are the key impediments to effective IR at your organization?” Unfortunately, the responses to this question continue to follow the same trends seen year after year. The top five impediments listed by respondents were:

What do you believe are the key impediments to effective IR at your organization? [i]

Shortage of staffing and skills - 56.8%

Lack of budget for tools and technology - 48.2%

Poorly defined processes and owners - 45.7%

Organizational silos between IR and other groups or between data sources and tasks - 28.6%

Lack of integration with our other security and monitoring tools - 26.6%

There are of course ways and means to overcome these challenges, and organizations today are increasingly turning to the capabilities of Security Orchestration, Automation and Response (SOAR) technology to help them. The good news is that DFLabs’ solution, IncMan SOAR, is purpose-built to solve these exact challenges, and enables security operations and incident response programs to tackle security events more efficiently and effectively than ever before.

Let’s take a look at these top five challenges in more detail and how a SOAR solution can help.

Shortage of staffing and skills

While IncMan cannot physically clone analysts, it can reduce the workload placed on analysts and provide assistance to entry-level analysts while they continue to build their skills. Automating and orchestrating the repeatable, mundane tasks which analysts must perform on a constant basis frees up analysts' time, allowing them to focus efforts on those tasks which actually require human intervention. As operations become more efficient, it allows security teams to move from a reactive, defensive approach to a more proactive and offensive approach to security.

Lack of budget for tools and technology

Automation and orchestration are about efficiency; the dramatic rise in their use is a direct result of the processes we have been using for years becoming increasingly inefficient and ineffective in today’s environment. Continuing down the path of completely manual activities has forced organizations to spend more money to compensate. Using existing human and technology resources more effectively through automation and orchestration allows organizations to achieve better overall results in a much more cost-effective way, freeing financial resources for other security projects.

Poorly defined processes and owners

Too many organizations follow loosely defined processes, or worse, each analyst follows their own process. One of the core components of automation and orchestration is the set of defined workflows used to respond to security events. IncMan’s Runbooks allow organizations to define and codify their existing processes into standard responses across the organization. Whether the response is completely automated, completely manual, or a combination of the two, each security event will have a clearly defined process to follow, with all stakeholders aware of their roles. IncMan also includes a completely customizable Knowledge Base section which allows organizations to document, among other things, related processes and procedures.

Organizational silos between IR and other groups or between data sources and tasks

Collaboration and the free flow of data are vital to successfully responding to a security incident. IncMan allows all users to collaborate during the response process and access incident data, while enabling incident managers to enforce strict role-based access controls for all participants. Users can access the intelligence gathered by other analysts, view the progress of all incident tasks, and even communicate in real time using IncMan’s internal messaging. Where giving stakeholders direct access to IncMan is not possible, IncMan also integrates with a wide variety of third-party ticketing, notification, and collaboration solutions, allowing bidirectional communication through these products.

Lack of integration with our other security and monitoring tools

Integration is at the heart of automation and orchestration. IncMan provides users with the ability to integrate disparate technologies, as well as to operationalize the integrated data to enable a more effective response. The Open Integration Framework (OIF) permits bidirectional integration with almost any solution, including non-security solutions. The OIF even allows users to create integrations of their own when one is not available from DFLabs, such as when an integration is needed with a home-grown application. IncMan does not just gather data from third-party solutions; through the use of automated Runbooks, IncMan allows data to pass seamlessly between third-party solutions to effect the most efficient incident response possible.

While incident response will never be a frictionless process, there are many things we can do to minimize impediments and provide analysts with the resources they need to be successful. Year after year, the same challenges are expressed by analysts across all verticals. While we have made many important strides in the past several years, it is clear that our current approach is not adequate to completely solve the challenges we are facing.

Register for our upcoming webinar on the topic “Tackling the Top 5 Incident Response Challenges with SOAR” on August 20 or schedule a personalized demo with DFLabs today to see how IncMan can help your organization solve some of these pervasive problems.

[i] Bromiley, M. (2019). SANS 2019 Incident Response (IR) Survey: It’s Time for a Change (p. 10, Rep.). SANS™ Institute.
