SOC Capability Area #14) Incident Response (IR) Workflow

At #14 on our list of “Top 20” SOC Capability Areas are Workflow capabilities for managing Incident Response, including documentation, tracking, escalation, collaboration, and integrated search. Basic workflow is the foundational capability for both incident response and more advanced digital forensics (DFIR), so we treat it as an independent topic area. (The complex topic area of Digital Forensics is discussed separately.) Larger, more established Security Operations teams eventually demand more advanced Case Management capabilities, which we’ll cover in a follow-on article.

Incident Response (IR) Workflow

This capability area should be very familiar even to practitioners who are completely new to the world of Security Operations. The excrement has hit the rotary ventilator (an incident has been detected) and there’s an immediate sense of urgency to initiate a response.


It’s worth acknowledging that in most environments, events and alerts that could initiate an "incident" occur literally all day, every day. It is often difficult and time-consuming to determine which are truly urgent, which can wait, and which can be ignored. The decision support capabilities described in previous articles will help to prioritize which incidents get attended to first, or at all. But once an incident (even a simple vulnerability) has been detected, some type of formal incident response workflow will likely be initiated.


New Security Operations teams typically begin here with a traditional set of “Ticketing” capabilities. These support identifying and labeling the event, assigning and/or escalating it, capturing specific details related to it, (automatically) identifying its potential business impacts, (automatically) identifying relevant Countermeasures that may be applied, and tracking progress as the workflow and associated response actions unfold over time. When just getting started, many teams use spreadsheets and templates to track their growing list of incidents. While expedient and cheap, this file-based approach is one that most teams will outgrow very quickly. The most common next step is to simply use the organization’s Help Desk solution for managing the fundamental workflow of incident response.


However, traditional Help Desk ticketing applications eventually prove less than effective at supporting the broad and highly dynamic Collaboration demands of more mature Security Operations workflows. This is where teams begin to look at more purpose-built Case Management systems that handle incidents like complex investigative Cases. A recent trend has been to introduce chat solutions to simplify and accelerate collaboration across the team, as well as with non-Security Operations staff.


The next major hurdle that teams typically run into is the need for Integration of the many independent databases and forensic analysis tools required to support the mainstream workflow of incident response. This has given rise to a large but niche commercial marketplace of solutions, as well as a range of mature and feature-rich open source solutions. The broad adoption of chat-based collaboration has in turn given rise to chatbot technology that provides an almost seamless chat-based interface to incident creation and tracking, and to the query/search front ends of many of these databases and DFIR tools. The dynamic chat collaboration brings this chatbot approach a step beyond simply using native CLIs from within scripts.


Today’s market landscape of both open source and commercial IR workflow capabilities provides Tier 1 Analysts with most of these capabilities, with the notable exceptions of automated business impact assessment and automated countermeasure identification and evaluation. The costly and painful business challenges of Analyst ramp-up time, burnout, and turnover could all be reduced to some extent if IR capabilities provided features to support immediate and automatic business impact and countermeasure identification and evaluation.

Learn More

This article barely scratches the surface of the need for Incident Response Workflow capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.


Contact us if you'd like help identifying and selecting Incident Response (IR) Workflow capabilities to support your own Security Operations efforts.
