SOC Capability Area #16) Response Action Management

#16 on our list of “Top 20” SOC Capability Areas, Response Action Management, is one of the hottest topics in cyber security operations today. Primarily, because both sides, defenders and attackers, are looking for greater efficiencies and faster response times as digital conflict continues to scale to unprecedented levels. 

Response Action Management

Before considering capabilities that support Response Actions, it is important to identify exactly who (e.g., Security Operations, Network Operations, the affected system owner, etc.) will actually take these actions. It should not be assumed that Security Operations will always take the action.

Regardless of who responds, the simplest of capabilities in this area include remote access tools (such as SSH, RDP, psexec, VNC, etc.) that support direct manual intervention. Network Operations will likely also have a range of commercial systems and network management capabilities (e.g., IPMI compliant tools such as Dell's iDRAC, HP's iLO, Oracle’s ILOM, etc.) to support direct manual action. But manual responses can quickly overload Analysts and Operators, so automation capabilities should be considered.

The “Security Automation and Orchestration” (SAO) marketplace of solutions has grown out of the need to automate vetted, pre-approved incident responses to familiar, recognizable attacks and compromises. However, there is considerable ambiguity and inflated expectations today regarding the practicality and effectiveness of such solutions. Automating security actions has been the core theme behind several earlier generations of security technologies; including vulnerability auditing and automated patching (which has evolved into DevSecOps today), signature-based anti-virus and anti-malware, intrusion detection/prevention systems (IDS/IPS), and most recently endpoint detection and response (EDR) solutions.

The need is obvious – take the human “out of the loop” to both accelerate the response (reducing Mean-Time-To-Respond or MTTR), and address significantly more issues and/or incidents per hour. However, such automation capabilities are inherently based on a set of unspoken assumptions that do not always hold true:

  • First, that these are familiar, “commodity” situations, automatically recognizable by the deployed sensors and detection capabilities (either signature or anomaly based).
  • Second, that the circumstances are well-understood in advance and false positives can be easily avoided or at least minimized.
  • Third, that an appropriate response can be identified in advance and pre-programmed into automation rules.
  • Fourth, that applying an automated response in real time is not going to result in further, more significant impact to the organization’s business and users.
  • And lastly, that Security Operations has the actual authority to decide on and apply a response.

Automated response capabilities are very useful, but are not a panacea, need regular maintenance, and are most useful for “commodity” incidents. When dealing with situations that are less familiar, involving more “novel” adversary techniques and tactics, automation becomes a great deal more challenging.

It should not be surprising that threat actors are aggressive early adopters of such automation capabilities, specifically to test their own malware and to practice their tactics against them. Some have become very effective at using both evasion and deliberate distraction techniques to subvert such automated controls to their own benefit. The “novelty” situations that such advanced attackers create often demand experienced human intervention and intuition to better comprehend what is happening and what the appropriate set of response actions should be.

Learn More

This article barely scratches the surface of the need for Response Action Management capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.

Contact us if you'd like help identifying and selecting Response Action Management capabilities to support your own Security Operations efforts.