Proactive Incident Response

As a Boy Scout, you’re trained to be prepared – always in a state of readiness in mind and body to do your duty. And for many of us in cybersecurity, a sense of duty is what drew us to the industry in the first place. What happens when the mind and body are at the ready, but you don’t have the right approach or tools to carry out your duty as you know you can and should?

Fifty-nine percent of incident response (IR) pros say the organizations they work with follow a reactive approach to IR, according to the recent Quarterly Incident Response Threat Report (QIRTR) from Carbon Black. It’s awfully hard to truly be prepared with a reactive approach…you have to wait for the event to happen first!

The result of this approach is that security operations teams find themselves on their heels when a serious incident strikes. In those instances, mistakes are more likely to be made and response is likely to take longer than necessary.

As organizations evolve to take a more proactive approach to incident response, security orchestration and automation platforms are a good option for creating the foundation and structure necessary for effective and efficient IR.

Effective Incident Detection Leads to Decisive Incident Response

Before your SOC can set its incident response process into motion, there needs to be an effective method to accurately identify real threats. The average SOC gets thousands of alerts per day, and weeding out false positives to focus on actual threats can be challenging. With a security orchestration platform in place, your ecosystem of security technologies can work together to deliver vital context that lets your team know where their focus is most needed.

As an example, you can use your EDR solution to help diagnose and triage incoming SIEM alerts through context that answers some key questions:

What is the endpoint’s role in the organization?
Where is it located?
Is the sensor enabled?
What is the OS?
Is the host virtualized?

With security orchestration and automation, these details are gathered automatically and presented to your security team, enabling analysts to assess the priority of an alert, quickly close false positives and clearly identify which security events should trigger your incident response process. This helps drive down mean time to detect (MTTD), which, combined with a proactive incident response plan, also leads to a faster mean time to respond (MTTR).
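As an added example (not code from the original post or from Carbon Black), the following Python sketch shows what that enrichment step looks like once it is codified: it answers the five questions for the alert's host from an EDR-style inventory and turns the answers into a score and a disposition. The inventory, the SIEM alerts, the role weights and the thresholds are all constructed for the demonstration; a real playbook would fetch the context from the EDR API.

```python
"""Enrich a SIEM alert with EDR host context and decide a triage disposition.

Added example, not code from the original post or from Carbon Black. The
inventory, the SIEM alerts and the scoring weights are constructed for the
demonstration; a real playbook would fetch the context from the EDR API.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for an EDR asset inventory, keyed by hostname.
EDR_INVENTORY = {
    "fin-db-01": {"role": "database server", "location": "DC-East",
                  "sensor_enabled": True, "os": "Windows Server 2019", "virtualized": True},
    "lab-kiosk-7": {"role": "lab kiosk", "location": "Office-3F",
                    "sensor_enabled": False, "os": "Windows 10", "virtualized": False},
}

# Constructed weights: how much a host's role raises the priority of an alert on it.
ROLE_WEIGHT = {"domain controller": 50, "database server": 40, "workstation": 10, "lab kiosk": 5}
UNKNOWN_ROLE_WEIGHT = 20

ESCALATE_AT = 80      # assumed thresholds on the combined score
INVESTIGATE_AT = 50


@dataclass
class TriageResult:
    hostname: str
    context: Optional[dict]
    score: int
    disposition: str                       # "escalate", "investigate" or "close"
    reasons: list = field(default_factory=list)


def enrich_alert(alert: dict, inventory: dict = EDR_INVENTORY) -> TriageResult:
    """Answer the role/location/sensor/OS/virtualization questions for the
    alert's host and turn the answers into a score and a disposition."""
    host = alert["hostname"]
    ctx = inventory.get(host)
    if ctx is None:
        # Unknown to the EDR: nothing to triage against, so never auto-close it.
        return TriageResult(host, None, 0, "investigate", ["host not in EDR inventory"])

    reasons = [f"role={ctx['role']}", f"location={ctx['location']}",
               f"os={ctx['os']}", f"virtualized={ctx['virtualized']}"]
    score = int(alert.get("severity", 0))            # SIEM severity 0-100 as the base
    score += ROLE_WEIGHT.get(ctx["role"], UNKNOWN_ROLE_WEIGHT)

    if not ctx["sensor_enabled"]:
        # No sensor means no endpoint telemetry to confirm or refute the alert,
        # so a quick close is not safe; raise the score instead of lowering it.
        score += 20
        reasons.append("EDR sensor disabled: no endpoint telemetry available")

    target_os = alert.get("target_os")
    if target_os and target_os.lower() not in ctx["os"].lower():
        # The signature cannot apply to this OS: a confident false-positive close.
        reasons.append(f"signature targets {target_os} but host runs {ctx['os']}")
        return TriageResult(host, ctx, score, "close", reasons)

    if score >= ESCALATE_AT:
        disposition = "escalate"
    elif score >= INVESTIGATE_AT:
        disposition = "investigate"
    else:
        disposition = "close"
    return TriageResult(host, ctx, score, disposition, reasons)


if __name__ == "__main__":
    # Constructed SIEM alerts.
    for alert in [
        {"hostname": "fin-db-01", "severity": 50, "rule": "suspicious_powershell"},
        {"hostname": "lab-kiosk-7", "severity": 30, "rule": "dirtycow_exploit", "target_os": "Linux"},
        {"hostname": "ghost-99", "severity": 90, "rule": "beaconing"},
    ]:
        r = enrich_alert(alert)
        print(f"{r.hostname}: {r.disposition} (score {r.score}) - {'; '.join(r.reasons)}")
```

The one rule that closes an alert outright is the OS mismatch, because it is the only answer here that makes the signature impossible rather than merely unlikely; a disabled sensor raises the score rather than lowering it, since it removes the telemetry you would need to close the alert safely.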

Applying Security Orchestration for Proactive Incident Response

The QIRTR identifies six steps for taking a more proactive approach to incident response. Of those, security orchestration has a significant impact on the first four:

Have an incident response plan in place
Communicate and notify
Know your legal requirements
Visibility is key
Hunt quietly
Regular checkups + multi-factor authentication

Let’s take a closer look at each.

Proactive incident response plan

For effective incident response, your entire security team needs to know what steps to take and when. This means having a clear, documented plan that is periodically tested through simulations to assess its effectiveness and continuously improve it.

One of the key benefits offered by security orchestration platforms is the ability to codify your incident response plans into consistent, repeatable playbooks. This eliminates reliance on tribal knowledge and allows for the application of automation. Security incidents are stressful enough for SOC teams who are prepared and on the same page, let alone those who start from scratch with every incident. Playbooks provide security teams with a single source of truth to turn to in this high-pressure situation.

Security orchestration and automation solutions can also act as a training platform and test bed to run simulations and evaluate your processes before encountering a live incident.

Communicate and notify

Managing an incident means identifying and informing the right stakeholders so that the relevant parties come to the table quickly. Many security orchestration platforms can act as a central workbench, or hub, for SOC and incident response teams. Working from a single platform, one that also provides the auditing and documentation proactive incident response demands, makes it easier to collaborate on containing the incident, coordinate the team and allocate resources.

Additionally, some platforms have dedicated war rooms that can be used to include stakeholders outside of security operations – like legal, HR and corporate communications – to manage incident response holistically across the entire organization.

[Image: security orchestration incident response war room]

Know your legal requirements

GDPR, state-specific guidelines and compliance regulations add a layer of complexity for security operations organizations. Building the necessary reports to satisfy these requirements can be time-consuming and takes analyst resources away from the vital work of addressing future threats.

Because security orchestration gives your team a complete picture of an incident, it can also help your team do the necessary postmortem and reporting to satisfy legal requirements. Some security orchestration and automation platforms offer automated reporting that provides a snapshot of the security incident as well as a summary of the playbooks applied and remediation steps taken.
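To make the playbook idea from the plan section concrete, here is an added example (not from the original post or from any orchestration vendor) of a plan codified as an ordered list of steps, together with the audit trail and the plain-text report that the postmortem and compliance reporting described here rely on. The step actions are stand-ins that update an in-memory incident record rather than calling EDR, identity or ticketing APIs; the step names, conditions and report format are assumptions.

```python
"""Run a codified incident response playbook and keep an audit trail for the report.

Added example, not code from the original post or any orchestration vendor.
The step actions are stand-ins that update an in-memory incident record
instead of calling EDR, identity or ticketing APIs; the step names,
conditions and report format are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class Incident:
    incident_id: str
    hostname: str
    user: str
    facts: Dict[str, object] = field(default_factory=dict)   # what we know so far
    audit: List[dict] = field(default_factory=list)          # every step, in order


@dataclass
class Step:
    name: str
    action: Callable[[Incident], dict]
    # Skip the step when this returns False; the default is "always run".
    condition: Callable[[Incident], bool] = lambda inc: True


def run_playbook(name: str, steps: List[Step], incident: Incident,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> Incident:
    """Execute the steps in order, recording done/skipped/failed for each.
    A failed step stops the playbook: running later steps after a failed
    containment step would only make the record misleading."""
    incident.audit.append({"event": "playbook_started", "playbook": name,
                           "at": clock().isoformat()})
    for step in steps:
        entry = {"step": step.name, "at": clock().isoformat()}
        if not step.condition(incident):
            entry["status"] = "skipped"
            incident.audit.append(entry)
            continue
        try:
            result = step.action(incident)
        except Exception as exc:             # any failure is recorded, then we stop
            entry.update(status="failed", error=str(exc))
            incident.audit.append(entry)
            break
        incident.facts.update(result)
        entry.update(status="done", result=result)
        incident.audit.append(entry)
    return incident


def step_statuses(incident: Incident) -> Dict[str, str]:
    """Map step name -> status; the first thing a postmortem reader checks."""
    return {e["step"]: e["status"] for e in incident.audit if "step" in e}


def incident_report(incident: Incident) -> str:
    """Plain-text snapshot: the incident, which steps ran and what each did."""
    lines = [f"Incident {incident.incident_id}: host {incident.hostname}, user {incident.user}"]
    for e in incident.audit:
        if "step" not in e:
            lines.append(f"{e['at']} {e['event']} ({e['playbook']})")
        elif e["status"] == "failed":
            lines.append(f"{e['at']} {e['step']}: FAILED {e['error']}")
        else:
            lines.append(f"{e['at']} {e['step']}: {e['status']} {e.get('result', '')}".rstrip())
    return "\n".join(lines)


# Stand-in actions (assumed): each would be an API call on a real platform.
def isolate_host(inc: Incident) -> dict:
    return {"host_isolated": True}

def disable_user(inc: Incident) -> dict:
    return {"user_disabled": inc.user}

def collect_triage_package(inc: Incident) -> dict:
    if not inc.facts.get("sensor_enabled"):
        raise RuntimeError("no EDR sensor on host; cannot collect remotely")
    return {"triage_package": f"{inc.hostname}-triage.zip"}

def notify_legal(inc: Incident) -> dict:
    return {"legal_notified": True}


# A codified plan: the same steps, in the same order, every time.
RANSOMWARE_PLAYBOOK = [
    Step("isolate_host", isolate_host,
         condition=lambda inc: bool(inc.facts.get("sensor_enabled"))),
    Step("disable_user", disable_user),
    Step("collect_triage_package", collect_triage_package),
    Step("notify_legal", notify_legal,
         condition=lambda inc: bool(inc.facts.get("regulated_data"))),
]


if __name__ == "__main__":
    inc = Incident("INC-1042", "fin-db-01", "svc_backup",
                   facts={"sensor_enabled": True, "regulated_data": True})
    run_playbook("ransomware-v3", RANSOMWARE_PLAYBOOK, inc)
    print(incident_report(inc))
```

A step that fails stops the run and is recorded as failed; the later steps never appear in the audit trail, which is exactly what a reviewer needs to see to know the plan was not completed.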

With the collaboration capabilities mentioned above, you can give legal and GRC stakeholders real-time visibility into an incident and capture their input to inform decision making, in a way that is audit-friendly.

Visibility is key

IT environments are notoriously complex and many organizations do not have a reliable view of all the assets they manage and secure. Security orchestration serves an important unification function across your ecosystem of security tools, and can be the key to having clear visibility and context as you respond to incidents. Security orchestration platforms lend visibility in a variety of ways:

Looking at other alerts that may have relevance to the one currently under investigation
Providing clear intelligence to help understand bigger-picture indicators as well as external context
Providing clear context for your assets, user accounts, IOT devices and more
Understanding past occurrences that can inform the current alerts being worked

Utilizing all available information and having it presented to analysts in a clear, usable way ensures that the security team has all the data needed to perform deep analysis and determine the best incident response approach rapidly.
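The first and last items in the list above, related alerts and past occurrences, are the easiest to automate. The following added example (not from the original post) does both over a constructed in-memory alert history; an orchestration platform would query the SIEM and case-management system instead, and the field names are assumptions.

```python
"""Give an analyst the bigger picture around one alert: related alerts in the
same window and past occurrences of the same rule on the same host.

Added example, not code from the original post. The alert history is a
constructed in-memory list; an orchestration platform would pull it from
the SIEM and case-management system. Field names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed alert history (UTC timestamps), as a SIEM export might look.
ALERTS = [
    {"id": "a1", "ts": "2024-03-01T08:00:00", "host": "ws-042", "user": "jdoe",
     "rule": "credential_dump", "status": "closed", "disposition": "false_positive"},
    {"id": "a2", "ts": "2024-03-02T08:05:00", "host": "ws-042", "user": "jdoe",
     "rule": "credential_dump", "status": "closed", "disposition": "false_positive"},
    {"id": "a3", "ts": "2024-02-10T14:00:00", "host": "ws-099", "user": "bob",
     "rule": "credential_dump", "status": "closed", "disposition": "true_positive"},
    {"id": "a4", "ts": "2024-03-05T09:30:00", "host": "ws-017", "user": "jdoe",
     "rule": "new_admin_login", "status": "open", "disposition": None},
    {"id": "a5", "ts": "2024-03-05T09:45:00", "host": "ws-042", "user": "jdoe",
     "rule": "suspicious_powershell", "status": "open", "disposition": None},
    {"id": "a6", "ts": "2024-03-05T10:00:00", "host": "ws-042", "user": "jdoe",
     "rule": "credential_dump", "status": "open", "disposition": None},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def related_alerts(target, alerts, window=timedelta(hours=24)):
    """Other alerts within +/- window that share the target's host or user."""
    t0 = _ts(target)
    return [a for a in alerts
            if a["id"] != target["id"]
            and abs(_ts(a) - t0) <= window
            and (a["host"] == target["host"] or a["user"] == target["user"])]


def past_occurrences(target, alerts):
    """Earlier alerts from the same rule on the same host, oldest first."""
    t0 = _ts(target)
    hits = [a for a in alerts
            if a["id"] != target["id"] and a["rule"] == target["rule"]
            and a["host"] == target["host"] and _ts(a) < t0]
    return sorted(hits, key=_ts)


def visibility_summary(target, alerts=ALERTS):
    """Everything the analyst should see next to the alert, plus the caveats."""
    related = related_alerts(target, alerts)
    past = past_occurrences(target, alerts)
    prior_fp = sum(1 for a in past if a["disposition"] == "false_positive")
    hosts_for_user = {a["host"] for a in related if a["user"] == target["user"]} | {target["host"]}
    open_related = [a for a in related if a["status"] == "open"]

    notes = []
    if past and prior_fp == len(past):
        notes.append(f"{prior_fp} earlier {target['rule']} alerts on this host were closed as false positives")
    if open_related:
        # The history says "benign", the window says "busy": do not let the first win by default.
        notes.append(f"{len(open_related)} other open alerts in the window share this host or user; do not auto-close")
    if len(hosts_for_user) > 1:
        notes.append(f"user {target['user']} appears on {len(hosts_for_user)} hosts in the window")
    return {"related": [a["id"] for a in related],
            "past_same_rule_host": [a["id"] for a in past],
            "prior_false_positives": prior_fp,
            "hosts_for_user": sorted(hosts_for_user),
            "notes": notes}


if __name__ == "__main__":
    for line in visibility_summary(ALERTS[-1])["notes"]:
        print(line)
```

The caveat in the notes is the point: two earlier false positives on the same rule do not justify auto-closing the new alert when the same user is active on a second host and there are other open alerts in the window.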

By channeling our inner Boy Scouts and taking a more proactive approach to incident response enabled by security orchestration, we can help our security operations teams more quickly, effectively and consistently identify and respond to threats.

A version of this piece was originally published on the Carbon Black blog.