As the rate of cybersecurity incidents grows, security teams are looking for all the help they can get to prevent, detect and respond to attacks. Many organizations are understaffed in the field of incident response, and according to a recent study by the SANS Institute, more than 50% of respondents stated that key impediments to effective incident response were staffing and skill shortages. With these kinds of challenges facing the security community, organizations are looking for more effective ways to address the growing number of attacks.
One way security teams can help actively defend their environments and respond to targeted attacks is through the use of incident response tools. Some of these cybersecurity tools focus on the endpoint, others are network security platforms and still others are specialized products that can analyze malware or provide automation capabilities.
There has been significant growth in integration for more streamlined detection from alerts and threat intelligence and incident response. Specialized skills and security functions, like digital forensics and malware reverse engineering and analysis, are also becoming more prevalent, along with cutting-edge techniques, like deception as an early warning and insider threat detection control. There are many commercial incident response tools available, and there are plenty of open source varieties as well. Here, we examine several incident response product categories and list examples of leading tools and open source options.
Security information and event management (SIEM) and analytics
SIEM and security analytics tools can ingest vast amounts of security, application, and operations log and event data. These incident response tools then process this data and correlate the values to provide security insight.
This article is part of
They offer real-time alerting and deep analysis capabilities, which enable security analysts to investigate specific events or series of events to help determine whether an investigation is warranted. For most security operations teams, the SIEM or analytics platform is the primary tool they use to monitor events and behaviors within the environment, as well as to analyze events and potentially initiate incident case tickets.
Exabeam Security Management Platform
Components include Data Lake, Cloud Connectors, Advanced Analytics, Entity Analytics, Threat Hunter and Incident Responder. Some of the products can augment an existing SIEM product from other providers. The suite is geared toward larger, more mature organizations and offers both on-premises and IaaS deployment options.
IBM QRadar Security Intelligence Platform
This family of products includes QRadar SIEM, QRadar Vulnerability Manager to correlate vulnerability management data, and QRadar Network Insights to add context for network flow data and user behavior analytics (UBA), forensics and automation modules. The core SIEM product is available both on premises and as SaaS.
LogRhythm NextGen SIEM Platform
Available as an on-premises appliance or cloud service, the LogRhythm platform includes options for native network monitoring, agents for integration of endpoint security events and specialized UBA functionality with deep analytics processing.
RSA NetWitness Platform
NetWitness incorporates network, logging, endpoint, UBA and orchestration components to provide a complete analysis engine. This is primarily a large-scale product for more mature enterprises with skilled and dedicated analysts. Security pros can deploy NetWitness as an appliance both on premises and in most IaaS environments.
Splunk Security Intelligence Platform
Splunk Enterprise, Splunk Enterprise Security, Splunk UBA and Splunk Phantom constitute the combined suite, but only the first three products support SIEM and analytics. Splunk designed Phantom for automation and orchestration. The Splunk suite is available both on premises and as SaaS.
Vulnerability scanning and assessment
Vulnerability scanning and system assessment tools help with cyclical updates on vulnerabilities and configuration issues that may be present with systems and applications in the environment. Vulnerability scanners also provide system inventory information, which can be invaluable to incident response teams that need to look up a system that's acting unusually or being targeted during an attack.
Today's vulnerability management products often incorporate agent-based options that continuously feed vulnerability information and system or application status back to analysts so the analysts can assess the organization's susceptibility to an attack or potential issues. While incident response teams don't often operate scanning tools directly, they rely on the data these tools provide.
BeyondTrust Retina Network Security Scanner
Retina is an appliance or software deployment that supports agent-based and agentless scanning. The product can integrate with Rapid7 Metasploit for penetration testing and includes policies that can perform asset profiling to gather personally identifiable information across enterprise environments.
Qualys Vulnerability Management (VM)
This cloud-based scanning tool incorporates agent-based scanning and monitoring and offers a rapid deployment model and flexible reporting options. Systems and applications can be continuously assessed using a large library of vulnerability checks. Enterprise security teams can integrate Qualys VM with other Qualys products for endpoint monitoring and response.
This scanning platform includes an array of vulnerability plugins and policies, flexible policy management, configurable dashboards, and a risk scoring system that prioritizes and ranks vulnerabilities discovered across the environment. The product also integrates with Rapid7 Metasploit for penetration testing.
The Nessus Professional vulnerability scanner offers a wide range of vulnerability plugins, reporting options and assessment options for on-premises and cloud systems and services. The product also integrates with Tenable.sc for additional enterprise class management and reporting.
Tripwire IP360 includes agent and agentless options for assessing and cataloging systems and applications, both on premises and in the cloud. The product offers flexible reporting options and risk-based scoring of vulnerabilities discovered and integrates with Tripwire Enterprise for change tracking and potential remediation actions.
Endpoint detection and response (EDR)
EDR tools are typically agent-based endpoint security products that provide several important security controls to analysts and incident responders. First, these tools are usually a replacement for traditional antivirus products, offering a blend of next-generation antivirus (NGAV) capabilities that combine both signature-based and heuristic analysis of endpoint behavior to prevent and detect malware. These tools can also detect nonmalware intrusions through behavior analysis. This provides analysts with granular details of the events detected, as well as system artifacts and processes. Incident response teams can use EDR platforms to access suspect systems to quickly assess and respond to unusual activity.
Carbon Black Predictive Security Cloud (PSC)
Carbon Black PSC provides security professionals with a single tool to manage instead of multiple endpoint agents and consoles. The PSC tool offers prevention capabilities, as well as in-depth forensics, threat hunting and monitoring controls that teams can use to help prevent incidents.
This platform offers a lightweight agent that's managed from the cloud. The product provides deep introspection into behaviors and unusual activity, versus solely relying on signature-based prevention and detection.
Cybereason Endpoint Detection and Response Platform
The Cybereason NGAV and behavioral detection and analytics system offers intuitive visual dashboards and controls, reporting, and antimalware and PowerShell execution protection policies.
SentinelOne Endpoint Protection Platform (EPP)
The SentinelOne EPP product includes NGAV prevention capabilities, as well as deep incident response analysis and threat hunting tools. The platform also offers remediation options and a network quarantine feature that can take systems offline to prevent further attacks.
Symantec Endpoint Detection and Response
The Symantec EDR suite integrates with traditional Symantec NGAV, including Symantec Endpoint Protection. The product analyzes attack chains that comprise more advanced threats and can be deployed as a stand-alone software agent or as a managed service. Symantec EDR also includes threat hunting and analysis of indicators of compromise.
Malware analysis and sandboxing
These products help organizations predict and eliminate malware -- including spyware and viruses -- and other malicious events before they occur. If a threat is detected, it can be isolated in a sandbox and eliminated. Some of these products use machine learning technology to examine suspicious files, to determine the malware author's intent and to better identify potential vulnerabilities -- usually, it uses machine learning in cloud-based sandboxes. These tools can also be useful in deliberate detonation of malware and to help trained analysts perform malware reverse engineering.
CrowdStrike Falcon Sandbox
Falcon Sandbox can be incorporated into the company's EDR platform but is also available as a stand-alone module for organizations that want to perform automated malware sandbox analysis. The platform is available in the cloud and on premises and includes integration with SIEM and threat intelligence standards.
FireEye Malware Analysis (AX Series)
FireEye Malware Analysis offers autoconfigured test environments for analysts to execute many types of files, including executables, office documents and webpages. The platform tracks all attempted malware behavior, including dropped files, changes to an OS, and network command and control efforts.
Palo Alto WildFire
WildFire analyzes malware and then integrates with Palo Alto firewalls to add blocking signatures dynamically. Similarly, firewalls that detect unknown malware can forward the file to a WildFire sandbox for on-the-fly analysis. The service is delivered in a cloud environment that includes static and dynamic analysis and uses machine learning for inspection of behaviors across millions of detected samples.
VIPRE Threat Analyzer Sandbox
Threat Analyzer detects which systems and networks are at the greatest risk for targeted attacks and other malware and moves suspicious files to a sandbox where it detonates them. Machine learning identifies the source of the attempted attack and helps eliminate potential vulnerabilities and data losses. The product is available via the cloud or on premises and supports routing any type of network traffic and files to the system to perform dynamic execution with minimal interaction with analysts.
VMRay offers the Analyzer malware sandbox both on premises and in the cloud and provides customizable detonation environments. The product includes several integration partners for automating analysis based on detection elsewhere in the environment and offers highly flexible APIs that can be used to customize automation actions.
Security orchestration, automation and response (SOAR)
As a newer category of tools that's gaining traction, SOAR focuses on automation and orchestration of activities tied to security operations, particularly alerting and incident response. When crafting incident response playbooks, many organizations realize that numerous activities might be better automated where possible, and that's where SOAR tools come in.
These platforms need to integrate with several other tools and controls -- primarily, event management platforms, ticketing systems, endpoint and network security controls, vulnerability scanners, malware analysis sandboxes, and cloud and virtualization APIs for software-defined infrastructure. For example, a specific alert could prompt an automated ticket to be opened with notifications, a temporary quarantine on an isolated software-defined network, or the performance of a vulnerability scan and EDR tool assessment.
With more than 200 integration connectors, analysts can use the CyOPs central SOAR platform to create playbooks and incident response workflows that incorporate event data, correlate alert triage with threat intelligence, prevent malicious content through blocking with firewalls and other systems, and initiate investigation tickets and alerts.
IBM Resilient SOAR Platform
This platform includes dynamic playbooks, which enable security teams to automatically adapt incident response processes to real-time incident conditions, providing a fast response. For full integration to other platforms, the Actions add-on helps automate incident response plans and orchestrates incident response processes and workflows. The Incident Visualization feature breaks out attack workflows in a graphical model so analysts can more easily assess and respond.
Palo Alto Enterprise
Formerly Demisto Enterprise, the product offers drag-and-drop playbooks with thousands of security actions across products, workflow logic, and manual checks and balances. The system also includes hundreds of built-in security product integrations with classification mapping and an SDK to build custom integrations. Repositories of both incidents and indicators of compromise are available natively, and case management and collaborative analyst investigations are all built in.
The Phantom platform combines security infrastructure orchestration, playbook automation and case management capabilities with an extensive library of APIs and integration partners. Phantom offers integrated Splunk threat intelligence, automated attacker lookup tools, phishing attack detection and response capabilities, and a community-driven model for new apps and integration.
Swimlane provides centralized incident tracking, data contextualization and workflow for incident triage, escalation and response based on well-defined playbooks. The product uses customized workflows for particular event types within applications, where record layouts and technology integrations are containerized. Swimlane supports host-based triage integrations with endpoint analysis tools that remotely acquire process and network connection details for the associated host.
Network intrusion detection and next-generation firewall (NGFW)
Although network intrusion detection and prevention and NGFW have been in place for several years, these are still critical lines of defense. They include controls for prevention, including blocking malicious traffic; detection, such as events and alerting feeds to SIEM and other central monitoring technologies; and the development of behavioral baselines of network traffic in the environment.
Check Point NGFW
The Check Point enterprise-class NGFW platform offers threat intelligence, user ID integration with Active Directory (AD) and other directory services, protocol inspection and application identification. Check Point NGFW includes the Check Point IPS Software Blade, which performs intrusion protection system functions for all packets traversing the system and provides frequent, automated threat definition updates.
Cisco Firepower NGFW
Cisco Firepower enterprise-grade NGFWs offer many IDS and IPS capabilities. The Firepower Next-Gen IPS capabilities are integrated into the platform, and the Cisco Talos Threat Intelligence team continuously updates signatures and detection and prevention capabilities in the system.
Fortinet FortiGate NGFW
Fortinet offers FortiGate NGFW gateways and has expanded its support to multiple public IaaS platforms, including Google, IBM and Oracle. Fortinet provides support for IBM and Oracle public IaaS cloud platforms, in addition to AWS, Microsoft Azure and Google Cloud. IDS and IPS functions and controls are built in, or a stand-alone IPS with the FortiGate IPS is available.
Palo Alto NGFW
Palo Alto NGFW platforms offer three core capability feature sets within its product lines: App-ID, User-ID and Content-ID. The App-ID application recognition engine combines application protocol behavior analysis and signature fingerprinting to detect protocols on any port. User-ID ties to AD or Lightweight Directory Access Protocol to add user context to sessions. Content-ID offers content filtering capabilities, including URL filtering and malware filtering.
Trend Micro TippingPoint
The TippingPoint stand-alone IPS platform touts ease of use, rapid threat definition updates, on-box SSL termination and inspection, and deep integration with the other products in the Trend Micro portfolio. These tools provide automated endpoint prevention and other breach detection and prevention controls.
Honeypots and deception technology
Deception tools often mimic real-world systems and assets that attract attackers. Tools in this category include multiple types of OS decoys, decoy credentials (honeytokens) for use within the deception environment, decoy documents and other information that would attract an attacker. These tools can be deployed in typical in-house networks with servers and end-user computing, cloud environments, specialized IT infrastructure, such as industrial control platforms, and payment card processing environments.
One advantage of using deception technology is that there's little chance of false positives -- anyone accessing any deception system or assets is either actively engaged in attack behavior or is intentionally or accidentally violating policy.
Deception technologies can detect numerous types of activities, including:
- Early-stage reconnaissance of users and systems;
- system or application exploitation;
- credential theft and abuse;
- lateral movement from one system to others;
- attacks against user directories and identity stores;
- passive attacks, like man in the middle and sniffing; and sensitive data access and exfiltration.
Fidelis Cybersecurity Deception
This deception platform offers two primary methods of detection: breadcrumbs on actual assets (more honeytokens and fake accounts than anything else) and inline traffic monitoring for the network. Fidelis can correlate detections with strong threat intelligence capabilities, adding another layer of reporting.
This hybrid product combines microsegmentation with some deception capabilities. When a forbidden application traffic pattern is determined based on policy definitions, the system can route attackers directly to high-interaction deception platforms. The platform offers options for physical and virtual servers, containers and cloud instances and is scalable for large environments.
Illusive offers numerous integrations, including Cisco Identity Services Engine for actual mitigation, as well as a strong partner ecosystem in SIEM, privilege management and other areas. The vendor also provides options for creating decoys and deceptions around mainframes.
The DeceptionGrid all-in-one product focuses on automated discovery in the customer's environment, followed by automated deployment and continuous refresh of lures and decoys. The product can protect numerous system and network traffic types, including the SWIFT financial network. Analysts can use TrapX to clone existing assets to create realistic full-OS decoys that contain the customer's footprint for attackers to discover.
Endpoint forensics tools have been a mainstay of incident response and forensics teams for many years. Traditionally, during an investigation, security teams may need to access remote systems, investigate suspicious or interesting artifacts, and acquire both disk contents and a full memory capture. This enables deeper forensics analysis of potential intrusions, and also presents an opportunity for evidence acquisition and storage for criminal and civil cases. Many chain-of-custody processes are built around the use of forensics tools and controls. Although there's some overlap between this product category and EDR, many organizations rely heavily on dedicated tools specifically built for forensics acquisition and analysis.
AccessData Forensic Toolkit (FTK)
FTK enables rapid assessment and searches for evidence across remote systems. The platform also supports full password recovery and cracking features during investigations where warranted and can collect and centrally store evidence from an investigation.
BlackLight can analyze computer volumes and mobile devices and will assess events for suspicious user actions. BlackLight enables users to easily search, filter and sift through large evidence data sets and can logically acquire Android and iPhone and iPad devices, as well as Mac and Windows OS. The software runs on Windows and Mac OS X.
This appliance can provide remote investigative access to Windows, Linux and Mac devices. This helps investigators acquire any evidence needed -- disk and memory -- as well as specific artifacts for analysis.
Acquired by OpenText, the EnCase product line includes EnCase Forensic and EnCase Endpoint Investigator tools for endpoints and mobile devices. These enterprise-grade products can access all types of endpoints and perform analysis and evidence acquisition in a forensically sound manner that will support chain-of-custody requirements.
X-Ways performs digital investigations and forensics evidence collection. The digital forensics analysis platform focuses on disk assessment and OS analysis and uses the company's WinHex hexadecimal editor.
Backup and recovery
While not specifically a category geared toward incident response, backup and recovery tools are critical in every organization for a variety of reasons. First, they're needed to ensure business continuity and operational effectiveness in cases of disasters or system or disk failures. Incident response and security operations teams are increasingly reliant on these tools to recover from ransomware attacks and retrieve forensic artifacts from stored backups in cases of intrusions or breaches that go back for extended periods of time. Aside from retention requirements that may be in place to meet compliance and regulatory mandates, having more backup data available often helps security professionals discover the root cause of intrusions and attacks.
This SaaS-based storage option is designed for enterprise file storage and replication and provides an automated way to safely protect user data from ransomware and other attacks. The product offers collaboration features, as well as extensive security, privacy and auditing controls.
Commvault Complete Backup & Recovery
Commvault's platform covers physical and virtual systems, databases, applications, storage infrastructure and cloud-native scenarios. It supports various models of replication, deduplication and snapshots for both virtual and hardware-based infrastructure.
Rubrik Cloud Data Management
Rubrik natively backs up data to the cloud using a scalable and rapid replication model that also includes numerous application-specific features for both on-premises and cloud SaaS providers.
Veritas Backup Exec
Backup Exec supports physical, virtual and cloud platforms. New versions of this backup and recovery platform include specific features for protecting against ransomware. Backup Exec also integrates with Azure Site Recovery to offer disaster recovery as a service.
Zerto IT Resilience Platform
This cloud-based software platform can back up data center infrastructure and end-user devices. The product offers archival options and anti-ransomware "rewind" capabilities for data replication points in time.
Note: While not listed explicitly as a category of tools, ticketing and team coordination platforms like ServiceNow, Remedy and others are critical to any mature incident response function and should be considered vital technology.