Incident response automation: What it is and how it works

What is incident response automation?

Incident response automation refers to the use of rule-driven logic, machine learning (ML) and AI to do the following:

• automatically analyze and correlate data from different sources to identify and triage incidents that threaten an organization's cybersecurity; and
• automatically complete routine, standardized tasks to expedite the incident response process and increase SecOps teams' efficiency and effectiveness.

Automated incident response technology is gaining significant traction in the enterprise security operations center (SOC). As infrastructures continue to grow in size and complexity -- with many now spanning multiple private LANs, data centers and clouds -- the data they produce grows harder to manage. Manually addressing each security alert is, therefore, inefficient and impractical, and locating the root cause of a security or performance problem is becoming increasingly challenging.

Automated incident response tools aim to find and show SOC teams only relevant, actionable alerts, suppressing those that correlate to benign activity. The technology can also use automated playbooks to resolve common, lower-risk incidents and suggest operator next steps for higher-risk cyber threats.

Incident response automation streamlines the steps necessary to recognize the following:

• a significant incident occurred;
• the incident's root cause;
• why it occurred; and
• what can be done about it.

For now, incident response automation's key benefit is to reduce alerting noise and handle basic, repetitive tasks.

What are the benefits of incident response automation?

By tapping into and analyzing the vast amounts of security and health data various network, system and security components produce, incident response automation tools offer the following benefits:

• Reduced alert fatigue. The typical enterprise SecOps team fields thousands of security alerts every day. Without the benefit of automation, security analysts can easily spend the bulk of their time investigating false positives, while critical incidents fall through the cracks.
  
  Incident response automation and ML technology can learn to recognize and automatically suppress false-positive alerts, thus significantly reducing alerting noise.
• Alert triage. After dismissing false alarms, tools then analyze, correlate and classify others according to severity. This helps streamline decision-making by flagging the most critical incidents for immediate human intervention.
• Automatic investigation and response. Some advanced automated incident response technology has functionality that moves beyond alert triage. Security orchestration, automation and response (SOAR) tools are capable of responding to incidents using policy-driven playbooks. For instance, if a system appears to have a ransomware infection, a SOAR platform might initiate an automated workflow to isolate it.
  
  These tools can also suggest response paths for SecOps pros as they work to remediate cyber threats.
• Automatic ticketing and alerting. Incident response technology can automatically open and manage tickets, as well as alert appropriate stakeholders to an incident and update them in real time.
• More effective use of human intelligence. In taking many routine, manual and repetitive tasks off security analysts' plates, incident response automation leaves them more time for advanced, high-value activities, such as responding to critical incidents and engaging in proactive threat hunting.
  
  By automatically correlating event data from multiple sources, automation also reduces the amount of human investigation required to identify an incident's root cause.
• Faster response and resolution. By reducing mean time to detect (MTTD) an incident -- and by gathering, correlating and presenting contextual information from diverse data sources at the speed of machines and at scale -- automated incident response technology positions analysts to conduct their investigations of high-risk alerts as efficiently as possible. This should, in turn, lead to a shorter mean time to repair (MTTR), reducing attacker dwell times and minimizing damage to the organization.
• Automatic case management and reporting. Manually tracking performance metrics, such as MTTD and MTTR; weaving data from multiple sources into a single case narrative; and generating incident reports are tedious and time-consuming. Automation technology gathers and presents relevant information, nearly instantaneously.
• Cost savings. Automated incident response technology can support cost savings by reducing the burden on chronically overworked and understaffed security teams, improving productivity and talent retention. Better security outcomes may also mean an organization saves money it would have otherwise lost in a serious incident, such as a data breach.

While automated problem-solving capabilities in some tools, such as SOAR, are improving, in general, they still have significant limitations. For now, incident response automation's key benefit is to reduce alerting noise and handle basic, repetitive tasks so operations teams can spend their time identifying and solving high-priority security issues.

How does incident response automation work?

Automated response technology works by ingesting, processing and analyzing huge amounts of raw data from diverse sources. These vary depending on the type of tool -- i.e., SIEM vs. SOAR -- but may include the following:

• malware detection software;
• firewalls;
• application logs;
• intrusion detection systems and intrusion prevention systems;
• identity and access management;
• external threat intelligence feeds;
• endpoint security software; and
• other third-party sources.

After analyzing the data using ML and AI, security automation technology aims to do the following:

• separate meaningful flags from false positives;
• prioritize the most significant alerts; and
• point to where in the infrastructure a problem might originate.

Incident response automation best practices

Successful incident response automation largely depends on the ability to pull relevant data streams into tools that can analyze them and provide meaningful insights.

As such, security pros must identify the following:

• which data streams the enterprise's infrastructure produces;
• which data streams its existing automated incident response tools support; and
• any untapped data streams they could add to provide optimal visibility.

In this information-gathering process, one may find some hardware and software manufacturers require the use of proprietary tools for health and security analysis and incident response automation. In other cases, teams can use standards-based telemetry, which opens the door to any number of third-party tools. The good news is manufacturers are beginning to listen to customer feedback, with many working to integrate a more standards-based approach for those that demand it.

To summarize, incident response automation best practices include the following:

• Tool selection. Select a tool that can ingest and analyze the specific forms of an infrastructure's polled, sensor-driven and telemetry data.
• Data sourcing. Pick and choose the right data sources and connect them to the automation tool.
• Manual tuning. An infrastructure is likely to produce false positives and white noise that is not meaningful in identifying root causes. Use manual tuning to eliminate these where possible.

After deployment, such tools offer numerous ways to customize the prioritization of incident alerts, such as flagging appropriate operations team members responsible for remediating a certain type of incident.

Dave Shackleford contributed to this article.