Why the quickest response is not always the best in cybersecurity

The need for fast incident response is a given. No industry professional would deny how critical a rapid response is when dealing with a cyber threat and an incident. However, it is equally important to understand that the quickest response is not always the best in cybersecurity. Security operations centers (SOCs) and organizations must factor in other variables, too, when preparing for the inevitable, as recent cyber stats suggest.

What are the constituent elements of a robust incident response besides speed? Read on for practical pointers to help you achieve your organization’s incident response goals.

What makes a good incident response plan?

Cyber attacks and incidents inevitably happen. No one is immune to them.

Regardless of whether they are internal or external — network security breaches, ransomware attacks, accidental sensitive data exposures, or disgruntled former employees — threats lurk in the shadows of any organization’s daily routines. The best practice is for you to prepare well for the unavoidable.

In practical terms, preparation means developing an incident response plan that includes solid cyber security risk management and well-structured standard operating procedures.

A good incident response plan needs to:

• Be manageable and actionable

• Let you address different problems and cyber risks

• Prescribe the use of only the services and technologies suitable for your organization

• Account for compliance, policy, and general legal demands

• Set specific roles for organization members

• Assign the right people in the right places

• Enable and foster high-quality communication between an organization’s members

Regular drills and tests allow everyone involved to internalize your plan’s principles, spot any shortcomings, make adjustments, and achieve the necessary readiness for cyber attacks and incidents.

Standard operating procedures: what are they, and how do they help?

What are standard operating procedures (SOPs)?

Standard operating procedures are structured processes or workflows optimized for anticipated cyber risk scenarios. They lay out the details of a specific course of action organizations must follow closely to ensure the success of their incident response strategy.

Cybersecurity professionals are not the only ones responsible for dealing with a cyber attack or, for that matter, any other type of security or cyber incident. When a security incident occurs, the entire organization must work together in a coordinated way.

SOPs do precisely that — enable everyone to be on the same page and understand their role in coordinated cybersecurity threat response. In addition, they cover compliance and legal requirements, which is essential for regulated industries.

How are SOPs related to an incident response plan?

SOPs are variations on a theme — blueprints for implementing your incident response plan in various concrete scenarios. That is why security solutions such as security orchestration, automation and response (SOAR) emphasize elaborate SOPs so much.

Incident response and, by extension, SOPs require speed and efficiency. Two key features that help you to achieve these objectives are incident response playbooks and integrations. You can considerably decrease incident response time and increase incident response efficiency by:

• Automating workflows via playbooks

• Adding, customizing, and using external tools, i.e., integrations in your playbooks

• Orchestrating your suite of tools through playbooks

Undoubtedly, playbooks are essential in building SOPs, and many security solutions satisfy the incident response speed and efficiency criteria through these vessels of automation. However, there is more to incident response than structured processes, playbooks, and speed.

Human expertise: the critical element in security incident response

Unpredictability and incident response

Structured processes and playbooks do guarantee a quick response. However, there’s always unpredictability that threatens to make ineffective even the most diligently crafted SOPs and playbooks.

True, one of the principal points of a formalized incident response plan is to cover as many incident scenarios as possible in advance. However, the problem is that there is often (probably always) a gap between a plan, how it plays out in practice, and reality itself. No matter how minor and subtle, this gap may prove dangerous if we neglect it. Therefore, in cybersecurity, we must reckon with unpredictability and search for an adequate solution.

The indispensable role of human expertise in incident management

Though it may sound elusive, the solution is human expertise. Stopping the catastrophic spread of the WannaCry ransomware in 2017 showed that sometimes a single expert is all it takes to prevent a digital disaster of global proportions.

SOPs and playbooks do not invariably offer everything analysts need. For example, if reading the information collected automatically by a SOAR platform raises doubts about the efficacy of your standard approach (laid out in a SOP), you may have to stray from the original plan.

Under these circumstances, activating processes outside a given playbook and formalized incident response plan is not just valid but necessary. That is true even if the appropriate response comes down to only a single tool action not included in the original blueprint.

Chances are a human analyst taking charge of the newly encountered situation won’t result in the fastest possible response; averting the threat may require time and thorough analysis. Simply activating a playbook and following a pre-established procedure would be much easier and faster. However, if the standard response is not suitable for the new situation, it can be the quickest ever but still amount to nothing.

Security automation and incident response: does automation replace humans?

Security automation, in the sense of a fully automated response, leads to a shorter incident response time. But speed is not a goal in itself in cybersecurity, nor is automation. The true objective is coming to an optimal solution in a given situation. And that often means an intervention on the security analyst’s side since an automated response does not automatically translate into an optimal response.

Security automation does not replace humans; it is there to supplement their work. Optimal incident response requires sound judgment based on experience and evidence that allows you to do the right thing in a given situation.

But automation is ideal for managing laborious and repetitive tasks such as alert triage, information gathering, and threat intelligence. With arduous, mundane, and numbing assignments out of the way, it is easier for analysts to use their problem-solving skills and expertise to focus on what counts the most:

• Address novel threats and challenges

• Overcome unforeseen or overlooked complications that might ambush the acting out of pre-established response procedures

Sumo Logic’s SOAR vision: security analysts in control

Sumo Logic’s SOAR, Cloud SOAR, allows analysts’ expertise to shine by enabling them to orchestrate additional actions and processes according to their findings without leaving the platform. By “additional,” we mean outside of a pre-established formalized response.

Once analysts respond effectively to an incident, improving and adjusting a standard procedure and playbook to handle a similar case in the future is a breeze.

In addition, Cloud SOAR gathers and displays all the incident information in its war room and in the SecOps dashboard, analysts can find just value tasks where human control is fundamental. These two features provide across-the-board visibility, which is key to effective cybersecurity incident management. Security professionals like you can:

• Assess various, unfamiliar, situations

• Understand related incident events well

• Settle on a plan of action via information sharing and close collaboration

• Launch a response in real time

It can take time to connect the dots of all the incident-related information, go over the relevant details, communicate the findings with the rest of the team and organization, and come to an actionable conclusion. Indeed, this may postpone the response to a threat.

Nonetheless, making a data-driven decision backed up by expertise and including everyone concerned in the decision-making process makes for a much better response than blindly following a fast, pre-established response procedure.

Conclusion

A well-developed, tested and proved incident response plan is vital in cybersecurity. It results in a quicker response time, but speed is not the only important element that SOCs and organizations should strive for.

Human expertise, close team collaboration, and seamless communication may not always lead to the quickest response. They result in the optimal response.

Not everyone places as much emphasis on the human factor as Sumo Logic. Learn more in our ultimate guide to SOAR.