How automation and orchestration affect NIST’s framework for incident response

by Stan Engelbrecht, Director of Cybersecurity Practice, D3 Security

As cybersecurity incidents such as phishing scams, ransomware attacks, and user data breaches have become a never-ending threat for organizations of all sizes, incident response has grown in importance within security operations. Many companies use dedicated incident response platforms to plan, execute, and evaluate incident response processes.

Incident response plans are often built around the NIST 800-61 framework, which is the most widely accepted standard for organizing incident response. NIST breaks down incident response into four phases:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Event Activity

In recent years, incident response platforms have begun to evolve into what Gartner calls security orchestration, automation, and response (SOAR) platforms. SOAR platforms accelerate the pace and augment the power of incident response by automating repetitive tasks and coordinating actions—or “orchestrating”—across the entire security stack.

The technological advancements represented by SOAR are having a profound impact on how the phases of incident response are carried out. The NIST framework still applies, but using SOAR, responders can act faster and more conclusively at each stage.

Here is an overview of the NIST 800-61 framework, and how SOAR features can help enhance traditional incident response processes during each phase.

Phase 1: Preparation

Incidents move fast, so a comprehensive preparation phase is critical. Preparation, as defined by NIST, involves implementing the right tools and processes ahead of an incident occurring. A critical step in this phase is identifying your “crown jewels” — these assets must have the best possible defenses in place. The data from previous incidents is a useful resource during planning, as it will provide invaluable insight into your attack surface and areas of vulnerability.

SOAR platforms support the preparation phase by allowing analysts to build automated steps and orchestrated actions into their incident response playbooks. SOAR also helps you prepare your lines of communication by configuring automated task assignments and notifications.

Phase 2: Detection and Analysis

In order to stop an incident from causing damage, you first need to spot the irregular activity and figure out exactly what is happening. This phase begins with taking in data from sources such as SIEM, IDPS, network device logs, people in your organization, and more, to identify incidents based on indicators. Once incidents have been detected, you need to determine false positives, classify the attack vector, understand the scope of the event, identify the vulnerabilities being exploited, and prioritize response actions.

SOAR is especially useful in this phase, because it can integrate with other security systems to automate the gathering of threat intelligence and other contextual data, a process that wastes a great deal of time when done manually. SOAR platforms not only expedite this process, they also correlate alerts with information from historical incident and, some will even automate prioritization by assigning a risk score to each incident.

Phase 3: Containment, Eradication, and Recovery

In this phase, having gathered the information and gained an understanding of the incident, your IR team will begin to combat the threat. This includes taking actions to prevent further damage, such as closing ports or blocking IPs. Depending on the incident, you might gather and preserve evidence for future legal or regulatory cases. Once the threat is resolved, recovery will involve restoring systems to normal functionality, through actions like tightening network security, rebuilding systems, and replacing compromised files.

SOAR platforms accelerate containment and eradication to machine speeds with the ability to automate security actions. For example, if a user’s credentials are suspected of being compromised, the SOAR platform can interface with your identity and access management system to immediately disable that user’s access.

Phase 4: Post-Event Activity

Incident response can be chaotic, and it’s hard to take the time to do a post-mortem on major incidents, but NIST emphasizes the importance of this type of review. This phase includes having a “lessons learned” meeting to answer major questions about what happened, what went well, and what is needed for future incidents. Collected incident data should be used to drive these meetings and inform the resulting procedural changes. Post-event activity also involves determining what should be done with collected evidence. Is prosecution an option? How long should the data be retained?

The work of a SOAR platform is mostly done by this phase, but it can still contribute by providing a more complete data set to leverage for post-event analysis. Because of the ability to automate data capture and documentation of response actions, SOAR platforms will generally retain more usable data than would be gathered manually, and the ability to integrate across the security stack enables the incorporation of data from other security systems. The result is a data set that captures full picture of the incident, enabling more accurate metrics.

The Evolution of Incident Response

The NIST phases are still invaluable as a framework, but as you can see, the addition of automation and orchestration is reshaping how organizations approach the process of incident response. SOAR is empowering SOCs and incident response teams to do more with less, and with the addition of tools like machine learning, processes can be honed over time, analyzing patterns of incidents and tuning automation parameters to fit the exact needs of each organization. SOAR technology looks to be a promising step forward for organizations in their ongoing fight against cyber attackers.

About the Author

Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group. You can find more writing from Stan on the D3 website http://www.d3security.com/