This is the sixth and final article in a series starting with “Critical Capabilities of a Modern SOC”. In the last article, I talked about the “security investigation” capability, and in this article, I talk about the fifth capability discussed, namely, “incident response.”
The involvement of a traditional SOC in the remediation of a security incident is primarily an advisory or coordination role. The SOC will report confirmed security incidents, share its analysis and recommend response actions but not implement containment, eradication or recovery measures, which instead are carried out by owners of the affected system (e.g. application and asset teams). Gradually, however, response procedures are being integrated into the SOC workflow as existing SOCs transform into CDCs to centrally manage detection and response.
Once a security incident has been confirmed, a full incident response team should be mobilised – this will involve either convening an ad hoc team or notifying the permanent, full-time CSIRT. Depending on the incident, it may be necessary to appoint additional subject-matter experts and business representatives. If the security incident is complex, high impact or long lasting, the crisis management team should be informed and may lead the response in conjunction with the CSIRT.
In accordance with the overall security incident management process, an action plan should be devised for handling the given incident and remediating the threat. Recommendations from SOC analysts as to the appropriate response should feed into this plan.
Incident response and recovery can be a lengthy process. It requires close collaboration between many individuals and teams to contain and eradicate the threat. Depending on the level of authority granted, the SOC may hand off security incidents to the incident response team with advice on potential fixes or act as a point of coordination to drive forward the response. Generally, the SOC will not directly implement response actions, unless it is the owner of the technology platform, has explicit authorisation to perform certain actions or is responsible for initiating pre-set containment of common threats.
All the information gathered about the incident, including corrective actions undertaken, should be recorded and a comprehensive post-incident report issued to relevant internal stakeholders and external bodies (e.g. regulators, law enforcement and other government authorities). Automation can accelerate this task.
Follow-up activities may include performing a root cause analysis to identify control weaknesses that need rectifying or other safeguards that can be implemented to prevent a recurrence. Before closing the incident, steps should be taken to confirm that recommended mitigation activities were successfully implemented. The triage, investigation and response actions carried out by the SOC should also be reviewed, and any lessons learned applied to improve overarching processes.
How we do it at LMNTRIX: The evolution from SOC to CDC has paved the way for the emergence of Managed Detection & Response (MDR) services, marking a shift from traditional MSSPs. As an MDR vendor, we at LMNTRIX pride ourselves on offering three dedicated 24/7 teams: the Threat Detection team, the Threat Response team, and the Threat Hunting team. This comprehensive approach ensures that the time taken from incident detection to remediation is minimized.
To streamline our incident response process and enhance scalability, we have automated a significant portion of our containment and remediation efforts. This is made possible through seamless integration of our XDR platform with major security vendors. As a result, we can proactively block threats across various environments such as network, endpoint, mobile, and cloud. This automation eliminates the need for manual logins into individual security controls like firewalls, email, web, or mobile security solutions such as Zscaler or Mimecast, among others.
By leveraging our integrated approach and automation capabilities, we are able to provide swift and effective threat mitigation, reducing the overall impact of security incidents and enhancing our clients’ security posture with a single click.