Solving the Data Problem Within Incident Response


One of the underappreciated aspects of incident response (IR) is that it often starts as a data problem. In many cases, IR teams are presented with an effect, such as malware or adversary activity, and charged with determining the cause by identifying the evidence that ties cause and effect together, all inside an environment in which they have no visibility or context. This situation creates the “IR data problem”: responders must first collect and curate large amounts of data before they can provide impactful results that aid in containment and eradication of the incident.


Endpoint detection and response (EDR) technology is often used during incident response engagements, and the EDR market has made incredible advances in detection technology. However, an EDR solution only has visibility from the moment it is installed on a system going forward. Unless the EDR technology was installed throughout the entire incident and retains all of the telemetry gathered across the entire attack lifecycle, responders are still faced with a giant data problem.


Historically, IR teams solved the data problem by deploying custom tools or scripts to all systems within the enterprise and pulling the results back to a separate platform. While classic data collection mechanisms can be effective at building the narrative of an incident through the identification of evidence, they introduce additional workstreams that draw resources away from analysis.


True incident response technology needs to understand the fundamental workflows of modern incident response in order to apply tactical automation to the IR data problem. Tactical automation recognizes that the responder is the most crucial component of effective incident response and adds automation in the right places to enhance, rather than replace, the responder.


Built by Responders, for Responders


Appr ..
