Pricing Login
Pricing
Support
Demo
Interactive demos

Click through interactive platform demos now.

Live demo, real expert

Schedule a platform demo with a Sumo Logic expert.

Start free trial
Back to blog results

September 7, 2020 By Dario Forte

Integrating lessons learned into Incident Response

Let me start by saying that total prevention is not attainable with today’s technology. Whether through negligence or ignorance, any data stored on a network is subject to unauthorized access by 3rd parties. Instead, we must combine Prevention with Detection and Response. We know we are going to get breached, so we must focus on how we deal with that.

One significant activity that can improve cyber incident response and enable the timely mitigation of threats is the transfer of knowledge after an incident as part of a formalized “Lessons Learned” phase of the incident response life cycle. Integrating successful processes and procedures from previously successful incident response activities can play a critical role in determining whether a business will suffer in terms of operational integrity, reputation, and legal liability. A publicized security breach will lower customer confidence in the services offered by an organization as well as call into question the safety of their sensitive 3rd party information. This impacts a business's credibility and translates directly into lost revenue.

In regulated industries, increased regulatory scrutiny is an additional consequence of a breach. This involves evaluating if the tools and procedures used in responding to security threats were sufficient. Integrating lessons learned into existing and future incident response playbooks ensures that the proper technologies and processes are deployed, and avoids accusations of gross negligence, expensive and time-consuming investigations, and regulatory demands.

Procedural improvements can be incorporated into incident workflows via incident playbooks and ensure that all stages of the incident response process have been acknowledged and addressed. It also ensures that required security measures and procedures are documented and relevant stakeholders informed of their roles in case of an incident.

This process can be augmented through machine learning. Applying machine learning to this problem requires that all relevant data associated with incidents are analyzed and automatically applied to future incidents. DFLabs (now Sumo Logic) recently released DF-ARK machine learning capability to do precisely this. Our patent-pending Automated Responder Knowledge ARK module applies machine learning to historical responses to threats and recommends relevant playbooks and paths of action to manage and mitigate them. DF-ARK requires sufficient training data – it begins with no knowledge, but learns from the experience and actions of your security team, becoming more effective over time. DF-ARK implements supervised case-based reasoning machine learning.

It also involves combining automated workflows and manual procedures to keep a human in the loop. This can be constantly improved by applying new observations and data, to fine-tune existing methods and procedures identified in the lessons learned phase.

Cloud SOAR offers Dual Mode playbooks to facilitate this. Playbooks are created using a visual editor and support granular, stateful, and conditional workflows to orchestrate and automate incident response activities such as incident triage, stakeholder notification, data and context enrichment, and threat containment. Dual Mode playbooks support manual, semi-automated, and automated actions, meaning that users can automate the action without automating the decision.

Adding all of this together, here are 5 best practices for increasing the effectiveness of incident response via lessons learned:

  • Encourage feedback from responders at every level. First, second and third line SOC operators and incident handlers each have a unique perspective that must be incorporated into future response playbooks.

  • Review all relevant documentation to ensure compliance. This includes organizational policies or regulatory mandates to ensure any disparities are addressed in future playbooks.

  • Chronicle any unanticipated or unusual events to extend procedures to mitigate similar occurrences in the future

  • Annotate enhancements to existing processes that were identified during the incident response cycle.

  • Designate a business unit or individual to be responsible for making necessary changes to existing playbooks, processes, or procedures and to distribute these to stakeholders.

Capitalizing on lessons learned during incident response provides immediate and long-term benefits that contribute crucial time savings necessary to successfully mitigate future threats. Deploying a platform designed to facilitate the rapid inclusion of identified improvements to the incident workflow, such as Sumo Logic’s Cloud SOAR, can not only reduce the time it takes to fully investigate an incident but also reduces the overheads required to do so. If you want more information please contact us at Sumo Logic for a no-obligation demonstration of exactly how we can improve your response time, workflows, and remediation activities.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial
Dario Forte

Dario Forte

VP & GM, Orchestration & Automation

Dario Forte started his career in IR as a member of the Italian police, and in that role he worked in the US with well-known government agencies such as NASA. He is one of the co-editors of the most relevant ISO Standard (SC 27) . Dario Holds 5 patents, he has an MBA from the University of Liverpool, plus executive education at Harvard Business School.

More posts by Dario Forte.

People who read this also enjoyed