The SOAR (Security Orchestration, Automation and Response) solutions we offer give you tighter control over the security incidents detected in your organization. Products such as IBM Security® QRadar® SOAR (formerly IBM Resilient) and Palo Alto Cortex XSOAR substantially speed up an effective response to detected threats. According to IBM, implementing automation and orchestration can shorten incident response time by up to 85%.
We integrate SOAR with your infrastructure to strengthen control over incidents and improve response to detected threats!
Detecting a security incident is an important event, but it is only the first step towards stopping it. Every decision made while responding to a detected threat determines whether it is contained or whether it escalates.
The traditional, and still most common, way of responding to security incidents is a fully manual process. Compiling the list of affected systems, finding the people responsible for them, identifying the business areas whose operation the incident may disrupt, preparing a plan for handling it, and finally executing and coordinating that plan: these are just some of the challenges facing security staff. Bear in mind that at every stage new circumstances may arise that force the whole action plan to be rebuilt, such as the discovery of related attack vectors or further vulnerable systems.
Fully manual preparation and execution of a remediation plan is time-consuming, and the longer it takes, the greater the risk that the incident escalates. It is not the only option, however. There is a class of solutions designed to speed this process up considerably and to adapt automatically as the situation changes: SOAR (Security Orchestration, Automation and Response). The best-known products of this class include IBM Security® QRadar® SOAR (formerly IBM Resilient) and Palo Alto Cortex XSOAR. As IBM notes, using a SOAR solution helps reduce the time needed to resolve an incident by up to 85% (link: https://www.ibm.com/products/qradar-soar).
At the heart of SOAR solutions are the so-called dynamic playbooks. They take the organization's existing response processes and adapt them to the events detected by the SIEM system and to the results of the individual steps of the process. They also allow some tasks to be automated, e.g. notifying the appropriate support team, querying the CMDB (Configuration Management Database, which holds information about all the hardware and software in use in the organization), or requesting a configuration change on a network device. For each detected potential security incident a separate record is created in the SOAR system. It contains the action plan and its execution status, related data obtained from the SIEM and other systems (such as the CMDB mentioned above), and notes and attachments added by the staff handling the incident (e.g. a report from the analysis of the compromised system, or files collected for analysis).
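To make the idea of a dynamic playbook and an incident record concrete, here is a small Python illustration. It is added example code, not code from QRadar SOAR, Cortex XSOAR or our own deployments: the SIEM alert, the CMDB contents, the field names and the e-mail addresses are all constructed, and the "integrations" only append to the incident record instead of calling real systems. The point it shows is how the same playbook takes a different path depending on what the CMDB enrichment returns (unknown asset, critical asset with dependent services, low-value asset), while every step and its status is written into one incident record.

```python
"""Minimal dynamic-playbook runner (illustrative, vendor-neutral).

Added example: not code from any SOAR product. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed SIEM alert; the field names are an assumption, not a vendor schema.
SAMPLE_ALERT = {
    "rule": "Outbound connection to known C2 address",
    "src_ip": "10.20.30.40",
    "dst_ip": "203.0.113.77",
    "severity": "high",
}

# Constructed CMDB extract keyed by IP address (assumed layout).
SAMPLE_CMDB = {
    "10.20.30.40": {"hostname": "erp-db-01", "owner": "erp-team@example.com",
                    "criticality": "critical", "services": ["ERP", "Payroll"]},
    "10.20.30.41": {"hostname": "kiosk-07", "owner": "it-support@example.com",
                    "criticality": "low", "services": []},
}


@dataclass
class Incident:
    """One SOAR incident record: plan with statuses, pulled data, analyst notes."""
    title: str
    alert: dict
    plan: list = field(default_factory=list)        # (step name, status)
    artifacts: dict = field(default_factory=dict)   # data obtained from other systems
    notes: list = field(default_factory=list)

    def record(self, step, status, note=None):
        self.plan.append((step, status))
        if note:
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            self.notes.append(f"{stamp} {step}: {note}")


def query_cmdb(cmdb, ip):
    """Enrichment step: returns the asset entry or None if the IP is unknown."""
    return cmdb.get(ip)


def notify(incident, recipient, message):
    """Stand-in for a ticketing/mail integration; only records what would be sent."""
    incident.record("notify", "done", f"sent to {recipient}: {message}")
    return recipient


def request_block(incident, ip, needs_approval):
    """Stand-in for a firewall change request; status depends on the approval path."""
    status = "pending_approval" if needs_approval else "done"
    incident.record("request_firewall_block", status, f"block {ip} at egress")
    return status


def run_playbook(alert, cmdb):
    """Run the playbook for one alert; the path taken depends on enrichment results."""
    inc = Incident(title=alert["rule"], alert=alert)
    inc.record("create_incident", "done")

    asset = query_cmdb(cmdb, alert["src_ip"])
    inc.artifacts["cmdb"] = asset
    if asset is None:
        # Unknown asset: nobody to ask, so escalate to the SOC instead of an owner.
        inc.record("enrich_cmdb", "failed", "asset not in CMDB")
        notify(inc, "soc@example.com",
               f"unknown asset {alert['src_ip']} talking to {alert['dst_ip']}")
        return inc
    inc.record("enrich_cmdb", "done",
               f"asset {asset['hostname']} ({asset['criticality']})")

    # Isolating a critical asset may interrupt the services that depend on it,
    # so the block waits for the owner's approval; a low-value asset is
    # isolated immediately and the owner is merely informed.
    critical = asset["criticality"] == "critical" and bool(asset["services"])
    if critical:
        notify(inc, asset["owner"],
               f"{asset['hostname']} flagged; confirm isolation "
               f"({', '.join(asset['services'])} affected)")
        request_block(inc, alert["src_ip"], needs_approval=True)
    else:
        request_block(inc, alert["src_ip"], needs_approval=False)
        notify(inc, asset["owner"], f"{asset['hostname']} isolated pending analysis")
    return inc


if __name__ == "__main__":
    incident = run_playbook(SAMPLE_ALERT, SAMPLE_CMDB)
    for step, status in incident.plan:
        print(f"{step:25} {status}")
    print("\n".join(incident.notes))
```

In a real SOAR deployment the `notify`, `query_cmdb` and `request_block` steps would be the product's integrations with the ticketing system, the CMDB and the firewall management platform, and an analyst would attach reports and collected files to the same record; the branching on criticality is what the text calls the playbook adapting to the results of individual stages.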
Contact us directly:
sales@ttst.pl
+48 603 602 459
or use the form: