The 4 Cs of Automated Incident Response

Tuesday, December 06, 2016

Nathan Burke


It’s almost a certainty that you’ve heard of the 4 Cs of diamond quality. Created by the Gemological Institute of America (GIA) in 1953 as an international standard for judging the most valuable characteristics of a diamond, the 4 Cs are cut, color, clarity and carat weight. It’s also a clever mnemonic device to easily remember the four categories of evaluation.

Just as there was no universally accepted method for judging a diamond’s quality or assessing relative value before 1953, we’re currently in a phase in security where there are an ever-expanding number of automated incident response solutions, and no standard method for judging quality or value.

The number of products is on the rise in categories like:

Taking a page from the GIA, what would be the 4 Cs for evaluating automated incident response? The question is open to interpretation, but from my perspective, they would include the following:

The First C: Connection

Any solution that intends to automate the process of responding to security alerts to investigate threats and remediate incidents must be able to integrate with its customers’ existing security tools. Expecting a single tool to replace all the existing solutions on the market is at best a pipe dream, and at worst a recipe for disaster.

The Second C: Capacity

Automating incident response should add capacity. By taking away the manual, repetitive and tedious work of investigating all potential threats, an automated solution should both add capacity by taking on the workload and free valuable security resources to focus on more important work.

The Third C: Capability

Any automated incident response solution worth its weight (pun intended) should provide new capabilities that simply weren’t possible otherwise. Simply adding speed is a nice-to-have, but adding new capabilities at machine speed makes IR automation a force multiplier.

A few examples of added capabilities:

  • An automated system that can immediately launch parallel investigations based on what it learns from investigating one alert
  • A solution that can use artificial intelligence to compare and incriminate threats against intelligence feeds
  • A tool that can stop a ransomware attack in-progress

The Fourth C: Confidence

Perhaps I’m shoe-horning the category name to fit the pattern, but in using confidence, I’m referring to a user’s ability to rest easy, knowing that every alert and threat – however big or small – is being investigated.

Many companies today have tuned their detection systems to meet their investigative capacity. But as many will tell you, they’re not ignoring low-fidelity alerts, but instead adding them to a backlog that is saved for another day. However, when you look at any of the headline-grabbing breaches in the last few years, you’ll note that breaches like Target or Sony weren’t due to a failure in detecting the threat. The threats were detected and alerts were sent – sometimes several times – but because of a capacity mismatch, they were never investigated.

Any automated IR system should be able to investigate everything in a timely way in order to give the customer the confidence that a front page headline isn’t hiding in the backlog.

Applying the 4 Cs

As we look to solve incident response challenges through automation, this simple framework is a guide as to what I see as the areas where automation can provide the most value. What do you think – which Cs would you add to the list?

About the author: Nathan Burke is Vice President of Marketing at Hexadite. He is responsible for bringing Hexadite's intelligent security orchestration and automation solutions to market. For 10 years, Nathan has taken on marketing leadership roles in information security-related startups. He has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action.
