An incident response platform (IRP) is a type of software designed to automate cyberincident response.
IRPs help infosec departments and SOCs save time and resources when dealing with cyberattacks, as well as improve incident containment, investigation, and mitigation.
How do IRPs work?
An IRP enables the creation of playbooks, which define sequences of common actions that the IRP can perform automatically at various stages of threat response.
For example, an IRP can accomplish the following automatically:
- Incident detection based on behaviors recorded by protection tools;
- Exclusion of false positives returned by security solutions;
- Collection of additional information;
- Threat localization and elimination;
- Data recovery from backups;
- Notification of stakeholders.
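To make the playbook idea concrete, here is an added illustrative example (not code from the original article or from any IRP product): a minimal playbook runner in Python that passes constructed alerts through the stages listed above, where an allowlist hit closes the incident as a false positive before enrichment and containment run. The alerts, the allowlist and the threat-intelligence lookup are constructed sample data standing in for the connected tools.

```python
from dataclasses import dataclass, field
# Constructed sample alerts, in the shape a protection tool might forward to an IRP.
ALERTS = [
    {"id": 1, "host": "ws-17", "indicator": "203.0.113.5", "behavior": "outbound beacon"},
    {"id": 2, "host": "srv-db", "indicator": "scanner.corp.example", "behavior": "port scan"},
]
KNOWN_BENIGN = {"scanner.corp.example"}  # constructed allowlist: internal vulnerability scanner
THREAT_INTEL = {"203.0.113.5": {"malicious": True, "family": "Generic.Beacon"}}  # constructed TI feed
@dataclass
class Incident:
    alert: dict
    status: str = "open"
    enrichment: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # incident lifecycle log

def detect(inc):
    inc.log.append(f"detected {inc.alert['behavior']} on {inc.alert['host']}")
    return True

def exclude_false_positive(inc):
    if inc.alert["indicator"] in KNOWN_BENIGN:
        inc.status = "closed-false-positive"
        inc.log.append("closed: indicator is on the allowlist")
        return False  # stop the playbook; nothing further to do
    return True

def enrich(inc):  # collect additional information from the TI source
    inc.enrichment = THREAT_INTEL.get(inc.alert["indicator"], {"malicious": False})
    inc.log.append(f"enrichment: {inc.enrichment}")
    return True

def contain(inc):  # localize the threat
    if inc.enrichment.get("malicious"):
        inc.status = "contained"
        inc.log.append(f"isolate host {inc.alert['host']}")
    return True

def notify(inc):  # inform stakeholders of the outcome
    inc.log.append(f"notify SOC lead: incident {inc.alert['id']} is {inc.status}")
    return True

# A playbook is just the ordered list of stages; a stage returning False ends it early.
PLAYBOOK = [detect, exclude_false_positive, enrich, contain, notify]

def run_playbook(alert, playbook=PLAYBOOK):
    inc = Incident(alert)
    for stage in playbook:
        if not stage(inc):
            break
    return inc
```

Running `run_playbook` over `ALERTS` yields one contained incident and one closed as a false positive, each with its own step-by-step log.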
Additional IRP features
In addition to automating the various response stages, IRPs can help administrators manage an organization’s security. Common features include:
- Incident lifecycle logging. The platform captures changes in the parameters of affected systems during incident handling, consolidates data from all connected sources in a single array, and collects and processes information about employee actions in real time. The resulting data may be useful for incident investigation and analysis to improve incident management processes;
- Full infrastructure overview. IRPs enable management of the security of internal systems, including any remote units, from a single console. That may include monitoring potentially harmful actions, logging detected vulnerabilities, and planning and tracking their elimination;
- SOC management. IRP solutions enable the automation of routine operations such as work-schedule planning, task assignment, data exchange among employees, and so forth. Some also facilitate incident response training for SOC staff;
- Knowledge-base support. Cataloging IRP-harvested information and storing it in an easy-to-access form speeds up threat identification and response.
IRP interoperability with other security solutions
Integrating IRP systems with other security solutions in an organization’s infrastructure improves the IRPs’ performance. In particular, the platform can independently retrieve incident information from SIEM tools, as well as current threat data from threat intelligence platforms.
A natural development of the IRP concept is security orchestration, automation, and response (SOAR) aimed at two-way interaction with other security products and external databases.