IR Fire Drills and Automation

TechCrunch shared a blog post last week (Why Incident Response Plans Fail) describing how even the best IR plans become entangled while teams cycle through confusing “storming sessions” arguing over who owns what.  Meanwhile, response time worsens and the IT environment suffers further damage.

Automation of IR plans is a common use case.  While some can be simple scenarios aimed at helping responders collect data for further investigation, other use cases can be quite complex.  Consider this scenario where 8 different products orchestrate the investigation and containment of a phishing attack with as many steps:

TG Playbook

Note: this playbook will be featured during our Tech Session on Friday, May 20 at Noon ET / 9 am PT (register).

In cases like the one depicted above, there are often multiple “owners” not only within the security team, but across the entire IT organization.  The complexity of the plan and handoffs between teams can even show signs of strain in a simulation, as shared in the TechCrunch post.

I agree with the author’s suggestions to keep lines of communication open, bring suppliers (and other critical partners) into the planning, and remain flexible in times of stress.  I’d add a suggestion to the list though.  Consider how automation can help reduce confusion during an incident and ensure a timely, well planned response is executed.

Some companies considering automation think of it in a binary sense.  You are either automated or not.  It’s actually more like a spectrum where humans may be in, out or on the loop.

In an “in the loop” scenario, an analyst may need to approve further actions before the automation continues.  For example, a playbook may collect data from an IP reputation service and drop a suspicious email attachment into a sandbox, but pause for an analyst to review the information collected before approving a block action on the firewall.

An “out the loop” scenario is what most imagine when thinking of automation.  A playbook runs from start to finish without human intervention.  Though exceptions may be reported, the system is fully autonomous.

“On the loop” exists somewhere in between the previous two.  In this case, an analyst is able to monitor automation and even choose to reverse actions after they have executed.

When considering automation for IR, it’s best to think about how the “in, out or on the loop” spectrum aligns to the goals of the plan.  Full automation is often not possible in complex use cases, but certainly can reduce confusion and improve response times.

Interested in seeing how Security Automation & Orchestration can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions.

CP Morey
VP, Products & Marketing

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit:

One thought on “IR Fire Drills and Automation

Comments are closed.