Best Incident Response Platforms include:
Proofpoint Threat Response Auto-Pull, Cofense Triage, VMware Carbon Black EDR (formerly Cb Response), BlackBerry Optics (CylanceOPTICS), Palo Alto Networks Cortex XDR, Proofpoint ThreatResponse, Cobalt, Kaspersky Threat Management and Defense, Cherwell Information Security Management Solution (ISMS), and Agari Phishing Response.
Learn More About Incident Response Platforms
What are Incident Response Platforms?
Incident response (IR) platforms guide countermeasures against a security breach and deploy preplanned, automated threat responses. Automated tasks can include threat hunting, anomaly detection, and real-time threat response via a playbook. After a breach, IR platforms can generate incident reports for analysis. Through IR software incident response may be planned, orchestrated and logged in accordance with policy, and best practice.
IR platforms may provide a response playbook designed to help contain and remediate breaches. Playbooks, or runbooks, are planned workflows that guide or automatically orchestrate responses to threats in real-time. These playbooks can be triggered by detecting known threats or incident types, and run in accordance with policy or SLA. For instance, the playbook may escalate a threat level if a high priority device is infected.
Through automated orchestration, incident response platforms help response teams minimize the time and resources required to manage incidents. IR platforms enable remediation teams to work on a broader scale and can identify and remediate network events that may have been missed due to a lack of resources.
Endpoint security and Incident response platforms have been thought of as separate categories. Endpoint security is a first-line defense mechanism for blocking known threats while incident response is the next layer and is all about hunting for endpoint threats and actively removing them. However, these categories are starting to merge into a new broader category often called Endpoint Protection and Response.
Features of Incident Response Platforms
Incident response platforms may offer the following features:
Knowledgebase of regulations and best practice response plans
SIEM data ingestion, anomaly detection
Correlate data from SIEM, endpoints, and other sources
Pre-built customizable standards-based incident response playbooks
Automated response to security alerts
Process tree & timeline analysis to identify threats
Attack behavior analytics, for real-time detection & forensics
Access & credential lockdown, network access analysis
Isolation of infected systems, malicious files
Automate escalation to assign tasks to the right people
Service-level agreement (SLA) tracking and management
Forensic data retention for post-incident reporting, analysis
Remediation planning & process automation
Privacy breach reporting policy (e.g. GDPR) preparation
Compliance report issuance
Pricing Information & Availability
Incident response is very often offered as a service by cybersecurity outsourcing specialists. However strictly technology-based IR Platforms like those below are available to SOCs and in-house enterprise IT security teams. These offerings are often part of a suite from vendors specializing in cybersecurity software. In this case, they may be bundled with endpoint protection and antivirus applications from the same vendor. Vendors of IR software will boast integrations with popular SIEM applications, or other IT automation applications. Incident response platforms