Incident Response Platforms
Best Incident Response Platforms include:
Cofense Triage, KnowBe4 PhishER, Proofpoint Threat Response Auto-Pull, VMware Carbon Black EDR, BlackBerry Optics (CylanceOPTICS), Barracuda Forensics and Incident Response, Proofpoint ThreatResponse, Cobalt, 1E Tachyon, and Cherwell Information Security Management Solution (ISMS).
AlienVault® Unified Security Management® (USM) delivers threat detection, incident response, and compliance management in one unified platform. It is designed to combine all the essential security capabilities needed for effective security monitoring across cloud and on-premises…
CrowdStrike offers the Falcon Endpoint Protection suite, an antivirus and endpoint protection system emphasizing threat detection, machine learning malware detection, and signature free updating. Additionally the available Falcon Spotlight module delivers vulnerability assessment…
Cofense Triage accelerates phishing qualification, investigation, and response by automating standard responses to suspicious emails, making analysts more efficient, surfacing actionable intelligence, and providing incident response playbooks.
KnowBe4 offers PhishER as a simple and easy-to-use web-based platform with critical functionality that serves as a phishing emergency room to identify and respond to user-reported messages. With automatic prioritization for emails, PhishER helps InfoSec and Security Operations team…
Proofpoint Threat Response Auto-Pull (TRAP) enables messaging and security administrators to automatically retract to quarantine threats delivered to employee inboxes, as well as emails that turn malicious after delivery. It is also a powerful solution to retract messages sent in error as…
Barracuda Forensics and Incident Response automates response to email security incidents to ensure quick identification of the nature and scope of attacks, eliminate malicious emails, and carry out remediation actions to halt the attack’s progress and minimize damages.
D3 Security in Vancouver provides a platform for security orchestration, automation, incident response, as well as investigation and case management. Core components of the D3 platform include integrations with SIEM and threat intelligence platforms, a NIST-compliant playbook library,…
Carbon Black EDR (formerly Cb Response) is an incident response and threat hunting solution designed for security operations center (SOC) teams with offline environments or on-premises requirements. Carbon Black EDR records and stores endpoint activity data so that security professionals…
Exabeam, headquartered in San Mateo, offers Exabeam Fusion, a SIEM + XDR. The vendor states the modular Exabeam platform allows analysts to collect unlimited log data, use behavioral analytics to detect attacks, and automate incident response. The Exabeam platform can be deployed on-premise…
BlackBerry Optics originated from Cylance, which became a BlackBerry company through the early 2019 acquisition. BlackBerry Optics (formerly CylanceOPTICS) is an incident response solution emphasizing fast endpoint detection and automated smart threat response, root cause and context…
IBM X-Force IRIS can be deployed on-site to provide a complete cybersecurity incident response, threat intelligence, and breach remediation platform.
The Cherwell Information Security Management Solution (ISMS) is designed based on a proven NIST framework for security incident response and remediation that allows organizations to handle incidents efficiently and effectively, as well as associate risk and incidents to change and…
Australian company Huntsman Security offers Next Gen SIEM SOAR (or Analyst Portal). When integrated with Huntsman Security’s Next Gen SIEM technology, the security orchestration and automated response capabilities of the Analyst Portal create "Next Gen SIEM SOAR.…
The vendor describes Zenduty as a collaborative, end-to-end incident management system for the management of always-on services, helping teams orchestrate incident response for creating better user experiences and brand value. Zenduty centralizes critical alerts through predefined…
What are Incident Response Platforms?
Incident response (IR) platforms guide countermeasures against a security breach and deploy preplanned, automated threat responses. Automated tasks can include threat hunting, anomaly detection, and real-time threat response via a playbook. After a breach, IR platforms can generate incident reports for analysis. Through IR software, incident response may be planned, orchestrated, and logged in accordance with policy and best practice.
IR platforms may provide a response playbook designed to help contain and remediate breaches. Playbooks, or runbooks, are planned workflows that guide or automatically orchestrate responses to threats in real-time. These playbooks can be triggered by detecting known threats or incident types, and run in accordance with policy or SLA. For instance, the playbook may escalate a threat level if a high priority device is infected.
Through automated orchestration, incident response platforms help response teams minimize the time and resources required to manage incidents. IR platforms enable remediation teams to work on a broader scale and can identify and remediate network events that may have been missed due to a lack of resources.
Endpoint security and incident response platforms have been thought of as separate categories. Endpoint security is a first-line defense mechanism for blocking known threats, while incident response is the next layer and is all about hunting for endpoint threats and actively removing them. However, these categories are starting to merge into a new, broader category often called Endpoint Detection and Response (EDR).
Incident Response vs. SOAR
Incident response has traditionally been focused on response playbooks based on preset triggers or event data from other systems. Recently, this functionality has expanded beyond response to include more proactive analytics and automated, centralized responses. These advancements have now led to a wholly separate Security Orchestration, Automation and Response (SOAR) category.
Traditional incident response can be considered a subset of the growing SOAR space. For instance, all SOAR products should be able to automatically respond to incidents. Not all incident response platforms can centralize data ingestion and analysis, as well as automatically coordinate responses across an organization’s security tech stack. Incident response also places more emphasis on user alerting and guiding responders through response playbooks. SOAR is more focused on automating these processes from start to finish. Incident response also tends to be more reactive, while SOAR can be more proactive in its automated functions.
Market differentiation between these categories can be messy. Vendors may market their incident response platform as a SOAR tool and vice versa. Buyers should look at each product’s specific capability set to ensure the product aligns with the business’s needs.
Features of Incident Response Platforms
Incident response platforms may offer the following features:
Knowledgebase of regulations and best practice response plans
SIEM data ingestion, anomaly detection
Correlate data from SIEM, endpoints, and other sources
Pre-built customizable standards-based incident response playbooks
Automated response to security alerts
Process tree & timeline analysis to identify threats
Attack behavior analytics, for real-time detection & forensics
Access & credential lockdown, network access analysis
Isolation of infected systems, malicious files
Automate escalation to assign tasks to the right people
Service-level agreement (SLA) tracking and management
Forensic data retention for post-incident reporting, analysis
Remediation planning & process automation
Privacy breach reporting policy (e.g. GDPR) preparation
Compliance report issuance
Incident Response Platforms Comparison
Consider these factors when comparing incident response platforms:
Incident response vs. SOAR: The biggest consideration is whether the business needs a traditional IR solution or a more advanced SOAR tool. For instance, do you just need a point solution to take incident alerts and automatically respond to external alerts? Do you want to centralize the data ingestion and analysis as well? Is the higher price point for SOAR solutions justifiable for your use case?
Alert Management: How well can each incident response system manage false positive alerting? False positives are a given in any security system, but an overly responsive system can overwhelm SOC teams and artificially bury true threats in the noise. The ease of customizing policies will also impact alert management heavily.
Pricing Information & Availability
Incident response is very often offered as a service by cybersecurity outsourcing specialists. However, strictly technology-based IR platforms like those listed above are available to SOCs and in-house enterprise IT security teams. These offerings are often part of a suite from vendors specializing in cybersecurity software, in which case they may be bundled with endpoint protection and antivirus applications from the same vendor. Vendors of IR software will boast integrations with popular SIEM applications or other IT automation applications.