Regardless of whether an organization is operating with an in-person, hybrid, or remote workforce, SOC teams must be able to implement the four principles of handling cyber incidents—communicate, coordinate, investigate, and escalate. And to do this effectively, they need a cohesive control structure that can provide visibility into these four elements, thereby enabling the organization to quickly recover and continue operations after an incident is discovered. This capability is especially critical as cyber-attacks increase in frequency and complexity. And constant network development, the growth in connected devices, and an increasingly distributed workforce have only amplified the likelihood of a successful breach. To address this level of complexity in the event of a crisis scenario, it is essential for there to be a unified focal point within the SOC. An integrated crisis management center is vital for security teams when critical alerts occur, and incident response needs to be escalated dynamically across the organization.
However, the very complexity that has increased the risk profile of many organizations has also made it more difficult to coordinate an effective response. Many modern-day SOC challenges—such as the volume of alerts, extensive manual processes, staffing shortages, and overall cyber fatigue (teams often are constantly catching up on their never-ending workload)—make it difficult for SOC teams to be proactive. This complexity also makes it difficult for them to prepare for a crisis scenario. Every crisis poses a wide range of variables, each impacting what response tactics would need to be executed.
Fortinet’s ForiSOAR 7.0 addresses these challenges head-on by delivering advanced tools—such as case management, orchestration, and automation—to enable an adaptive, swift, and coordinated response to a crisis.
Considerations for a Successful Crisis Response Strategy for SOC Teams
Developing and achieving a successful crisis response strategy comes through the ability to take control. This is dictated the SOC team’s ability to address critical issues surrounding the four key areas of control:
Can the team rapidly provide shared situational awareness across the entire organization? Are internal communication channels in place for contacting various stakeholders, such as the legal, PR, and HR teams, executive staff, a company spokesperson, etc.? Are they able to share data, strategize, and have real-time discussions in a synchronized capacity?
How fast can the team adapt from typical day-to-day SOC activity to the escalation of a full-blown crisis scenario, including simultaneously tracking and analyzing the cyber event in real-time?
How quickly can the team fluidly coordinate with each other once a crisis scenario has developed? Are chains of command in place? Are teams, duties, and processes segmented, both inside and outside the SOC, to prevent a fragmented response? Are critical personnel able to easily manage essential tasks, including having the authority to marshal resources and make decisions?
Do investigation and response teams have the capability to centralize their investigation within one singular center for complete insight and control? Do they have the ability to turn critical intelligence into actionable data—such as identifying what assets have been impacted and then being able to take action to protect or isolate those assets during the investigation?
FortiSOAR’s War Room
One of the most critical resources needed for incident response is quickly assembling critical data and key personnel into a war room. FortiSOAR’s Incident War Room technology provides a fully integrated crisis management approach – tying together each resource required during a crisis in a central location from which to take action. This resource allows security teams to strategize and assemble a strong response in minutes—which can be the difference between a chaotic, fragmented approach and a focused, adaptive, and swift response.
FortiSOAR’s Incident War Room empowers teams to quickly assemble critical team members and resources so the response team can work together and enable cross-functional collaboration beyond the organization’s SOC. Connecting SOC analysts to necessary information and then allowing them to cross-coordinate with critical groups such as HR, legal, and other key stakeholders is essential for effective crisis management. And once the enterprise has connected the various pertinent teams, or an MSSP has included their customer for situational awareness, the FortiSOAR Incident War Room provides a wide array of essential capabilities.
For example, the incident response team can leverage a workbench that provides a complete view into the details of the crisis, such as task management, the time elapsed, what assets have been impacted, what has been analyzed, and the types of threats that have been discovered. Teams also can utilize incident summaries and reports to provide regular updates to key stakeholders, along with built-in communications for real-time conversations. And because these scenarios can be unpredictable, FortiSOAR’s Mobile App can be leveraged to extend the war room’s functionality to facilitate on-the-move coordination and approvals from a user’s device so remote participants can participate in the process, take actions, and support the incident resolution.
FortiSOAR empowers analysts with the features and functions they need to rapidly respond to cyber incidents by pulling together the right people, systems, and information into a unified strategic system. This approach enables teams to quickly collaborate, visualize threats, and make fast-paced decisions to minimize the impact of a cyber event. And with the right tools in place, organizations are positioned to maximize their proactiveness, even during an unpredictable reactive situation, further strengthening the organization’s overall security infrastructure while optimizing the readiness and effectiveness of the SOC team.
Leveraging the Fortinet Security Fabric
Harmonized coordination during incident response is vital for every organization. However, whatever management technologies are in place will inevitably dictate the approach an organization can take and how effectively a security team can respond. Fortinet has designed an automation model that can support SOC teams at every stage of their development, from small operations to global SOC teams.
The Fortinet Security Fabric weaves security and network functions into a unified framework to provide broad visibility and control to analysts and enable automated SOC processes. Its broad portfolio of management systems is designed to grow with organizations, providing the technologies they need to best support their internal framework, culminating with the comprehensive FortiSOAR solution. FortiSOAR supports more developed security teams that require the advanced capabilities of a SOAR solution to optimize processes and accelerate response. Building on FortiAnalzyer for advanced logging and reporting, FortiXDR for extended detection and response, and FortiSIEM for multivendor visibility, FortiSOAR’s dynamically and adaptive functionality enables rapid response during even the most severe crisis management scenarios, which is critical to actively countering an attack.
Find out how FortiSOAR enables SOC teams to accelerate incident response, unify operations, and eliminate alert fatigue.
Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.