Incident Response

Incident response, as the name suggests, is the process of responding to a security incident. Oftentimes, incident response involves a combination of manual and automated approaches, using tools like those described within the glossary for security automation. The level of automation possible depends on the characteristics of the environment, particularly the types of threats encountered — in general, more complex threats require more manual intervention.

Larger organizations tend to have dedicated incident response teams, whose job it is to watch for and respond to confirmed security incidents. Since the volume of alerts in these environments is impractical for analysts to address alone, some of the alert investigation process will be automated. By reducing the time and effort required to validate alerts (and reject false positives), incident response teams are able to react to incidents in progress more quickly. This, in turn, limits the damage that an attacker can cause.