A security alert, once escalated, becomes an incident, which triggers a standard response process or “playbook” for response for validating its severity and impact. This process is often defined in written documents and typically includes steps for containment, remediation, recovery and lessons-learned, although it varies across enterprises and incident types.
IR Flow includes a dedicated Incident Workbench that provides pre-defined Playbooks that help analysts repeat a standardized incident response process that has been customized for their enterprise. These Playbooks are often codified by senior analysts and executed by junior analysts and are flexible enough to allow workflows to be adjusted “on-the-fly” by inserting new tasks when needed.
IR Flow’s Cyber Translation Framework easily adapts to the unique set of security tools and business requirements of each enterprise. IR Flow supports standard API calls to virtually any third-party system, security infrastructure and IT tools to execute changes for both containment and remediation. Integrations include ticketing systems like JIRA and ServiceNow, as well as the typical array of security tools for firewalls, network security devices and endpoints. Containment and remediation can occur by generating and tracking a ticket through the ticketing system or integrating directly to the security stack via APIs.
IR Flow helps security operations teams quickly process incidents, dynamically adjust the prescribed investigative steps and efficiently manage incidents. By enabling an established process and allowing adjustments as needed, IR Flow enables security teams to respond rapidly to dynamic threats without lengthening time to containment and remediation