How are you improving automations for incident response processes, especially when it comes to data collection or incident investigation? What successes have you achieved so far and what gaps remain?
In the realm of operational technology, automation may not be feasible due to isolated systems. Relying on human expertise and leveraging third-party tools for data collection and offline analysis can help, but regular threat hunting exercises are also crucial to identify gaps in detection engineering and make improvements that can help you make progress towards automation. Writing detailed playbooks is important, but they must be accessible and practical; if the playbook is a 50-page document, no one will have the patience to go through all of that during an incident. Generative AI can help analysts understand the right steps to take next in these cases, streamlining the process.
It's important to leverage vendors and partners like Palo Alto or Amazon, who often have larger teams and advanced tools that can quickly analyze your environment. They can assist in reaching root causes more efficiently. You should also consider your cyber liability insurance and how deep you can dive into investigations without invalidating your policy. Remember: you are not an island, so use your partners to your advantage.
Detection engineering is key, and that starts with understanding what normal looks like in your environment. Building automation and IR playbooks is challenging if you're constantly in incident response mode. By focusing on detection engineering and risk scoring behaviors, we can surface relevant information to analysts and enable more informed decisions. Customizing and engineering solutions for your specific environment is essential, because out-of-the-box solutions rarely fit perfectly.
Automation is vital in incident response, particularly for data collection and correlation. We save significant time by automating the collection of logs from various endpoints and devices, as well as forensic images. Tools like SOAR (Security Orchestration, Automation, and Response) and RPA (Robotic Process Automation) help bring all this data into the analyst's view, streamlining the process, which is crucial when time is of the essence. Automation allows us to quickly analyze that data against top threats or attack chains, speeding up the investigation process while still allowing for manual threat hunting.
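The two replies above describe risk scoring behaviours so that analysts see only what matters, and automating the collection and correlation of endpoint logs against attack chains. The following is an added example written for this page, not code from any participant or from any SOAR product. It assumes a constructed, simplified JSON-lines event format (fields host, event, process, parent, cmdline, target) and illustrative behaviour labels, stages and point values; real EDR and SIEM schemas and any vendor's scoring model will differ.

```python
"""Risk scoring and correlation over logs collected from several endpoints.

Added example for this thread, not any poster's or product's code. The event
schema, behaviour list, stages and point values are all constructed and
illustrative.
"""
import json
from collections import defaultdict

# Constructed sample events, as a collection playbook might pull from endpoints.
COLLECTED_LOGS = """
{"host": "ws-01", "event": "process_start", "parent": "WINWORD.EXE", "process": "cmd.exe", "cmdline": "cmd.exe /c start"}
{"host": "ws-01", "event": "process_start", "parent": "cmd.exe", "process": "schtasks.exe", "cmdline": "schtasks.exe /create /tn Updater"}
{"host": "ws-01", "event": "process_access", "process": "cmd.exe", "target": "lsass.exe"}
{"host": "ws-02", "event": "process_start", "parent": "explorer.exe", "process": "powershell.exe", "cmdline": "powershell.exe -File report.ps1"}
{"host": "ws-02", "event": "logon_failed", "user": "jsmith"}
{"host": "ws-02", "event": "logon_failed", "user": "jsmith"}
{"host": "srv-01", "event": "logon_failed", "user": "admin"}
{"host": "srv-01", "event": "logon_failed", "user": "admin"}
{"host": "srv-01", "event": "logon_failed", "user": "admin"}
{"host": "srv-01", "event": "logon_failed", "user": "admin"}
{"host": "srv-01", "event": "logon_failed", "user": "admin"}
{"host": "srv-01", "event": "process_start", "parent": "services.exe", "process": "schtasks.exe", "cmdline": "schtasks.exe /query"}
"""

# Behaviour label -> (points, attack-chain stage, analyst-facing rationale).
# Illustrative values, not a vendor's scoring model.
BEHAVIOURS = {
    "office_spawns_shell": (40, "execution", "Office application spawned a command shell"),
    "new_scheduled_task": (20, "persistence", "Scheduled task created"),
    "lsass_access": (50, "credential_access", "Process opened a handle to lsass.exe"),
    "failed_logon_burst": (15, "initial_access", "Burst of failed logons"),
}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
CHAIN_BONUS_PER_STAGE = 20  # extra points for each distinct stage beyond the first


def parse_logs(text):
    """Parse JSON lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count and alert on these instead
    return events


def classify(event):
    """Map one raw event to zero or more behaviour labels."""
    labels = []
    kind = event.get("event")
    proc = event.get("process", "").lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "").lower()
    if kind == "process_start":
        if parent in OFFICE_APPS and proc in SHELLS:
            labels.append("office_spawns_shell")
        if proc == "schtasks.exe" and "/create" in cmdline:
            labels.append("new_scheduled_task")
    elif kind == "process_access" and event.get("target", "").lower() == "lsass.exe":
        labels.append("lsass_access")
    return labels


def _add(entry, label, suffix=""):
    """Apply one behaviour's points, stage and rationale to a host entry."""
    points, stage, why = BEHAVIOURS[label]
    entry["score"] += points
    entry["stages"].add(stage)
    entry["findings"].append(why + suffix)


def score_hosts(events, failed_logon_threshold=5):
    """Aggregate per-host scores and findings; reward multi-stage chains."""
    hosts = defaultdict(lambda: {"score": 0, "stages": set(), "findings": []})
    failed_logons = defaultdict(int)
    for ev in events:
        host = ev.get("host", "unknown")
        if ev.get("event") == "logon_failed":
            failed_logons[host] += 1  # counted, scored only once over threshold
        for label in classify(ev):
            _add(hosts[host], label)
    for host, n in failed_logons.items():
        if n >= failed_logon_threshold:
            _add(hosts[host], "failed_logon_burst", f" ({n} attempts)")
    for entry in hosts.values():
        # Several distinct stages on one host look like a chain, not noise.
        entry["score"] += CHAIN_BONUS_PER_STAGE * max(len(entry["stages"]) - 1, 0)
        entry["stages"] = sorted(entry["stages"])
    return dict(hosts)


def triage(events, threshold=50):
    """Return (host, score, findings) for hosts at or above threshold, highest first."""
    ranked = [(h, d["score"], d["findings"])
              for h, d in score_hosts(events).items() if d["score"] >= threshold]
    return sorted(ranked, key=lambda item: -item[1])


if __name__ == "__main__":
    for host, score, findings in triage(parse_logs(COLLECTED_LOGS)):
        print(f"{host}: {score}")
        for finding in findings:
            print(f"  - {finding}")
```

On the constructed input only ws-01 is surfaced: three behaviours from different stages on one host push it well over the threshold, while srv-01's failed-logon burst alone stays below it and is left for periodic threat hunting rather than an immediate alert. The threshold, point values and chain bonus are the knobs that get tuned against what normal looks like in a given environment.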
I employ a hybrid model, using AI tools and third-party applications, but fostering a learning environment is the most important part of that. Pairing experienced individuals with younger team members keeps everyone challenged and engaged. It's crucial to avoid complacency and create an environment where different talents work together to solve incidents more efficiently. We combine this approach with third-party support, like a 24/7 SOC, to enhance our response capabilities.