Security operation centers (SOCs) are encountering threats that quickly swivel from a hands-on keyboard attack to a wide-scale and destructive ransomware attack, or even a complex nation-state attack. Current triage and remediation by alert will likely fail in such situations.

While alerts are a good starting point for investigation, they don't help defenders to efficiently remediate the severity, effects, and spread of an attack. Security teams need to shift away from queues of isolated alerts and toward incidents that enable handling of entire end-to-end attacks.

Moving from an alert-based triage and remediation system to one built around comprehensive incident remediation can have huge advantages, from time and resource savings, a hugely lifted burden from security teams, and overall strengthening of your security posture built on a zero-trust, defense-in-depth approach:

The SOC needs to adapt and scale its processes as threat protection evolves. Take four immediate actions to start this journey.

1. Switch Triage From Alerts to Incidents
Whether your SOC uses a SIEM or an XDR security product for initial triage, ensure it can present meaningful correlated incidents on top of alerts. Prioritize your incident queue based on parameters important to you, such as potential risk from this threat, the scope of the techniques and kill-chain progress, and the criticality of affected assets.

Map your SOC playbooks to incident categories like phishing, ransomware, and adware. Define, per incident category, what the SOC analyst should do to quickly understand if the incident is a true threat or a false alarm, and to immediately stop it from progressing.

Provide guidance for investigation of individual incident alerts, based on stage or technique. Ensure all attacker activities and affected assets in the incident are discovered and captured — this forms the basis for the incident remediation plan.

Finally, after considering the full incident, including all affected assets and evidence, invoke remediation actions across affected assets to return them to a clean operational state.

2. Automate
Mapping SOC playbooks to incidents in a structured and durable manner enables coordinated process automation. Some incident categories can be handled fully automatically and resolved end to end without SOC attention. For others, some parts may be automated (e.g., initial triage, remediation in bulk), while others requiring expertise remain manual (e.g., investigation). Automation should leverage the incident graph to determine where and how to assist analysts, saving repetitive manual work and enabling the SOC to focus on the more complex and high-risk incidents.

3. Bring the Team Along
Take time to explain the benefits of working with correlated incidents and how this approach changes the game for defenders. Explore the MITRE ATT&CK framework and use it to structure your SOC playbook guidance for incidents such that it scales and is durable. When a new alert detects exfiltration and it's mapped to the appropriate tactic or technique, existing guidance applies and there's no need for special alert onboarding or new guidance.

Record actions taken on prior cases — integrated into your security tools — and use this data to help analysts understand how to better deal with new incidents and tune processes over time. Extending these learnings into industrywide collaboration can have tremendous benefits for the organization and the entire security community.

4. Try Before You Buy
Look for a security product that enables your organization to shift to incidents and supports this SOC process evolution. It should implement automatic correlation of alerts into incidents, prioritization, incident categorization, and the ability to map your SOC playbooks at the incident and alert level to MITRE ATT&CK tactics and techniques.

Don't forget customization — each organization has preferences and special processes. Find products that integrate recommendations for action based on incident history within the organization and across the industry.