{"id":5003,"date":"2023-01-12T08:00:00","date_gmt":"2023-01-12T08:00:00","guid":{"rendered":"http:\/\/www.sumologic.com\/blog\/quickest-response-not-best-cybersecurity"},"modified":"2025-06-17T10:22:18","modified_gmt":"2025-06-17T18:22:18","slug":"quickest-response-not-best-cybersecurity","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/blog\/quickest-response-not-best-cybersecurity","title":{"rendered":"Why the quickest response is not always the best in cybersecurity"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0d652506f82b000a392973813b918ee25d5b4211 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-1f7b3997080fc292474d26ff00c905d99d3520fa e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-a1b32f66e1749758df41d5aea14f647cd10e362c e-div--card-btn-link\"><div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1400\" height=\"400\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/quickest-response-header-1.png\" alt=\"Automation + Expertise\" class=\"wp-image-5002\" title=\"\"><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-62d015d47d6a42f8ddf47ed2ab64c854\">The need for fast <a href=\"https:\/\/www.sumologic.com\/glossary\/incident-response\/\">incident response<\/a> is a given. No industry professional would deny how critical a rapid response is when dealing with a cyber threat and an incident. However, it is equally important to understand that the quickest response is not always the best in cybersecurity. 
Security operations centers (SOCs) and organizations must factor in other variables, too, when preparing for the inevitable, as <a href=\"https:\/\/www.forbes.com\/sites\/chuckbrooks\/2022\/06\/03\/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know\/?sh=4e720c7e7864\" target=\"_blank\" rel=\"noopener\">recent cyber stats<\/a> suggest.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-750dc360b6105eb3e15b8638ea2687b9\">What are the constituent elements of a robust incident response besides speed? Read on for practical pointers to help you achieve your organization\u2019s incident response goals.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-70e40cada9788b6089b9b86120af008d\" id=\"what_makes_a_good_incident_response_plan?\">What makes a good incident response plan?<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-510ba34df93023159195c504da210f66\">Cyber attacks and incidents inevitably happen. No one is immune to them.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3617f5b28cb32cd5e10a16fcb9a28108\">Regardless of whether they are internal or external \u2014 network security breaches, ransomware attacks, accidental sensitive data exposures, or disgruntled former employees \u2014 threats lurk in the shadows of any organization\u2019s daily routines. 
The best practice is to prepare well for the unavoidable.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7832b341e7ae48d0c2a99ad5f70856a3\">In practical terms, preparation means developing an incident response plan that includes solid cybersecurity risk management and well-structured standard operating procedures.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-182c442ebbbd72978ce2166365de5929\">A good incident response plan needs to:<\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-00fa5cf0c53760391738b4c16d7238ef\">Be manageable and actionable<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-28b636a2d4070b518d3c60ef0684a7b0\">Let you address different problems and cyber risks<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-fdd9e7b4f12ae01d06c387bf2dba5bfa\">Prescribe the use of only the services and technologies suitable for your organization<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8162e4a50234998d0fa4d4ea749704e0\">Account for compliance, policy, and general legal demands<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2572764db63c4c31e33497fcfe822ecd\">Set specific roles for organization members<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1758df0d3458b24411657d442d6738ba\">Assign the right people in the right places<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-14c1640563ea6551c1db8507a1bdf7ae\">Enable and foster high-quality communication between an organization\u2019s 
members<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4fe59c47632ca5bce0f76024a7a9eccf\">Regular drills and tests allow everyone involved to internalize your plan\u2019s principles, spot any shortcomings, make adjustments, and achieve the necessary readiness for cyber attacks and incidents.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-06d3a1b10561b4dd94a861574e91237c\" id=\"standard_operating_procedures:_what_are_they,_and_how_do_they_help?\">Standard operating procedures: what are they, and how do they help?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-217ae007379603eb39823afb2a317715\" id=\"what_are_standard_operating_procedures_(sops)?\">What are standard operating procedures (SOPs)?<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-32886f4cdaabb4135a25eff01957f421\"><a href=\"https:\/\/www.sumologic.com\/glossary\/standard-operating-procedures-sops\/\">Standard operating procedures<\/a> are structured processes or workflows optimized for anticipated cyber risk scenarios. They lay out the details of a specific course of action organizations must follow closely to ensure the success of their incident response strategy. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e48e4fcbe9fc0b37bcc1b0d7dab6f0e4\">Cybersecurity professionals are not the only ones responsible for dealing with a cyber attack or, for that matter, any other type of security or cyber incident. When a security incident occurs, the entire organization must work together in a coordinated way.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d267a30377529286b477cfcf650c309c\">SOPs do precisely that \u2014 enable everyone to be on the same page and understand their role in coordinated cybersecurity threat response. 
In addition, they cover compliance and legal requirements, which is essential for regulated industries.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-1130174333f5bc02c9b9e02c035753bf\" id=\"how_are_sops_related_to_an_incident_response_plan?\">How are SOPs related to an incident response plan?<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da2beab3c296a7cac78d4d82d70475bd\">SOPs are variations on a theme \u2014 blueprints for implementing your incident response plan in various concrete scenarios. That is why security solutions such as security orchestration, automation and response (<a href=\"https:\/\/www.sumologic.com\/glossary\/soar\/\">SOAR<\/a>) emphasize <a href=\"https:\/\/www.sumologic.com\/blog\/how-soar-improves-standard-operating-procedures-sop\/\">elaborate SOPs<\/a> so much.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e30f8203637e56240cc530001b337dc3\">Incident response and, by extension, SOPs require speed and efficiency. Two key features that help you to achieve these objectives are <a href=\"https:\/\/www.sumologic.com\/blog\/flexible-incident-response-playbooks-for-any-situation\/\">incident response playbooks<\/a> and <a href=\"https:\/\/www.sumologic.com\/blog\/uncovering-the-powers-of-cloud-soars-open-integration-framework\/\">integrations<\/a>. 
You can considerably decrease incident response time and increase incident response efficiency by: <\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-04bf1cc71ff2afbf4ae0601762fe0c0e\">Automating workflows via playbooks<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-60e25d11655678d2b226d47e147954a8\">Adding, customizing, and using external tools (integrations) in your playbooks<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-60830273d3aa2ec19aef1894b32d594b\">Orchestrating your suite of tools through playbooks<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b6babc9b4dffe055e2a7cbb230f3f924\">Undoubtedly, playbooks are essential in building SOPs, and many security solutions meet the speed and efficiency criteria through these vessels of automation. However, there is more to incident response than structured processes, playbooks, and speed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-9a84ca51edd3295689fc2efa6ed1cdc8\" id=\"human_expertise:_the_critical_element_in_security_incident_response_\">Human expertise: the critical element in security incident response <\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-469d141d24d658ddfa475624d77b1fbc\" id=\"unpredictability_and_incident_response_\">Unpredictability and incident response <\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c02a8f7410ff8ce23fd56322e29cb311\">Structured processes and playbooks make a quick response possible. However, there\u2019s always unpredictability that can render even the most diligently crafted SOPs and playbooks ineffective. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a55c99a042278d6888ebc9c7a599bd28\">True, one of the principal points of a formalized incident response plan is to cover as many incident scenarios as possible in advance. However, the problem is that there is often (probably always) a gap between a plan, how it plays out in practice, and reality itself. No matter how minor and subtle, this gap may prove dangerous if we neglect it. Therefore, in cybersecurity, we must reckon with unpredictability and search for an adequate solution. <\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-5bc1d35e9be7369c18ac650f8d2bf200\" id=\"the_indispensable_role_of_human_expertise_in_incident_management\">The indispensable role of human expertise in incident management<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-bcb66fa43497d22ad9033d2d2be1ee7a\">Though it may sound elusive, the solution is human expertise. Stopping the catastrophic spread of the <a href=\"https:\/\/www.malwarebytes.com\/wannacry\" target=\"_blank\" rel=\"noopener\">WannaCry ransomware<\/a> in 2017 showed that sometimes a single expert is all it takes to prevent a digital disaster of global proportions. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3e770b2f95d59ae2ee05c156f326ceb6\">SOPs and playbooks do not invariably offer everything analysts need. For example, if reading the information collected automatically by a SOAR platform raises doubts about the efficacy of your standard approach (laid out in a SOP), you may have to stray from the original plan. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c47283eb924d8dff9c9febdbfa72e750\">Under these circumstances, activating processes outside a given playbook and formalized incident response plan is not just valid but necessary. 
That is true even if the appropriate response comes down to a single tool action not included in the original blueprint. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-313a025ae47f54c048428aae386da53f\">Chances are that a human analyst taking charge of a newly encountered situation will not produce the fastest possible response; averting the threat may require time and thorough analysis. Simply activating a playbook and following a pre-established procedure would be easier and faster. However, if the standard response does not fit the new situation, it can be the quickest response possible and still accomplish nothing, or even do harm, for instance by containing the wrong host or alerting an intruder who is still inside the environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-8177addc59c416dcc15c2f2060a0da99\" id=\"security_automation_and_incident_response:_does_automation_replace_humans?\">Security automation and incident response: does automation replace humans?<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-862b9b6fa5576b491198ca5656a6e814\">Security automation, in the sense of a fully automated response, shortens incident response time. But speed is not a goal in itself in cybersecurity, nor is automation. The true objective is the optimal response for the situation at hand, and reaching it often requires the analyst to intervene, since an automated response is not automatically an optimal one. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1721724c091c224c054aab3f964d9ecb\"><a href=\"https:\/\/www.sumologic.com\/blog\/soar-doesnt-replace-humans-it-makes-them-more-efficient\/\">Security automation does not replace humans<\/a>; it supplements their work. Optimal incident response requires sound judgment, based on experience and evidence, that allows you to do the right thing in a given situation. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2150433ba28051aad2a37a11616c3314\">But automation is ideal for managing laborious and repetitive tasks such as alert triage, information gathering, and threat intelligence. With arduous, mundane, and numbing assignments out of the way, it is easier for analysts to use their problem-solving skills and expertise to focus on what counts the most: <\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6526e6d6cb6e9715fd82370535fa0dcb\">Address novel threats and challenges<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-40f6cfce2c65dcf1e133f8c763552339\">Overcome unforeseen or overlooked complications that might ambush the acting out of pre-established response procedures<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-afaa0e39aa704b5a301def402e8e30e8\" id=\"sumo_logic\u2019s_soar_vision:_security_analysts_in_control\">Sumo Logic\u2019s SOAR vision: security analysts in control<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5564a093d5aa20769bc9811ba920b943\">Sumo Logic\u2019s SOAR, Cloud SOAR, allows analysts\u2019 expertise to shine by enabling them to orchestrate additional actions and processes according to their findings without leaving the platform. By \u201cadditional,\u201d we mean outside of a pre-established formalized response. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1a85b246375fdd7f5cf7f8a74bdb620f\">Once analysts respond effectively to an incident, improving and adjusting a standard procedure and playbook to handle a similar case in the future is a breeze.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a8e49c65ee23dff99f6e25924004e72c\">In addition, Cloud SOAR gathers and displays all the incident information in its war room and in the SecOps dashboard, analysts can find just value tasks where human control is fundamental. These two features provide across-the-board visibility, which is key to effective cybersecurity incident management. Security professionals like you can: <\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-efd48805c379f2f1686da40512194cb6\">Assess various, unfamiliar, situations<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ff0d64aab577d765ec6a310ab5fe0aa0\">Understand related incident events well<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c4b57771eb9f0920fba91ad8a7fa2d3b\">Settle on a plan of action via information sharing and close collaboration<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-19a1e34be09e307054413f2d6e306cfb\">Launch a response in real time<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6a9b9fff4198769bd546ec586ff0fb5d\">It can take time to connect the dots of all the incident-related information, go over the relevant details, communicate the findings with the rest of the team and organization, and come to an actionable conclusion. Indeed, this may postpone the response to a threat. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3464407b2d764108c19ec5fa18f66800\">Nonetheless, making a data-driven decision backed up by expertise and including everyone concerned in the decision-making process makes for a much better response than blindly following a fast, pre-established response procedure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-b7c98970829c5f572b778b26a37b1682\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8c24b43def7c444748118b2512fb3710\">A well-developed, tested and proved incident response plan is vital in cybersecurity. It results in a quicker response time, but speed is not the only important element that SOCs and organizations should strive for. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e7ac0a89d219dff7c5130d1bc0eb4153\">Human expertise, close team collaboration, and seamless communication may not always lead to the quickest response. They result in the optimal response.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-05d24cb0ad62233539986acccafc8d43\">Not everyone places as much emphasis on the human factor as Sumo Logic. 
Learn more in our <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.sumologic.com\/guides\/soar\/\">ultimate guide to SOAR<\/a>.<br><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":121,"featured_media":0,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"5","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[133,127],"blog-tag":[]},"selected_primary_terms":[],"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"4668,71369,71176","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[133,127],"blog-tag":[],"class_list":["post-5003","blog","type-blog","status-publish","hentry","blog-category-cloud-soar","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/5003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/users\/121"}],"version-
history":[{"count":3,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/5003\/revisions"}],"predecessor-version":[{"id":26871,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/5003\/revisions\/26871"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media?parent=5003"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-category?post=5003"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-tag?post=5003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}