Automating Incident Response: Setting the Stage
Here is a very interesting article by the well-known digital forensics superhero Brian Carrier.
Many companies want to improve their incident response capabilities and make them more efficient. Automation is often touted as a way to improve response times, but what does automation (or orchestration) mean in DFIR? Can the entire process be automated? Do we want it to be?
To answer those questions, we need to think about incident response differently. This post is the first in a series that dives into what can be automated in DFIR and how to prioritize the implementation of those automations.
This content came out of a talk that I'm giving at the 2016 SANS DFIR Summit. While I love the idea of short 30-minute talks (which we also do at OSDFCon), I realized that there was far too much content to cover in that short period. So, these blog posts will carry the more complete discussion.
In this post, we're going to talk about why we'd automate, how other industries think about automation, and a framework for thinking about automation in IR. It should help you start thinking about your own process and where you should focus your automation efforts.