Behind the Scenes with the First Responders: An Inside Look at Our New Fully Managed Incident Escalation Service
by Chris Triolo
category Cybersecurity Analysis
tags incident management escalation matrix template, incident management escalation process, itil incident management escalation, types of escalation in incident management
Here at Respond Software, we talk a lot about how our software serves as a force multiplier for our customers’ internal security teams. When machines and humans work together, with each performing the tasks for which they’re best suited, the results—and the overarching benefits—can be extraordinary.
The First Responder Service is our newest offering, though the security operations professionals who staff it are some of the most experienced people in the industry. They’ve helped build and run Security Operations Centers (SOCs) at some of the biggest companies on the planet, and are excited to partner with members of our customers’ security teams to help them transform their SecOps programs into world-class operations.
Inside the First Responder Service Center, we’re hard at work assisting our customers—even those with tiny security teams—to ensure they’ll derive maximum value from our product. We do this by enhancing a critical three-way relationship that’s essential for building a top performing security program that combines the speed and consistency of machines with the creativity and intelligence of humans. This partnership includes the Respond Analyst, our customer’s security team, and our expert First Responders.
The golden triangle: software + humans + readily available expert support
Each partner has a mission-critical role to play in responding to every incident, so we collaborate to draw out and supplement the best parts of our customers’ expertise. Along the way, we maximize the successes of our customers’ security programs and enhance the value they gain from their IT security infrastructure investments.
The Respond Analyst’s intelligent decision engine works at machine speed to analyze security event data from all available sources across your environment, scoping and prioritizing the most important incidents. The customer’s security team monitors the Respond Analyst’s escalations, and contacts our on-call service center whenever a question about an incident arises. The First Responder team is standing by, ready to take your call, to listen to your description of the incident, to ask the right questions, and to advise, guide, and support you in responding to the incident.
The First Responder Service in action
Here’s how it works in practice: email requests are typically answered immediately, and by a person. We take pride in our technical team’s availability and responsiveness. Bridging the gaps between people and software is what we do best, and we’re happy to share our expertise, build relationships—and have some meaningful conversations along the way.
We provide 24x7 infrastructure health monitoring for all of our customers, and with the premium-level support that’s included in the First Responder Service, we’ll proactively reach out to you if our team is alerted to an incident that may have a critical impact on your IT environment.
Most of the calls we handle are initiated by the customer, however. When the phone rings, we’re ready to talk, ask questions, and help you understand the severity of the incident you’re confronting and what actions you need to take.
Each conversation usually proceeds through three phases:
#1: General discussion of the incident.
The questions we ask here include: What happened? Which systems were involved? How did it happen? What are the risks involved? What are the potential impacts to the business? How does this compare to known attack methods? What evidence have you collected that makes this look real?
#2: Specific, customized remediation advice.
During this phase of the call, we’ll discuss: What else should be investigated? Which—if any—additional data sources should your team consult? What remediation actions should you take right now? What specific steps or procedures should you follow? What additional actions should be taken later?
#3: Ongoing dialogue about the health of your deployment.
We’re constantly striving to improve the Respond Analyst’s performance. Often this means adding more data sources for it to ingest, so that its decisions are informed by additional context. So we like to ask: What could we be doing better?
After the initial contact, we remain available for follow-up, to answer questions that may arise in the future, and to offer ongoing support to your team. Members of our First Responder team report that they feel good about their jobs. They enjoy teaching other security analysts how to make the best possible use of the Respond Analyst, and they’re always happy to share their expertise.