Incident Response: Whose Job is It?

Hacking red and blue digital binary code matrix 01 background. Hacker, dark web, matrix, Digital data code in safety security technology concept. 3D rendering

Effective Incident Response (IR) always involves the IT security professionals who know their business and cybersecurity posture best. But whose job is it to actually respond to incidents, and what are the best practices?

Defining “Response”

“Incident Response” is an ambiguous term that cybersecurity vendors and IT pros use loosely and sometimes end up speaking past each other. It’s important to remember that “response” comes in multiple stages. When it comes to cybersecurity monitoring, the Department of Homeland Security mantra of “See Something? Say Something!” applies. The first step is to ensure visibility with wide attack surface coverage, deep threat intelligence, and smart incident correlation.

With effective Detection in place, Incident Response is the "Say Something" part; and we'd add "Do Something." Technically speaking this consists of:

  • Alert Escalation
  • Threat Isolation
  • Risk Eradication
  • Analysis & Recovery

These are what we consider the three stages of Incident Response:

Who Owns Response?

No single party can effectively own response in its entirety. The organization impacted is ultimately held responsible, and there is no outsourcing that fact. However, your trusted cybersecurity partner should work with you to create an Incident Response playbook to determine swim lanes of responsibility.

Beyond that, it takes a village to respond and identify who is best to do which role in IR.

We propose that 24x7 Managed Extended Detection & Response (MXDR) provider be responsible for monitoring, aka “See Something,” as well as for the initial response - “Say Something”… and even some of the “Do Something.” The capabilities of MXDR help to identify threats sooner with always-on monitoring, proactive threat hunting, and automated and guided remediation paired with wide attack surface coverage. The organization’s MSP should be responsible for further action, hands-on system changes and updating policies to prevent further occurrences.

Incident Response Best Practices

Optimize detection and response with these practical steps:

1.) Enlist 24x7 Managed Detection & Response Professionals 

Managed security providers like Netsurion learn your environment, monitor it closely, and offer guided threat response. Consider a combination of skilled security analysts and an open XDR platform to accelerate and optimize your IR response rates. Furthermore, enlist partners for hands-on Digital Forensics and Incident Response (DFIR) should a breach occur.

2.) Leverage Automated Incident Response as a Force Multiplier 

Automated response capabilities use workflows to take immediate triage actions, automate remedial tasks, and orchestrate activity between multiple systems. For example, an automated response workflow could include:

  • Terminating unknown processes immediately
  • Monitoring propagation of suspected malware
  • Suspending accounts that violate policies
  • Generating an incident report in your management platform

3.) Share the Load

By working with a dedicated Managed XDR partner who guides you through defining your SecOps runbook and Incident Response playbook, you can free up your team to work on other projects while being ready to respond to cybersecurity incidents quickly and efficiently.

Netsurion Brings it all Together

Netsurion offers both automated response by our Open XDR platform and guided remediation by our 24x7 SOC. Our SOC experts work with you to create a more efficient response that uses less of your organization’s resources. Learn more about Netsurion Incident Response and check out “Four Key Steps to Rapid Incidence Response.”

Reach out to us at to learn more about how we can help manage your Incident Response.

Read more Netsurion guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.