Incident response doesn’t have to be automated. However, software that independently triggers actions on detecting an intrusion or malware activity is becoming more widely available. This type of incident response system is called SOAR, which stands for “Security Orchestration, Automation, and Response”.
SOAR systems connect attack identifiers through analysis utilities and on to defense systems that shut down the attack and reverse any damage that occurred. SOAR is almost synonymous with an Intrusion Prevention System (IPS). However, SOAR integrates another leading attack detection standard: SIEM.
Here is our list of the seven best incident response tools:
- SolarWinds Security Event Manager EDITOR’S CHOICE A SIEM tool that includes analysis and action triggers that make it an incident response tool. Start a 30-day free trial.
- ManageEngine Log360 (FREE TRIAL) This SIEM generates notifications to service desk systems for incident response. Runs on Windows Server. Start a 30-day free trial.
- AT&T Cybersecurity USM Anywhere A full cloud-based SOAR service built around AlienVault OSSIM.
- Splunk Phantom An attack investigation system and response automation tool. This system plugs in as an add-on to the standard Splunk tool or any other SIEM system.
- CrowdStrike Falcon Insight A hybrid solution that supports attack detection by coordinating event data gathered from every endpoint on a network.
- Exabeam A SaaS security platform that includes a SIEM, analytics, and automated incident response.
- LogRhythm SIEM A next-gen SIEM platform that includes user and entity behavior analytics, threat hunting, and a SOAR.
SIEM stands for “Security Information and Event Management”. It forms the detection part of SOAR and relies on two strategies: security information management, which examines log files for signs of malicious activity, and security event management, which examines traffic patterns on a network and other live indicators.
As SIEM is a major part of SOAR, the vendors of SIEM tools are at the cutting edge of SOAR, expanding their expertise into the fields of threat analysis and incident response. The other big players in the field of incident response are the producers of antivirus systems. These companies have long been in the business of seeking out malware and removing it. To provide a full incident response tool, they just need to add the defense against hacker activity and intrusion to their armory.
The best incident response tools
Although industries are often overturned by disruptive and innovative newcomers, established and experienced businesses that adapt their expertise to new techniques generally prevail. In the field of incident response, software houses that have a strong background in cybersecurity systems offer the best incident response tools.
Using this set of criteria, we looked for a range of incident response services that will integrate with the security services that already operate on your network.
Our methodology for selecting an incident response system
We reviewed the market for incident response tools and analyzed the options based on the following criteria:
- Links from detection to resolution systems
- Coordination with access rights managers and firewalls
- Customizable action rules
- Action logging
- Live status reports
- A free trial or a demo option for a risk-free assessment opportunity
- Value for money that is provided by an automated system at a reasonable price
1. SolarWinds Security Event Manager (FREE TRIAL)
SolarWinds excels at system monitoring and it approached its incident response tool development from that starting point. Despite being called the Security Event Manager (SEM), this tool is a Security Information Manager (SIM). It searches through log files to identify possible malicious activity. This puts the tool in the SIEM category of security solutions and SolarWinds has pushed the boundaries of this format to reach into incident response territory.
Key Features:
- On-premises for Windows Server
- Threat prioritization
- Customizable rules
- Integrates with Active Directory
- Connects to firewalls
SolarWinds includes a module with SEM that is called Active Response. This is the final phase in making SEM a full incident detection and response service. The SIM detects anomalies and refines threat priorities, providing a triage service through an alerting mechanism. An alert can be left to just inform an operator who is then in a position to decide on mitigation actions. However, if Active Response is turned on, a lot of the manual labor of responding to events can be wiped out.
Active Response is a rule base of triggering events and actions – Trigger A launches Action X. Letting a system tool implement response might be considered a danger. However, those action rules are customizable and the operator can decide how far the SEM should go in running the response system. The types of actions that the SEM can launch include launching a trace, suspending a user account in Active Directory, or updating a firewall table to block access from a specific IP address. All of these actions can be reversed because they are all documented.
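To make the “Trigger A launches Action X” rule base concrete, here is a small response engine written for this article. It is illustrative code, not SolarWinds’ Active Response implementation: the rule names, event fields, threshold and the in-memory stand-ins for a firewall table and a directory account flag are all assumptions. It shows the three properties the paragraph describes: rules are customizable, an operator can keep a rule in “recommend only” mode, and every action is documented with its target so that it can be reversed.

```python
# Added illustrative code: a minimal trigger/action response engine in the
# style of the rule base described above. Not SolarWinds' Active Response
# implementation; rule names, event fields and action targets are assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass
class Event:
    kind: str       # e.g. "auth_failure"
    user: str
    src_ip: str


@dataclass
class Rule:
    name: str
    trigger: Callable[["Event", "ResponseEngine"], bool]
    action: str         # key into ResponseEngine.ACTIONS
    auto: bool = True   # False: record the recommendation and wait for an operator


class ResponseEngine:
    # each action is a pair of (apply method, undo method) so it can be reversed
    ACTIONS = {
        "block_ip": ("block_ip", "unblock_ip"),
        "suspend_user": ("suspend_user", "unsuspend_user"),
    }

    def __init__(self, rules, threshold=5):
        self.rules = rules
        self.threshold = threshold       # failed logins before the rule fires
        self.failures = Counter()        # (user, src_ip) -> failures seen
        self.blocked_ips = set()         # stands in for a firewall table
        self.suspended_users = set()     # stands in for a directory account flag
        self.action_log = []             # every action is documented here

    def block_ip(self, ev):
        self.blocked_ips.add(ev.src_ip)
        return ev.src_ip

    def unblock_ip(self, target):
        self.blocked_ips.discard(target)

    def suspend_user(self, ev):
        self.suspended_users.add(ev.user)
        return ev.user

    def unsuspend_user(self, target):
        self.suspended_users.discard(target)

    def ingest(self, ev):
        """Update counters, then evaluate every rule against the event."""
        if ev.kind == "auth_failure":
            self.failures[(ev.user, ev.src_ip)] += 1
        return [self._execute(rule, ev) for rule in self.rules if rule.trigger(ev, self)]

    def _execute(self, rule, ev):
        apply_name, undo_name = self.ACTIONS[rule.action]
        entry = {"rule": rule.name, "action": rule.action, "undo": undo_name}
        if rule.auto:
            entry["target"] = getattr(self, apply_name)(ev)
            entry["status"] = "applied"
        else:
            entry["target"] = ev.src_ip if rule.action == "block_ip" else ev.user
            entry["status"] = "pending_approval"
        self.action_log.append(entry)
        return entry

    def reverse(self, index):
        """Undo a logged action; possible only because the target was recorded."""
        entry = self.action_log[index]
        if entry["status"] == "applied":
            getattr(self, entry["undo"])(entry["target"])
            entry["status"] = "reversed"
        return entry


def brute_force(ev, engine):
    # fires exactly once, when the failure count reaches the threshold
    return ev.kind == "auth_failure" and engine.failures[(ev.user, ev.src_ip)] == engine.threshold


RULES = [
    Rule("brute-force: block source address", brute_force, "block_ip"),
    Rule("brute-force: suspend account", brute_force, "suspend_user", auto=False),
]


def demo():
    """Five constructed failed logins for one account from one address."""
    engine = ResponseEngine(RULES)
    for _ in range(5):
        engine.ingest(Event("auth_failure", "alice", "203.0.113.7"))
    return engine


if __name__ == "__main__":
    eng = demo()
    for entry in eng.action_log:
        print(entry)
    print(eng.reverse(0))
```

With the second rule set to `auto=False`, the engine only records a pending entry for the account suspension, which is the operator deciding “how far the SEM should go”; the first entry is applied immediately and `reverse(0)` removes the block again from the logged target.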
The software for SolarWinds Security Event Manager installs on Windows Server. You can put it through its paces with a 30-day free trial.
Pros:
- Offers incident response tools as well as automated remediation and prevention
- Enterprise focused SIEM with a wide range of integrations
- Simple log filtering, no need to learn a custom query language
- Dozens of templates allow administrators to start using SEM with little setup or customization
- The historical analysis tool helps find anomalous behavior and outliers in the network
Cons:
- SEM is an advanced SIEM product built for professionals and requires time to learn fully
EDITOR’S CHOICE
With SolarWinds Security Event Manager you will never miss a security event anywhere on your network. SEM is also great for responding to threats in real time with the Active Response module, where you can set rules to trigger actions. A must-have tool.
Start 30-day Free Trial: solarwinds.com/security-event-manager/use-cases/incident-response-software
OS: Windows Server
2. ManageEngine Log360 (FREE TRIAL)
ManageEngine Log360 is an on-premises SIEM that collects data from multiple systems and searches through a pool of log messages for indicators of an attack. The tool doesn’t implement response directly but sends notifications through service desk systems to get the immediate attention of system technicians.
- Searches sites and cloud platforms
- Consolidates log formats
- Threat detection
- Log management
The Log360 package includes a library of agents – one for each operating system and also for cloud platforms, such as AWS and Azure. You install the agents on each endpoint and cloud account. It then collects all log messages from the operating system and software packages. The tool gets Windows Events from Windows systems and Syslog messages from Linux. The agents can interact with more than 700 software packages to extract operational data.
The agents forward log messages to a central log server. This converts all arriving messages into a standard format. With the logs standardized, they can be collected together in the Log360 data viewer and also in log files. The log server manages log storage, rotating files and storing them in a meaningful directory structure. This is important because logs need to be accessible for compliance auditing if you need to be certified for a data protection standard. The Log360 package includes compliance reporting for HIPAA, PCI DSS, FISMA, SOX, GDPR, and GLBA.
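The step that makes cross-source threat hunting possible is converting every arriving message into one standard record, so that a Linux Syslog line and a Windows event can be compared on the same fields. The following parser is written for this article and is not ManageEngine’s code or format: the common schema (`ts`, `host`, `source`, `event`, `user`, `src_ip`), the Syslog year assumption, the JSON shape used for the Windows event and the sample log lines are all constructed; the Windows event IDs 4624 and 4625 are the real logon success and failure IDs.

```python
# Added illustrative code: normalize Syslog lines and Windows security events
# (constructed here as JSON) into one schema, then correlate across sources.
# Not ManageEngine Log360's format; the schema and sample lines are constructed.
import json
import re
from datetime import datetime, timezone

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

# assumed subset of Windows security event IDs
WINDOWS_EVENT_NAMES = {4624: "logon_success", 4625: "auth_failure"}


def parse_syslog(line, year=2024):
    """Syslog has no year in its timestamp, so one is assumed (labelled here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    rec = {"ts": ts.isoformat(), "host": m["host"], "source": "syslog",
           "event": m["app"], "user": None, "src_ip": None, "raw": line}
    f = SSH_FAIL_RE.search(m["msg"])
    if f:   # the only message type this toy parser understands in depth
        rec.update(event="auth_failure", user=f["user"], src_ip=f["ip"])
    return rec


def parse_windows_event(json_line):
    """Windows events arrive structured; only the field names need mapping."""
    ev = json.loads(json_line)
    return {"ts": ev["TimeCreated"], "host": ev["Computer"], "source": "windows",
            "event": WINDOWS_EVENT_NAMES.get(ev["EventID"], f"event_{ev['EventID']}"),
            "user": ev.get("TargetUserName"), "src_ip": ev.get("IpAddress"), "raw": json_line}


def normalize(lines):
    out = []
    for line in lines:
        rec = parse_windows_event(line) if line.lstrip().startswith("{") else parse_syslog(line)
        if rec:
            out.append(rec)
    return out


def failures_by_source_ip(records):
    """Which hosts saw failed logins from each address, regardless of log source."""
    hosts = {}
    for r in records:
        if r["event"] == "auth_failure" and r["src_ip"]:
            hosts.setdefault(r["src_ip"], set()).add(r["host"])
    return {ip: sorted(h) for ip, h in hosts.items()}


# constructed sample input: three Syslog lines and two Windows events
SAMPLE_LINES = [
    "Jan 12 10:15:32 web01 sshd[1234]: Failed password for invalid user admin from 198.51.100.9 port 4422 ssh2",
    "Jan 12 10:15:35 web01 sshd[1234]: Failed password for root from 198.51.100.9 port 4423 ssh2",
    "Jan 12 10:15:40 db01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    '{"TimeCreated": "2024-01-12T10:15:41Z", "Computer": "WS01", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "198.51.100.9"}',
    '{"TimeCreated": "2024-01-12T10:16:02Z", "Computer": "WS01", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.5"}',
]

if __name__ == "__main__":
    records = normalize(SAMPLE_LINES)
    for r in records:
        print(r["ts"], r["source"], r["host"], r["event"], r["user"], r["src_ip"])
    print(failures_by_source_ip(records))
```

Once both sources share a schema, the same address failing against a Linux web server and a Windows workstation shows up as one finding; in the raw formats it would have been two unrelated strings.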
The dashboard shows live statistics on log message throughput and the results of the threat detection scans. The console has a data viewer that shows log messages as they arrive. It is also possible to load in a log file. The data viewer includes tools for analysis.
ManageEngine provides a threat intelligence feed that collates information about hacker attacks and intrusion events that are happening all over the world. Getting information on the current attack strategies gives the threat hunting function in Log360 a better idea of what to look for. The system deals with a large volume of data that is added to constantly and getting directions on what to look for first speeds up the threat detection process.
When the threat hunter in Log360 discovers suspicious activity, it generates an alert. You can view alerts in the dashboard, but it is also possible to have them fed through to your service desk system. The tool can work with ManageEngine ServiceDesk Plus, Jira, and Kayako. The priority given to Log360 within your service desk system is up to the policy that you set up in the team management tool. You can decide to route Log360 alerts to specific team members and also add a priority rating.
The server for ManageEngine Log360 installs on Windows Server. You can assess the package with a 30-day free trial.
Pros:
- Consolidates logs from many sources
- Collects Syslog, Windows events, and application logs
- Routes notifications through service desk systems
- Compliance reporting
Cons:
- No server software for Linux
ManageEngine Log360 Start 30-day FREE Trial
3. AT&T Cybersecurity USM Anywhere
Up until recently, this system security package was called AlienVault Unified Security Management. AlienVault was acquired by AT&T in 2018 and the new owners have retired the old AlienVault brand.
- Cloud-based
- Based on OSSIM
- Proactive system hardening
USM Anywhere is the paid version of the widely praised free open source AlienVault OSSIM – AT&T left the AlienVault name on that product. OSSIM stands for “open source security information management”. It is a widely-used SIEM tool and it forms the core of USM Anywhere.
The OSSIM section of USM Anywhere is a data gatherer and threat analyzer. The service searches through log files and scans network traffic looking for signs of malicious activity. With USM Anywhere, the system monitoring features of OSSIM are heightened with hardware and software asset discovery plus inventory management starting off the whole process. The SIEM system consolidates and files log messages, providing access to those records through a viewer that includes sorting and search facilities.
USM Anywhere adds vulnerability assessment algorithms to its network scanning routines. The asset management and vulnerability scans enable system managers to become aware of configuration weaknesses that can be dealt with in order to harden the system.
System monitoring is controlled from AT&T servers in the cloud. The service is able to protect all of the assets of a subscribing business, including multiple locations and also AWS and Azure cloud servers.
USM Anywhere is a SOAR because it includes data gathering from third-party sources, threat intelligence feeds, threat prioritization, and automated responses, which include interaction with other services, such as firewalls. The threat intelligence feed comes from the Open Threat Exchange (OTX), an AlienVault-managed, crowd-provided threat information platform.
This is a cloud service that includes storage space and a reporting engine as well as cybersecurity services. Report templates that are formatted for data security standards are included in the package. AT&T Cybersecurity USM Anywhere is a subscription service with three editions: Essentials, Standard, and Premium. The main difference between these plans lies in the data retention period. The Essentials plan doesn’t include automated incident response mechanisms or interaction with third-party utilities for orchestration.
Pros:
- Available for Mac and Windows
- Can scan log files as well as provide vulnerability assessment reports based on devices and applications scanned on the network
- User-powered portal allows customers to share their threat data to improve the system
- Uses artificial intelligence to aid administrators in hunting down threats
Cons:
- Would like to see a longer trial period
- Would like to see more integration options into other security tools
4. Splunk Phantom
Splunk Phantom is a SOAR system and it is part of a wider platform that is called Splunk Security Operations Suite. Automated incident response is included in the Splunk Phantom functionality.
- On-premises or cloud
- Response playbooks
- Guided root cause analysis
Central to the Splunk Phantom system is a concept of “playbooks”. These are automated workflows that create process chains to detect anomalies by deploying a selection of available tools. Workflows include conditional branching that can lead to the launch of mitigation actions. These workflows can be launched manually or set to run continuously on a loop, looking for problems.
The user can assemble custom playbooks through a graphical editing screen. The designer looks like a flowchart editor. Each box in the playbook represents a process. Flows can branch and create separate threads that run simultaneously.
Incident responses don’t have to be launched automatically. The Phantom system includes a collaboration module that supports incident management. This note maker system helps teams explore the output of an investigative playbook.
Phantom Mission Guidance is an intuitive guide for analysis. This system makes suggestions of possible explanations for discoveries, prompting further analysis to confirm or rule out a possible scenario.
Phantom doesn’t automatically monitor systems. You need the main system of Splunk as a data source. However, if you don’t want to pay out for two tools, you can get the free version of Splunk. There isn’t a free version of Splunk Phantom. Splunk and Splunk Phantom can be installed on Windows, Linux, macOS, FreeBSD, Solaris 11, and AIX.
Pros:
- Offers root cause analysis for faster remediation
- Managers can design threat playbooks – great for bringing new team members up to speed
- Supports Windows, Linux, macOS, and a variety of other environments
- Supports a free version – great for testing
Cons:
- Better suited for enterprise networks
5. CrowdStrike Falcon Insight
CrowdStrike Falcon Insight is an incident response service. This is a human-based consultancy that can be contracted to clean up after a security breach. Customers are only likely to contact that service when they find out that they have already had a security incident.
- Hybrid system
- Coordinates events on endpoints
- Will run on offline endpoints
- Technical response team
The tools that the technicians of CrowdStrike’s Incident Response team use are also marketed to businesses as part of a suite of security software, called CrowdStrike Falcon.
CrowdStrike Falcon is a security platform. It includes many elements, each of which covers a different aspect of infrastructure or service for security research. The modules in the Falcon platform all work together in order to completely protect a system.
Falcon Insight is an Endpoint Detection and Response (EDR) service. This is an evolved antivirus system. However, it doesn’t replace an AV, because the Falcon suite includes a next-gen AV, called Falcon Prevent. Falcon Insight’s specialized role is to coordinate defense strategies between many endpoints on a network.
The Falcon platform combines on-premises software and a cloud-based element that creates a dual focus for security services. The installed element is what would pass for an antivirus system. The advantage of having the software installed on each endpoint is that it can continue to work even if the internet connection goes down or if there is a problem with the network. The cloud part of the service aggregates data from all endpoints on a site to create a view of network activity. Falcon Insight bridges between these two elements.
The endpoint software provides immediate protection while the central data consolidator acts as a SIEM tool, analyzing event records uploaded by the endpoint agents to look for patterns of behavior that would indicate an intrusion or some other type of system-wide attack. The central Falcon service also updates all endpoints with new detection strategies, so the coordination of many instances creates a security network.
Falcon Insight works in concert with other elements in the platform to create a SOAR. The priority task of Falcon Insight in this team project is to identify and prioritize potential threats. This is known as “triage” in incident response. It cuts mitigation time by identifying the point of activity most likely to spread further, enabling defense strategies to home in on the location of a new attack.
CrowdStrike markets the Falcon platform in packages. Every package includes Falcon Prevent, the next-gen antivirus system. The four plans offered by CrowdStrike are Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete. Every one of these editions except for Falcon Pro includes Falcon Insight.
Overall, each element in the suite of services in the platform has its own specialist methodologies and the combination of these creates a unified security service that is stronger than the sum of its parts.
Falcon Insight combines the traditional activities of an AV and a firewall that protect a device with the data scanning features of a SIEM tool. This is an imaginative reinterpretation of pre-existing technologies that provides a hardened defense system through a platform strategy.
The Falcon plans are charged for by subscription with a rate per endpoint per month. You can get a 15-day free trial of the Falcon system, although this only includes Falcon Prevent.
Pros:
- Doesn’t rely on log files alone for threat detection; uses process scanning to find threats right away
- Acts as a hybrid SIEM/SOAR product
- Can track and alert on anomalous behavior over time, and improves the longer it monitors the network
- Can install either on-premises or directly into a cloud-based architecture
- Lightweight agents won’t slow down servers or end-user devices
Cons:
- Would benefit from a longer trial period
6. Exabeam
Exabeam is a security operations suite that is based on a SIEM. The service is hosted and so you also get the processing power and storage space on the Exabeam servers. The SIEM requires data collection agents to be installed on-site. These collect log messages and upload them to the Exabeam server. This source data is collated and unified into the Exabeam Data Lake, which is the source for both the SIEM and analytical functions in the Exabeam console.
- Cloud-based
- Implements SOAR
- Response playbooks
The security suite includes a User and Entity Behavior Analytics (UEBA) module, called Exabeam Advanced Analytics, which is an AI-based machine learning process that examines typical activity to set a benchmark and then identify deviations from that norm.
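The benchmark-then-deviation idea behind a UEBA module can be shown with a simple per-user, per-metric z-score. This example is written for this article and is not Exabeam’s Advanced Analytics algorithm (which the page describes only as AI-based machine learning); the users, metrics, history lengths, the 3-sigma threshold and the minimum-history rule are all constructed assumptions. It also handles two edge cases a practitioner hits immediately: a new account with no baseline yet, and a perfectly regular history whose standard deviation is zero.

```python
# Added illustrative code: baseline a user's normal activity and flag deviations.
# Not Exabeam's algorithm; users, metrics, values and thresholds are constructed.
from statistics import fmean, pstdev

MIN_HISTORY = 7          # days of history needed before a baseline is trusted


def z_score(history, value):
    """Deviation of value from the user's history, or None without a baseline."""
    if len(history) < MIN_HISTORY:
        return None
    mu, sigma = fmean(history), pstdev(history)
    if sigma == 0:       # perfectly regular history: any change is maximal
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect_deviations(baselines, today, threshold=3.0):
    """Return (user, metric, z) for today's values that deviate from the benchmark,
    and (user, metric, "no_baseline") where no benchmark exists yet."""
    findings = []
    for user, metrics in today.items():
        for metric, value in metrics.items():
            z = z_score(baselines.get(user, {}).get(metric, []), value)
            if z is None:
                findings.append((user, metric, "no_baseline"))
            elif abs(z) >= threshold:
                findings.append((user, metric, round(z, 1)))
    return findings


# constructed histories: 14 days for alice, 7 days for bob; carol is a new account
BASELINES = {
    "alice": {"upload_mb": [48, 52, 50, 47, 55, 49, 51, 50, 53, 46, 50, 52, 49, 48],
              "login_hour": [9, 9, 8, 10, 9, 9, 8, 9, 10, 9, 9, 8, 9, 9]},
    "bob": {"upload_mb": [10, 12, 11, 9, 10, 11, 10],
            "login_hour": [14, 14, 14, 14, 14, 14, 14]},
}
# constructed values for today: alice uploads ~18x her norm, bob logs in at 03:00
TODAY = {
    "alice": {"upload_mb": 900, "login_hour": 9},
    "bob": {"upload_mb": 11, "login_hour": 3},
    "carol": {"upload_mb": 5},
}

if __name__ == "__main__":
    for finding in detect_deviations(BASELINES, TODAY):
        print(finding)
```

A “no_baseline” finding is deliberately kept separate from a deviation: treating a new account as an anomaly floods the queue, but silently ignoring it hides the period in which an attacker-created account has no norm to violate.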
Incident responses can be launched manually through the console, or set to run automatically through Exabeam’s SOAR mechanism. The Exabeam Incident Responder is based on “playbooks”. These are workflows that define actions to be launched on the detection of a particular event. Playbooks can also create action guidance for manual response workflows. Completion of each step in a playbook is logged, providing an audit trail for compliance reporting.
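Both Splunk Phantom (above) and Exabeam describe playbooks as workflows with conditional branching, optional manual steps, and a log of each completed step. The runner below is written for this article and is not either vendor’s implementation: the step names, the context fields, the constructed threat-intelligence set and the stand-in actions are assumptions. It shows a decision branch, a step that pauses until an analyst approves it, and an audit trail that records every step whether it ran, paused or branched away.

```python
# Added illustrative code: a playbook runner with conditional branching, a
# manual-approval step and a per-step audit trail. Not Splunk Phantom's or
# Exabeam's implementation; steps, context fields and intel set are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class Step:
    name: str
    run: Callable[[dict], dict]          # returns facts to merge into the context
    on_true: Optional[str] = None        # next step when result["decision"] is true
    on_false: Optional[str] = None       # next step when it is false
    manual: bool = False                 # pause here until an analyst approves


class Playbook:
    def __init__(self, steps, start):
        self.steps = {s.name: s for s in steps}
        self.start = start
        self.paused_at = None
        self.audit = []                  # completion of each step is logged here

    def _log(self, step, status, result=None):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "step": step, "status": status, "result": result})

    def execute(self, context, approvals=()):
        """Run from the start (or from the paused step); returns (status, context)."""
        name = self.paused_at or self.start
        while name:
            step = self.steps[name]
            if step.manual and name not in approvals:
                self.paused_at = name
                self._log(name, "awaiting_approval")
                return "paused", context
            result = step.run(context)
            context.update(result)
            self._log(name, "done", result)
            name = step.on_true if result.get("decision", True) else step.on_false
        self.paused_at = None
        return "completed", context


THREAT_INTEL = {"203.0.113.7"}   # constructed sample feed


def lookup_ip(ctx):
    hit = ctx["src_ip"] in THREAT_INTEL
    return {"intel_hit": hit, "decision": hit}


def isolate_host(ctx):
    # a real step would call the endpoint or network-access-control API here
    return {"isolated": ctx["host"], "decision": True}


def open_ticket(ctx):
    return {"ticket": f"IR-{ctx['host']}", "decision": True}


def build_playbook():
    return Playbook([
        Step("lookup_ip", lookup_ip, on_true="isolate_host", on_false="open_ticket"),
        Step("isolate_host", isolate_host, on_true="open_ticket", manual=True),
        Step("open_ticket", open_ticket),
    ], start="lookup_ip")


if __name__ == "__main__":
    pb = build_playbook()
    status, ctx = pb.execute({"host": "ws01", "src_ip": "203.0.113.7"})
    print(status)                                     # paused at the manual step
    status, ctx = pb.execute(ctx, approvals={"isolate_host"})
    print(status, ctx)
    for entry in pb.audit:
        print(entry)
```

The same playbook serves both modes the text mentions: with the isolation step marked `manual` it becomes action guidance for an analyst, and with `manual=False` it runs end to end on its own, with the audit list as the compliance record either way.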
Exabeam offers good value for the money and excellent closed-loop services by combining the UEBA and SOAR systems together with the SIEM – many rival products charge separately for each module.
As it is an online service, you don’t need to worry about maintaining software. The console is accessed through any standard browser. Exabeam also offers an archiving service that can be added to an Exabeam package to hold logfile archives.
The Exabeam SaaS is available on a free trial.
Pros:
- Supports incident response workflows, playbooks, and automation
- Offers useful query features for filtering large datasets
- Can be used for compliance reporting and internal audits for HIPAA, PCI DSS, etc.
- Offers data archiving as a service – great for companies looking to record their threat data
Cons:
- The interface could use improvement – simpler layout, better graphing, etc.
7. LogRhythm SIEM
LogRhythm NextGen SIEM Platform provides modules of services to detect and shut down security threats. The system includes live monitoring tools that provide an extra service to users while also gathering information to feed into the SIEM. These are NetMon for network monitoring and SysMon for endpoint monitoring. SysMon also gathers log messages to upload to the LogRhythm server. The receiving log server is called AnalytiX.
- Cloud-based
- Uses SOAR
- Remediation workflows
AnalytiX offers a data viewer with rudimentary analysis tools such as searching and sorting. The final two modules of LogRhythm SIEM are DetectX, which is a threat hunting system, and RespondX which is a SOAR. The automated incident response services are contained in RespondX. Subscribers to LogRhythm have the option of upgrading DetectX by adding UserXDR, which is a user and entity behavior analytics system to refine anomaly detection.
RespondX, as a SOAR, is able to interact with third-party tools, such as firewalls to implement lockdown routines. The core incident response module of the SOAR is called SmartResponse Automation. This offers a workflow option that will trigger automatically according to pre-set or customized rules.
LogRhythm is available as a cloud-based service. It can also be acquired for installation on-premises with software that runs on Windows Server. LogRhythm can also be delivered as a network appliance.
Pros:
- Uses simple wizards to set up log collection and other security tasks, making it a more beginner-friendly tool
- Sleek interface, highly customizable, and visually appealing
- Leverages artificial intelligence and machine learning for behavior analysis
- Does an excellent job at live data processing
Cons:
- Would like to see a trial option
Choosing an incident response tool
A good source of incident response tools is SIEM suppliers who have expanded their core product to create SOAR platforms. The other main category of incident response tool suppliers is cybersecurity service companies that offer attack mitigation services. The technicians of these businesses developed in-house tools for their jobs, and many of those also get released to the wider business community. Exploring all sources of security software, we have identified some very good options.
- Prepare
- Identify
- Contain
- Eradicate
- Restore
- Learn
- Test and Repeat