Incident response systems

IRP (Incident Response Platform) and SOAR (Security Orchestration, Automation and Response) systems are tools that the bank uses to formalize incident response processes: from recording to recovery.  The platforms integrate with SIEM, DLP, EDR, IAM, firewall and other systems, ensuring automatic execution of playbooks (instructions) when threats occur.

Key functions:

• Detection of incidents through signals from SIEM, IDS/IPS, EDR and other sources;
• Classification by criticality, type, impact area and potential damage;
• Automatic execution of reactions: host isolation, IP blocking, access revocation, etc.;
• Launch of notification, investigation, escalation and documentation procedures;
• Incident lifecycle management;
• Storage of response history, reporting, RCA (root cause analysis) support;
• Integration with external CERT/SOC and compliance with NIST, ISO 27035, SWIFT CSP standards.

Who works with the system inside the bank:

• SOC / CSIRT (operational response team)
• Information security service
• IT infrastructure and DevSecOps
• Internal audit and risk management service
• Digital team and system owners (in case of incidents in business products)

System owners:

• Chief Information Security Officer (CISO) - strategic response
• SOC manager - operational management and analysis
• CIO/CTO - infrastructure, integrations, recovery SLA