Incident Handling and Management Tools for Microsoft Windows and Applications

Managing incidents using the techniques you have learned in this chapter requires that you collect and deal with a substantial amount of information. Improve your team’s performance and make the entire process smoother by identifying and acquiring the right tools to help run the process. Two basic types of tools can aid in your work. The first type helps manage the CSIRT’s activities and gather information about the incident response process. The second type collects information about the incident itself. You’ll learn about several tools of both types in this section.

CSIRT process management tools help team members collect and organize information about managing incidents. These tools assist the CSIRT with the normal, day-to-day responsibilities of managing the information flow and status of current and historical incidents. These CSIRT responsibilities include:

  • Tracking incidents

  • Reporting on incidents

  • Archiving incident reports

  • Communicating incident information

You can find a growing number of software packages specifically designed to help CSIRTs manage the process of incident response. In the past, most of the process of handling incidents was manual. New software tools are emerging that attempt to automate some of the tasks required to respond to incidents. These new tools are collectively called Security Orchestration, Automation and Response (SOAR) tools. SOAR tools help CSIRT teams coordinate information from multiple sources, automate initial Incident Response (IR) tasks, and organize the steps to effectively respond to incidents. TABLE 13-5 lists some incident process management tools.

TABLE 13-5 Incident Process Management Tools

PRODUCT                                       WEBSITE
D3 SOAR                                       http://www.d3security.com/
SAI Global Incident Management Software       https://www.saiglobal.com/en-us/compliance_and_risk/compliance_360/apps/incident_management_software/
PagerDuty                                     https://www.pagerduty.com/
Rsam Incident Management                      http://www.rsam.com/
xMatters                                      https://www.xmatters.com/
Request Tracker for Incident Response (RTIR)  http://www.bestpractical.com/index.html
OpsGenie                                      https://www.opsgenie.com/

© Jones & Bartlett Learning.
