Emerging paradigms of attack challenge enterprise cybersecurity with sophisticated custom-built tools, unpredictable patterns of exploitation, and an increasing ability to adapt to cyber defenses. As a result, organizations continue to experience incidents and suffer losses. The responsibility to respond to cybersecurity incidents lies with the incident response (IR) function. We argue that (1) organizations must develop ‘agility’ in their IR process to respond swiftly and efficiently to sophisticated and potent cyber threats, and (2) Real-time analytics (RTA) gives organizations a unique opportunity to drive their IR process in an agile manner by detecting cybersecurity incidents quickly and responding to them proactively. To better understand how organizations can use RTA to enable IR agility, we analyzed in-depth data from twenty expert interviews using a contingent resource-based view. The results informed a framework explaining how organizations enable agile characteristics (swiftness, flexibility, and innovation) in the IR process using the key features of the RTA capability (complex event processing, decision automation, and on-demand and continuous data analysis) to detect and respond to cybersecurity incidents as-they-occur which, in turn, improves their overall enterprise cybersecurity performance.

新兴的攻击范例以复杂的定制工具，不可预测的利用模式以及不断增强的适应网络防御的能力，对企业网络安全提出了挑战。结果，组织继续经历事件并遭受损失。响应网络安全事件的责任在于事件响应（IR）功能。我们认为（1）组织必须在其IR流程中发展“敏捷性”，以快速有效地应对复杂而强大的网络威胁；（2）实时分析（RTA）为组织提供了一个独特的机会来推动其IR流程快速检测网络安全事件并主动做出响应，从而以一种敏捷的方式。为了更好地了解组织如何使用RTA来实现IR敏捷性，我们使用基于资源的偶然性观点，分析了来自二十位专家访谈的深入数据。结果为一个框架提供了解释，该框架解释了组织如何使用RTA功能的关键功能（复杂事件处理，决策自动化以及按需和连续数据分析）在IR流程中实现敏捷特性（敏捷，灵活和创新）并对发生的网络安全事件做出响应，从而提高了其整体企业网络安全性能。