What impression do you get when you come across the term case management? Well, case management does not mean incident response; however, it is an important component.
Let’s create a clear picture with a common scenario. In an ABC company, the security operations center (SOC) analysts and incident response team are investigating a potentially malicious activity. They perform several searches to comprehend the nature and extent of that activity and determine if it poses a real risk. They struggle to organize the data gathered from their searches, which leads to difficulties in analyzing that data, resulting in erroneous assumptions. All they want is to collaborate and be able to access a centralized repository of documentation pertaining to ongoing investigations that can be managed in one place. This is where case management becomes essential.
Simply put, case management is a practice that enables security teams to accelerate investigations with accurate information and collected logs on a single platform.
Between March and April 2021, Aite interviewed 12 private independent SOAR vendors and reviewed their product capabilities for its research report, and Cyware was one of them. The Aite Impact Report highlights the SOAR market, vendors, and their product categories and capabilities with an aim to assist Aite clients in making better decisions when choosing a SOAR product.
Case Management: A Collaborative Process
Case management is a function of next-generation SOAR solutions that modern-day organizations must consider. An advanced SOAR platform features an element of case management that relies on both human-to-human and human-to-machine interaction. While human-to-human associations signify discussion and collaboration between team members, human-to-machine involvement revolves around the interactivity between the SOAR solution and security teams. As both security teams and tools progress in the same direction, the mean-time-to-respond (MTTR) for every case is reduced and case management workflow is streamlined. Furthermore, an organization can allocate specific roles to different security professionals who add value to its team.
A Single Pane of Glass
SOAR solutions provide case management, allowing security analysts to create a case to further investigate an incident. It is an integral component of a SOAR solution as it acts as the repository of investigation outcomes. The unique feature of case management is that it allows security analysts to add artifacts to a case, for instance, a suspicious email from a suspected phishing cyberattack.
Case management provides a path for collaboration, authorizing a security analyst the capability to invite other security personnel or individuals outside his/her organization to give their opinion or examine artifacts relevant to a case.
Some SOAR vendors refer to this avenue of collaboration as a war room and they create command centers or on-demand war rooms to stimulate incident response. Basically, case management involves the collection and protection of digital forensics data concerning a case. Advanced SOAR solutions have the ability to identify the situation when multiple analysts are investigating the same incident, thereby consolidating cases to eliminate effort duplication and considerably save time. This allows analysts to handle their cases in a workbench environment, wherein all the activities occur in a single place without having to leap between disparate security tools to scrutinize and respond to incidents. That is why this work area is commonly referred to as a “single pane of glass.”
Let’s Understand Cyware’s Case Management Capabilities
Cyware designed Cyware Fusion and Threat Response (CFTR) and Cyware Security Orchestration Layer (CSOL) as its SOAR solution to address sophisticated threats. While CFTR is a threat response automation platform that amalgamates cyber fusion and advanced SOAR capabilities, CSOL is a security orchestration gateway that allows you to execute on-demand or event-triggered tasks across different environments at machine speed. Case management is one of the key features that exist within CFTR and CSOL.
If you are looking for a SOAR platform to take case management to new operational heights, CFTR layered with CSOL, is the right choice for you. CFTR lets you create a single pane of glass view for SOC, threat hunting, threat intelligence, and incident response teams to collaboratively observe, align, determine, and act against threats. This platform allows SOC teams to coherently handle several related threats or incidents from a single dashboard, leveraging appropriate threat intelligence ingestion, streamlined workflow automation, and comprehensive campaign management to minimize noise, false alarms, and overall MTTR. On the other hand, CSOL supports “any-to-any” tool orchestration across various deployment environments with automated playbooks, flexible APIs, and full customization features. A key aspect of Cyware’s case management capabilities is that it complies with the NIST SP 800-61 Computer Security Incident Handling Guide.
In a Nutshell
A modern-day SOAR platform equipped with case management capabilities empowers security analysts to share any case with other collaborators. Every collaborator can append evidence and additional notes to speed up the detection and response process. All their activities can be tracked as a component of the case history, giving out real-time updates and a tamper-proof audit chain. Moreover, case management allows organizations to significantly enhance their efficiency and maturity of incident response capabilities and security operations.