What a SOAR platform’s case management capability should include
Effective case management takes things a step further by giving security analysts access to a single case record view to analyze dynamically and interact with all data and components related to an incident.
When you hear security orchestration, automation and response (SOAR), case management isn’t typically the first thing that comes to mind. But case management is a fundamental component of a sophisticated SOAR platform and where it truly comes to life for a security team.
SOAR platforms consolidate disparate tools and run complex automated workflows. However, effective case management takes things a step further by giving security analysts access to a single case record view to analyze dynamically and interact with all data and components related to an incident.
Ease of use
SOAR platforms should deliver rapid insights gleaned by centralizing alert data from multiple sources, and those insights should be presented in an easy-to-understand visual format. Ease of use is critical. The ideal scenario includes the ability to incorporate visualization directly within the individual case record, including views pulled in from third-party systems to facilitate incident resolution and enable analysts to work within standardized processes.
#SOAR platforms should capture relevant, real-time and enriched #incident data to drive case management and speed up investigations.
A #SOAR solution should recognize alerts from multiple sources and be able to analyze them for commonalities.
Enriched incident data
A SOAR solution should recognize alerts from multiple sources and be able to analyze them for commonalities. Copy and paste should no longer be the norm when trying to consolidate data from disparate tools. When sever alerts arise from a single event, a SOAR platform should automatically add them to a single case, keeping the team from duplicating efforts and hunting for details in various places. This streamlines case management, allowing analysts to manage more cases in less time.
Dynamic interaction with all data and related actions
Rather than acting only as an evidence locker, a SOAR platform should also provide dynamic case management that combines automation, orchestration and analyst activities. While overlapping security tools may be unavoidable, the security team shouldn’t have to toggle between different tools and technologies to respond to and remediate an alert—even when there are many alerts for a single threat. From any record, an analyst should be able to instantly execute an array of correlated investigatory actions specific to that case. For example, your security analysts should be able to easily view the details of an attack targeting a single endpoint. From that individual case record, they can then initiate a search using your security information and event management (SIEM) or endpoint detection and response (EDR) to locate any other devices that may have also been targeted by the same attack—without ever having to leave the original case record.
In addition to automation and orchestration, SOAR platforms should capture relevant, real-time and enriched incident data to drive case management and speed up investigations. Don’t forget that a SOAR solution’s case management capability should also be fully interactive and tightly integrated with your incident response workflow. This ties together the entire incident response process, resulting in a dynamic defense that can adapt to address an infinite number of relevant use cases and keep your organization more secure.
*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Sydni Williams-Shaw. Read the original post at: https://swimlane.com/blog/soar-case-management/
