When you hear security orchestration, automation and response (SOAR), case management isn’t typically the first thing that comes to mind. But case management is a fundamental component of a sophisticated SOAR platform and is where it truly comes to life for a security team.
SOAR platforms consolidate disparate tools and run complex automated workflows. However, effective case management takes things a step further by giving security analysts access to a single case record view to analyze dynamically and interact with all data and components related to an incident.
What is Case Management?
Case management involves the collection, analysis, enrichment and response to security-related alerts and events in a single collaboration hub. Threats are identified and prioritized based on their risk level. Depending on the severity of the threat, the SOAR platform can automate the incident response process or alert SOC analysts for human intervention. Robust case management capabilities will also provide additional context, such as past similar alerts.
Case management is a key component of any modern SOAR platform. Here are the top characteristics your SOAR should include for worthwhile case management:
Ease of Use
SOAR platforms should deliver rapid, automated insights by centralizing alert data from multiple sources. Those insights should be presented in an easy-to-understand visual format. Ease of use is critical.
The ideal scenario includes the ability to incorporate visualization directly within the individual case record, including views pulled in from third-party systems to facilitate incident resolution and enable analysts to work within standardized processes.
Enriched Incident Data in Real-time
There are only so many hours in a day. Analysts shouldn’t spend most of their time gathering information manually. Instead, a modern SOAR platform analyzes and enriches incident data in real-time to speed up the human decision-making process.
It recognizes alerts from multiple sources and is able to analyze them for similarities. When severe alerts arise from a single event, a SOAR platform should automatically add them to a single case, keeping the team from duplicating efforts and hunting for details in various places.
This streamlines case management, allowing analysts to manage more cases in less time.It also helps analysts institutionalize business processes that can ensure compliance standards are maintained.
Automated Detection & Analysis Across Tools
Rather than acting only as an evidence locker, a SOAR platform should also provide dynamic case management that combines automation, orchestration and analyst activities. While overlapping security tools may be unavoidable, the security team shouldn’t have to toggle between different tools and technologies to respond to and remediate an alert—even when there are many alerts for a single threat.
From any record, an analyst should be able to instantly execute an array of correlated investigatory actions specific to that case. For example, your security analysts should be able to easily view the details of an attack targeting a single endpoint. From that individual case record, they can then initiate a search using your security information and event management (SIEM) or endpoint detection and response (EDR) to locate any other devices that may have also been targeted by the same attack—without ever having to leave the original case record.
SOC analysts jump between countless tools to respond to threats. While they might be an expert in some SOC tools, it’s impossible to be an expert in every tool in every security stack. A SOAR platform’s case management should make it easy to perform basic actions in a single location.
One-click remediation triggers basic actions, such as disabling a user or isolating a host. Analysts won’t need to be experts in all the SOC tools to take action where it’s needed. With robust case management, several actions can be triggered in a single tab, as seen above.
Communication plays a crucial role in both proactive threat hunting and incident response within the security operations center (SOC). Security teams need to clearly and quickly relay information about cases to other analysts and engineers within the team. That’s why a modern SOAR platform acts as a collaboration hub for anything and everything security-related.
You should expect inline chat for internal communication, as well as integrations with communication tools to bring external stakeholders into the conversation. It’s important that the SOAR platform brings humans into the loop to stop threats faster and more effectively.
In addition to automation and orchestration, SOAR platforms should capture relevant, real-time and enriched incident data to drive case management and speed up investigations. Don’t forget that a SOAR solution’s case management capability should also be fully interactive and tightly integrated with your incident response workflow. This ties together the entire incident response process, resulting in a dynamic defense that can adapt to address an infinite number of relevant use cases and keep your organization more secure.
Gartner: 2022 SOAR Market Guide
Are you struggling to keep up with the evolving threat landscape? Plagued with staffing shortages and overworked teams? Organizations continue to adopt SOAR solutions to address these key challenges. Download the 2022 Gartner Market Guide for SOAR to learn more.