SOC Capability Area #18) Case Management

First, what is a “case”? Over-simplifying things for brevity, and focusing strictly on digital “incident management”, a “case” is basically a logical collection of cyber incidents and/or suspicious activity that demand a more formal and comprehensive investigation. Perhaps resulting from, but certainly involving, some level of digital forensics analysis as described in an earlier article.

This could be a situation that demands a legal (e.g., cyber fraud) or counter-intelligence (e.g., espionage) type of investigation. Such investigations typically require some type of “analyst’s notebook” or formal Case Management System (CMS) capability, that goes beyond basic incident response workflow, to coordinate the broad range of staff and legally-defensible investigative activities. Integrating directly with a suite of Digital Forensics tools ranging from memory imaging to packet capture analysis (PCAP). Providing the digital equivalent of a physical binder of information being collected by investigators.

On the surface, it may appear that a basic ticketing or incident response (IR) workflow capability would be sufficient to support this operational need. But formal, legally defensible practices such as Fraud Examinations, or intellectual property theft investigation, demand more structured investigative analysis and reporting capabilities than what traditional IR systems provide. This is especially true with multinational organizations that need to do investigations on a global scale involving certified investigative professionals and possibly law enforcement.

As with detailed Digital Forensics, most small-to-medium sized organizations typically do not invest in building such formal investigative teams and technologies in-house. But those that do will quickly realize how critical these CMS capabilities are for their investigative processes to be effective and defensible.