At #18 on our list of “Top 20” SOC Capability Areas is Case Management. Getting started, many new Security Operations teams utilize a basic ticketing or incident response (IR) workflow capability for this operational need. But eventually find they need more structured investigative analysis and reporting capabilities than what traditional IR systems provide.
First, what is a “case”? Over-simplifying things for brevity, and focusing strictly on digital “incident management”, a “case” is basically a logical collection of cyber incidents and/or suspicious activity that demand a more formal and comprehensive investigation. Perhaps resulting from, but certainly involving, some level of digital forensics analysis as described in an earlier article.
This could be a situation that demands a legal (e.g., cyber fraud) or counter-intelligence (e.g., espionage) type of investigation. Such investigations typically require some type of “analyst’s notebook” or formal Case Management System (CMS) capability, that goes beyond basic incident response workflow, to coordinate the broad range of staff and legally-defensible investigative activities. Integrating directly with a suite of Digital Forensics tools ranging from memory imaging to packet capture analysis (PCAP). Providing the digital equivalent of a physical binder of information being collected by investigators.
On the surface, it may appear that a basic ticketing or incident response (IR) workflow capability would be sufficient to support this operational need. But formal, legally defensible practices such as Fraud Examinations, or intellectual property theft investigation, demand more structured investigative analysis and reporting capabilities than what traditional IR systems provide. This is especially true with multinational organizations that need to do investigations on a global scale involving certified investigative professionals and possibly law enforcement.
As with detailed Digital Forensics, most small-to-medium sized organizations typically do not invest in building such formal investigative teams and technologies in-house. But those that do will quickly realize how critical these CMS capabilities are for their investigative processes to be effective and defensible.
This article barely scratches the surface of the need for Case Management capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Case Management capabilities to support your own Security Operations efforts.