Welcome back to our series highlighting features necessary for a modern security incident management platform. We’ve already looked at how these platforms should facilitate continuous learning, and now it’s time to look at user customization.
With such a wide variety of attack types, indicators, and mechanisms prevalent today, incident management built on rigid, one-size-fits-all standardization may no longer be the ideal option. An IM platform with a base of standardization and added layers of user customization is likely to be preferred amid unpredictable attacks.
Let’s go over some user customization capabilities that IM platforms should contain, equipping SOCs for agile response to unpredictable attacks.
Regulations and Standards
With multiple general and industry standards in use today (NIST, CERT, SANS, etc.) and regulatory requirements like the GDPR (General Data Protection Regulation) on the horizon, incident management platforms cannot afford to be married to a single standard anymore. Apart from providing templates aligned to popular standards, SOCs should be able to tailor their platform to custom standards if required.
Care should be taken on two fronts here: firstly, ensuring that users are not made to create all regulation-related material from scratch, and secondly, that users don’t experience lock-in to a particular standard when regulations evolve. Templates, training material, and service support should be provided to get users up to speed with the standard of their choice, and the platform should be flexible enough to adapt to an updated standard without sacrificing overall fidelity and product quality.
Incident Types and Fields
A SOC’s night is usually dark and full of unknown terrors. Locking in pre-defined incident types in such a nebulous battlefield is a mistake. IM platforms should allow for creation of custom incident types as well as incident fields and labels, so that unknown attack types are quickly categorized and SOCs can be ready the next time these attacks rear their heads.
For example, if a SOC uses custom fields to denote incident severity and to govern the subsequent dissemination of incident information (such as the Traffic Light Protocol), then analysts should be able to create a custom TLP incident field and populate it when required.
Incident Summary Layouts
Taking one step back from incident fields, it’s also important to be able to customize the order and grouping in which the fields are made visible to analysts for each incident type. What if Indicators of Compromise (IOCs) and their reputation were of prime importance for one incident type, but timeline information and freestyle analyst comments were more important for another incident type?
IM platforms should have summary templates for popular incident types but also leave analysts free to edit these templates for any case they see fit. Incident identifiers, playbooks used, key pieces of evidence, analyst team information, and any other piece of information that can help define an incident should be made available in summary views, with order and categorization tailored to user needs.
Indicator Types and Fields
A wide variety of attacks might be defined by the same set of malicious indicators, but a lack of indicator visibility and control results in repetitive response actions for each attack that could otherwise have been avoided. Incident management platforms should enable creation of custom indicator types and fields in addition to automatically logging all indicators that show up within incidents.
This indicator-focused customization will ensure that the IM platform is flexible enough to map to conventions of other threat intelligence tools and feeds that the SOC may be using. A complete and updated list of indicators in the IM platform will increase the accuracy of data enrichment and curtail rework while trying to unify information fidelity across security tools.
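As an added example, not Demisto's code or any real platform's API, here is a small Python model of the customization described in the Incident Types and Fields and Indicator Types and Fields sections above: an analyst-defined incident type with a validated custom TLP field, a runtime registry of indicator types (including a SOC-specific asset-tag type), automatic extraction and de-duplication of indicators from an incident's free-text fields, and an export step that maps each indicator to the type name an external feed expects. The type names, regexes, feed naming convention, and sample incident are all constructed for illustration.

```python
"""Added example: customizable incident types, custom fields, and
automatic indicator logging. Not code from any real IM platform."""
import re
from dataclasses import dataclass, field

# Traffic Light Protocol labels. The four TLP 1.0 labels are assumed here;
# a SOC on TLP 2.0 would register its own set the same way.
TLP_LABELS = ("TLP:WHITE", "TLP:GREEN", "TLP:AMBER", "TLP:RED")


def validate_tlp(value):
    """Validator for a custom 'tlp' incident field."""
    if value not in TLP_LABELS:
        raise ValueError(f"unknown TLP label: {value!r}")
    return value


# Indicator type registry: regex plus the name the same indicator carries in
# an external threat-intel feed. The feed names are an assumed convention,
# not any vendor's schema; the point is that the mapping is data, not code.
INDICATOR_TYPES = {
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "ip-address"),
    "sha256": (re.compile(r"\b[a-fA-F0-9]{64}\b"), "file-hash-sha256"),
    "domain": (re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE), "hostname"),
}


def register_indicator_type(name, pattern, feed_name):
    """Custom indicator type added by the SOC at runtime."""
    INDICATOR_TYPES[name] = (re.compile(pattern), feed_name)


@dataclass
class IncidentType:
    """Analyst-defined incident type: field name -> validator callable or None."""
    name: str
    fields: dict


@dataclass
class Incident:
    incident_type: str
    fields: dict
    # (indicator type, normalized value) -> set of field names it was seen in
    indicators: dict = field(default_factory=dict)


def extract_indicators(text):
    """Return {(type, value)} for every registered indicator type found in text."""
    found = set()
    for itype, (pattern, _) in INDICATOR_TYPES.items():
        for match in pattern.findall(text):
            # Normalize case for hashes and domains so duplicates collapse.
            value = match.lower() if itype in ("domain", "sha256") else match
            found.add((itype, value))
    return found


def create_incident(itype, values):
    """Validate supplied fields against the type definition, then auto-log indicators."""
    unknown = set(values) - set(itype.fields)
    if unknown:
        raise KeyError(f"fields not defined for {itype.name}: {sorted(unknown)}")
    clean = {}
    for name, value in values.items():
        validator = itype.fields[name]
        clean[name] = validator(value) if validator else value
    incident = Incident(itype.name, clean)
    for name, value in clean.items():
        if isinstance(value, str):
            for key in extract_indicators(value):
                incident.indicators.setdefault(key, set()).add(name)
    return incident


def to_feed_format(incident):
    """Export de-duplicated indicators using the external feed's type names."""
    rows = []
    for (itype, value), sources in sorted(incident.indicators.items()):
        rows.append({"type": INDICATOR_TYPES[itype][1], "value": value,
                     "tlp": incident.fields.get("tlp"), "seen_in": sorted(sources)})
    return rows


# Constructed sample: a custom "phishing" type with a TLP field and a
# SOC-specific asset-tag indicator type registered at runtime.
PHISHING = IncidentType("phishing", {
    "summary": None, "analyst_notes": None, "tlp": validate_tlp, "severity": None,
})
register_indicator_type("asset_tag", r"\bASSET-\d{4}\b", "internal-asset")

SAMPLE = create_incident(PHISHING, {
    "summary": "User on ASSET-0042 opened mail linking to login.evil-example.com",
    "analyst_notes": "Beacon to 203.0.113.9; attachment sha256 " + "A" * 64
                     + "; also resolved Login.Evil-Example.COM",
    "tlp": "TLP:AMBER",
    "severity": "high",
})

if __name__ == "__main__":
    for row in to_feed_format(SAMPLE):
        print(row)
```

Running the block logs four distinct indicators for the sample incident (the domain appears in two fields with different casing and is recorded once, with both source fields). The domain regex is deliberately loose for readability; a production extractor would need allow-lists and tighter patterns to avoid logging file names or sentence fragments as hostnames.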
That’s it for this edition of our modern incident management series. Stay tuned for more drill-downs in the coming weeks! For more cutting-edge and informative cybersecurity content, subscribe to the blog and newsletter updates from Demisto.