As a technology matures, customer needs solidify, and more target markets get ready to buy, industry points-of-parity start to form. That is where the security incident management market is today. Early tech adopters tend to take a leap of faith when investing in products and afford some leeway in terms of ROI and quantifiable value, but pragmatists in the mainstream market are a different beast altogether.
If CISOs at established firms pitch a product to their executive teams, there needs to be a clear industry precedent, feature validation, and measurable return. Although the security incident management market is evolving like any other, there are now certain core features that are essential for any vendor to have in order to compete in this space.
Let’s take a look at these features:
The need for consistent, transparent, and documented processes has always been a core driver for incident management solutions. Full case management capabilities that map the entire lifecycle of an incident, enable reconstructed timelines of actions taken, and support post-incident reviews are a base expectation from IM vendors today.
SLA and metric tracking
The lack of robust measurement is an often overlooked but major challenge facing SOC teams that engenders demand for IM tools. Granular tracking of incident and analyst metrics, auto-documentation of all actions for future analysis, and dashboards and reports to visualize underlying data are almost industry standards for incident management.
User identity management
As SOCs scale to include hundreds of employees, individual user-based identity management is no longer enough to control privacy and access. Role-based access control (RBAC) is a mechanism through which SOCs can tailor permissions to their security risk tolerance and organizational hierarchies.
SIEMs are usually the ‘digital brains’ of any organization, collecting logs and events across sources and correlating information across all security relevant data. Any IM platform worth its salt ingests this already-sifted data from SIEMs for further case management, triage, and resolution.
An example in action
Let’s go over an example where all these essential features are woven together. Let’s say a SOC’s SIEM is logging all raw security and non-security event data. The IM platform ingests relevant events from the SIEM and maps SIEM event labels to the corresponding labels in the platform.
Once the data is in the IM platform, a standardized workflow is triggered that goes through a host of steps (both automated and manual) to triage, enrich, and resolve the incident. All standardized and freeform analyst actions are captured by the platform for posterity. Tier-3 analysts go through this documentation to capture key pieces of evidence, mark them, and add notes. The platform visualizes these evidence pieces as a timeline for future reference.
Tier-3 analysts discern that the incident in question is sensitive and can have external repercussions, so they allow the legal team access to that incident through a granular RBAC feature. After vetting from the legal team is completed, the analysts spin up dashboards and reports for the incident and send them to the top executives for review.
Incident metrics such as malicious indicators, severity, mean time to detect (MTTD), and mean time to resolve (MTTR) are captured by the platform for overall measurement of SOC health. Analyst metrics such as team composition, incident owner, and task accountability are also recorded by the platform for continued visibility into employee productivity.
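The workflow above as an added Python example (not code from this post or from Demisto's platform): a SIEM event is ingested through a constructed label map, playbook and analyst actions are recorded on a timeline, a Tier-3 analyst grants the legal role view-only access through a small RBAC policy, and per-incident time-to-detect and time-to-resolve roll up into MTTD and MTTR. The field names, roles, and the sample event are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean

# Constructed mapping from SIEM event labels to the IM platform's labels (names assumed).
FIELD_MAP = {"@timestamp": "occurred", "src_ip": "source_ip", "sig_name": "alert_name", "sev": "severity"}
# Constructed RBAC policy: role -> permissions on an incident.
ROLE_PERMS = {"tier1": {"view", "edit"}, "tier3": {"view", "edit", "grant"}, "legal": {"view"}}

@dataclass
class Incident:
    fields: dict
    timeline: list = field(default_factory=list)  # (ts, actor, role, action, automated)
    evidence: list = field(default_factory=list)  # (timeline entry, analyst note)
    roles: set = field(default_factory=lambda: {"tier1", "tier3"})  # roles allowed on this case

    def can(self, role, perm):
        return role in self.roles and perm in ROLE_PERMS.get(role, set())
    def record(self, ts, actor, role, action, automated=False):
        if not self.can(role, "edit"):
            raise PermissionError(f"{role} cannot edit this incident")
        self.timeline.append((datetime.fromisoformat(ts), actor, role, action, automated))
    def mark_evidence(self, index, note):  # Tier-3 flags a timeline entry as evidence
        self.evidence.append((self.timeline[index], note))
    def grant(self, ts, actor, role, new_role):  # widen access; the grant itself is logged
        if not self.can(role, "grant"):
            raise PermissionError(f"{role} cannot grant access")
        self.roles.add(new_role)
        self.record(ts, actor, role, f"granted {new_role} access")
    def time_to(self, action):  # seconds from SIEM occurrence to the named action
        ts = next(e[0] for e in self.timeline if e[3] == action)
        return (ts - self.fields["occurred"]).total_seconds()

def ingest(siem_event):  # map SIEM labels to platform labels; unmapped labels are dropped
    fields = {FIELD_MAP[k]: v for k, v in siem_event.items() if k in FIELD_MAP}
    fields["occurred"] = datetime.fromisoformat(fields["occurred"])
    return Incident(fields)

def soc_metrics(incidents):  # MTTD: occurrence->detection; MTTR: detection->resolution
    ttd = [i.time_to("detected") for i in incidents]
    ttr = [i.time_to("resolved") - i.time_to("detected") for i in incidents]
    return {"mttd_s": mean(ttd), "mttr_s": mean(ttr)}

def run_example():
    inc = ingest({"@timestamp": "2024-05-01T10:00:00", "src_ip": "203.0.113.7",  # constructed
                  "sig_name": "Credential stuffing", "sev": "high", "host": "web-01"})
    inc.record("2024-05-01T10:05:00", "playbook", "tier1", "detected", automated=True)
    inc.record("2024-05-01T10:30:00", "alice", "tier3", "confirmed account takeover")
    inc.mark_evidence(1, "Login burst matches a known stolen-credential list")
    inc.grant("2024-05-01T10:35:00", "alice", "tier3", "legal")  # legal can now view
    inc.record("2024-05-01T11:00:00", "alice", "tier3", "resolved")
    return inc
```

Every action, including the access grant, lands on the timeline, which is what later makes the post-incident review and the metric roll-up possible.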
Now that we’ve covered the essentials of security incident management, stay tuned for feature drilldowns in the coming weeks on important points-of-difference that these platforms should have. For more cutting-edge and informative cybersecurity content, please subscribe to the blog and newsletter updates from Demisto.