Marie Kondo, a Japanese organizational consultant, helps people declutter their homes in order to live happier, better lives. She once said:
“Visible mess helps distract us from the true source of the disorder.”
Similarly, in security, operational teams are constantly bogged down by a “visible mess” that inhibits their ability to effectively secure their organization. The “visible mess” for security practitioners includes:
- Too many alerts without an effective method for managing or organizing those alerts
- Too many false positives
- Manual prioritization of events
- A lack of comprehensive incident management procedures.
Security teams need a platform to help them “Marie Kondo” their security operations, clean up their “visible mess” and identify the true source of “disorder” (the cyberattack itself).
Security Orchestration Automation and Response (SOAR) technology can help a security team increase the efficacy and speed of security operations by leveraging a few key capabilities: orchestration, automation, and case management. Security orchestration is the ability for the platform to bring together different tools to work together seamlessly — from gathering information to deploying actions. Security automation is the machine-based execution of otherwise manual security actions using playbooks. And case management is the power of collecting, analyzing, and displaying event data that are relevant to a specific incident to help security practitioners investigate and remediate alerts faster. While automation and orchestration may help security teams resolve the “visible mess” of too many false positives, high MTTD and MTTR, and manual prioritization of events through automating SIEM alert triage, how can security teams build up clear incident management procedures in order to thoroughly investigate alerts?
Simplifying Security Operations With Case Management
Splunk Phantom is a SOAR solution that provides robust case management capabilities that allow the analyst to easily view all the relevant information for an event or multiple events by promoting it into a case. Once a case is created, the analyst can apply a case template (also referred to as a Phantom workbook), which drives the analyst through a predefined set of phases and tasks that they should perform in order to close the case. These pre-packaged templates map directly to security frameworks such as the NIST-800. Users may also build their own custom templates for different cases using the built-in template builder. Moreover, tasks within the templates can be assigned to different individuals which allows for cohesive collaboration between members of the security team or even external departments such as Legal, HR, and many others.
Oftentimes, security teams struggle to respond quickly to a critical event because they lack standardized security procedures. But by using a SOAR solution with pre-packaged templates, analysts can contain and remediate the case more easily and faster.
Taking It Further With Automation
Splunk Phantom differentiates between two types of templates: workbooks and playbooks. Workbooks are predefined steps that guide the analyst through detection, investigation, and remediation, whereas playbooks are actions that are fully executed by a machine. Workbooks and playbooks can work together to decrease mean time to respond. Within the phases and tasks of a workbook, the analyst can choose to implement small playbooks to automate specific steps. On the other hand, the analyst may choose to use a playbook to automate the entire security incident lifecycle, from detection and investigation to response.
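To make the workbook/playbook relationship concrete, here is an added example (constructed for this post, not Phantom's own data model or API) of a minimal case engine: ordered phases hold tasks assigned to an owner, some tasks carry a playbook callable that a machine executes, manual tasks need sign-off by their assignee, and automation never runs ahead of an open manual task in an earlier phase. The phishing case, sender address and the two playbooks are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed model of a workbook engine; not Phantom's data model or API.
@dataclass
class Task:
    name: str
    owner: str               # assigned analyst or department
    playbook: object = None  # callable executed by a machine, or None for a manual step
    done: bool = False

@dataclass
class Case:
    title: str
    artifacts: dict  # event data collected for this case
    phases: list     # ordered (name, [Task, ...]) pairs, e.g. Detection -> Remediation
    log: list = field(default_factory=list)  # audit trail: who or what closed each task

    def current_phase(self):
        # First phase with an open task; None once every task is done
        return next((n for n, ts in self.phases if not all(t.done for t in ts)), None)

    def run_playbooks(self):
        # Run automated tasks in order, never skipping past an open manual task
        for name, tasks in self.phases:
            for t in tasks:
                if t.playbook and not t.done:
                    self.artifacts.update(t.playbook(self.artifacts))
                    t.done = True
                    self.log.append(f"{name}/{t.name}: playbook")
            if not all(t.done for t in tasks):
                return

    def complete(self, phase, task, analyst):
        # Manual sign-off; enforces phase order and task ownership
        if self.current_phase() != phase:
            raise ValueError(f"{phase} is not the active phase")
        t = next(t for n, ts in self.phases if n == phase for t in ts if t.name == task)
        if t.owner != analyst:
            raise PermissionError(f"{task} is assigned to {t.owner}, not {analyst}")
        t.done = True
        self.log.append(f"{phase}/{task}: {analyst}")

# Constructed playbooks standing in for real enrichment and containment actions.
def enrich_sender(a):
    return {"reputation": "malicious" if a["sender"].endswith("@mail.example.net") else "unknown"}

def block_sender(a):
    return {"blocked": [a["sender"]]}

def phishing_case():
    return Case("Reported phishing email", {"sender": "billing@mail.example.net"}, [
        ("Detection", [Task("Enrich sender", "automation", enrich_sender),
                       Task("Confirm phishing", "tier1")]),
        ("Investigation", [Task("Find other recipients", "tier2")]),
        ("Remediation", [Task("Block sender", "automation", block_sender),
                         Task("Notify HR of affected users", "hr")])])
```

Calling `run_playbooks()` after each manual sign-off mirrors an analyst working through the workbook while small playbooks handle the automated steps of the active phase.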
While security practitioners may utilize Splunk Phantom’s case management capabilities and customizable workbooks to respond to threats faster, automated playbooks can scale this efficiency tenfold. Security operation centers can leverage case management and automation capabilities to work smarter by automating repetitive tasks, responding within 30 seconds to incidents that used to take 30 minutes, and strengthening defenses by integrating existing security infrastructure together so that each part is an active participant in your defense.
Watch the webinar "How to 'Marie Kondo' your Incident Response with Case Management and Foundational Security Procedures" to learn how to establish foundational security procedures, including case management and automation, to drive efficient cross-functional response from detection to resolution to address a security incident.