
Are you still using Excel to manage your cases? Let's try out Swimlane's latest case management

Introduction
Customers who are considering ways to streamline their security operations often mention that one of the challenges they face is incident case management. For example, we often hear the following concerns:
- The data is still managed manually in Excel, which makes the work a heavy burden.
- They are busy dealing with human errors such as oversights and input mistakes.
- Difficulty in linking with other tools hinders automation of business processes.
One way to solve these challenges is modern case management using "Hyper Automation."
In this article, an engineer who has actually used Swimlane, a product that provides state-of-the-art case management, will clearly explain the important points regarding case management.
What is case management these days?
Case management ingests alerts from any source and allows analysts to act on the data to respond to incidents.
Incidents are identified based on risk levels, and analysts review prioritized incidents and consider responses based on the severity of the threat. With more information from the investigation, analysts can make more efficient decisions, which is expected to improve the efficiency of incident response efforts.
In addition, today's case management is no longer just about collecting information; by combining workflows with Hyper Automation, it is possible to automate responses and notifications as well.
As an example, a platform that incorporates Hyper Automation, such as Swimlane, is making security operations more efficient.

5 important elements of case management!
From here, we will introduce the important elements of case management using actual Swimlane screens.
① Graphical and easy-to-read screen
Providing necessary information in an easy-to-understand graphical format is essential for rapid information transmission. It is also important that the information can be customized to suit the unique usage of the customer.
Empower analysts with easy-to-see summaries of assigned agents, ticket status, threat intelligence results, SLA status, and more.

② Organizing investigation history and evidence
Writing down the investigation and response history and organizing evidence are necessary tasks for analysts. A note-taking function like the one in the image and a function for storing evidence are useful here.
For example, if you have employees compile the results of interviews into an Excel file, you can store the file and preview or download it whenever you need to.
In addition, other users can make comments, allowing more expert analysts to follow up on cases as they look at them.

③ Automatic enrichment
The power of Swimlane case management is the automation it combines with workflows, allowing you to focus on the things you care about, rather than the mundane, tedious tasks.
Workflows are often used to enrich incident response, with the most notable example being the collection of threat intelligence data. By linking with VirusTotal and IPQualityScore, it becomes possible to evaluate URLs, email addresses, hash values, IP addresses, and more.
Automatically adding this information, so that no one has to search for each item manually one by one, is an important element.

④ One-click remediation
It is useful to be able to take action as part of case management. If different departments manage different security products, it may be necessary to communicate between departments, which may delay the response.
One-click remediation allows for quick actions like disabling users, isolating devices, blacklisting, etc. Analysts don't need to be experts in every security product, and case management makes it easy to take multiple actions.

⑤ Communication between departments
Communication is crucial in proactive incident response: security teams must quickly relay information about a case to other analysts and other departments.
Therefore, by integrating communication tools such as email, Teams, and Slack and making it easier to share information, you can reduce screen transitions and make things more convenient.

Swimlane also allows you to implement approval flows, and you can create "Approve/Reject" buttons like the one in the image. When you press the button, a Teams message is automatically sent as a response message, so you can check whether the button was clicked, and the approver can feel at ease.

(When you press the approval button, the message "Thank you for your response!" will automatically be returned.)
In conclusion
To improve the efficiency of case management, it is essential to address not only manual tasks but also automation. The five important elements introduced here (a graphical and easy-to-read screen, organization of investigation history and evidence, automatic enrichment, one-click remediation, and communication between departments) are all essential for effective case management. By utilizing Swimlane's Hyper Automation, security operations will be dramatically streamlined, and the speed and accuracy of risk response will be greatly improved.
The Hyper Automation provided by Swimlane has the advantage of being able to flexibly customize "case management + workflow" to suit each individual customer, allowing for case management that fits operations in accordance with the different security policies of each company.
If you have read this article and are interested, or would like to try it out for yourself, please contact us at the address listed below.
Thank you for reading the article to the end!
Inquiry/Document request
Macnica Swimlane
- TEL:045-476-2010
- E-mail:swimlane@macnica.co.jp
Weekdays: 9:00-17:00