Case initiation
Whenever a new cybersecurity case ticket is raised, the MetricStream App allows the case to be logged in the system, and assigns a unique case number that can be used to track the incident as it goes through various stages.
The App captures detailed information about the case, including the case description, title, severity rating, and impact. It also helps categorize the case into various types based on pre-defined criteria, the case severity level, and the responsible business unit. Users can define multiple levels in a case – parent/child – as the case evolves and as the components escalate.
Users can also add a business context to the incident/case (e.g. BU, regulatory impact). The App also helps with qualitative and quantitative impact analysis, and supports correlation of the case with past data to enable quick analysis and to support decision-making on the need for remedial action.
Case management
The MetricStream App routes each incident/case for review and analysis to authorized users based on pre-configured rules for review, approval, and disposition. The application’s decision-tree functionality helps identify reportable events, as well as the type of report that needs to be filed. Case data is captured from external sources via the App’s interfaces to third-party products.
Through the App, Case Owners can add more details about the case, edit its description, and attach further evidence/files. The App also helps finalize the severity level of the case -- Critical, High, Medium, or Low -- supported by a color-coded chart (e.g. Red = Critical, Yellow = Medium, Blue = Low).
These severity levels indicate how soon the case needs to be resolved. For instance, a critical case would need to be resolved in 10 days, while a low severity case can take up to 30 days.
The App then captures the action plan for investigating or resolving the case. For instance, if a virus has infected a system, the action plan might be to test the system controls, and determine what went wrong, what was impacted, and whether or not additional controls are required. All these steps are outlined in the MetricStream App, and assigned to a Case Action Owner along with predefined timelines.
Once the action items have been performed, the Case Action Owner enters the results in the MetricStream App, and routes it to a Case Approver for final review, approval, and closure.
Case monitoring and reporting
At each stage of the case management process, the MetricStream Case Management App helps track the progress/status of the case against pre-defined timelines (e.g. 5 days for case analysis, 2 days for case validation, 14 days for case reaction).
The App also automatically populates case reports with data. Therefore, at the click of a button, Case Admins get access to key reports such as a list of all cases or incidents across the organization, as well as an action list report and an audit trail report.
Powerful dashboards provide in-depth visibility into case data and statistics such as case ratings, severe cases, outstanding open cases, types of cases, and sources of cases. Users can slice and dice this data from various perspectives to identify trends and areas of concern, and to make informed decisions.
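The severity-based resolution deadlines and the per-stage timelines described above can be modelled as a small SLA tracker. The following is an added example written for this page, not MetricStream's own code: it takes the figures the page gives (Critical = 10 days, Low = 30 days to resolve; 5 days analysis, 2 days validation, 14 days reaction per stage), assumes values of 15 and 20 days for High and Medium, supports parent/child linkage, and produces a dashboard-style summary of overdue cases. The sample cases are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed to resolve a case, by severity. Critical = 10 and Low = 30 are the
# figures the page gives; High = 15 and Medium = 20 are constructed assumptions.
RESOLUTION_SLA_DAYS = {"Critical": 10, "High": 15, "Medium": 20, "Low": 30}

# Per-stage timelines from the page: 5 days analysis, 2 days validation, 14 days reaction.
STAGES = ["analysis", "validation", "reaction"]
STAGE_SLA_DAYS = {"analysis": 5, "validation": 2, "reaction": 14}


@dataclass
class Case:
    case_id: str
    title: str
    severity: str
    opened: date
    stage: str = "analysis"
    stage_started: Optional[date] = None   # defaults to `opened`
    parent_id: Optional[str] = None        # child cases point at their parent case
    closed: Optional[date] = None

    def __post_init__(self):
        if self.severity not in RESOLUTION_SLA_DAYS:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.stage not in STAGE_SLA_DAYS:
            raise ValueError(f"unknown stage {self.stage!r}")
        if self.stage_started is None:
            self.stage_started = self.opened


def resolution_deadline(case: Case) -> date:
    """Overall deadline derived from the severity-to-days table."""
    return case.opened + timedelta(days=RESOLUTION_SLA_DAYS[case.severity])


def stage_deadline(case: Case) -> date:
    """Deadline for the stage the case is currently in."""
    return case.stage_started + timedelta(days=STAGE_SLA_DAYS[case.stage])


def advance_stage(case: Case, today: date) -> Case:
    """Move an open case to the next stage; the stage clock restarts today."""
    idx = STAGES.index(case.stage)
    if idx + 1 >= len(STAGES):
        raise ValueError("case is already in its final stage; close it instead")
    case.stage = STAGES[idx + 1]
    case.stage_started = today
    return case


def status(case: Case, today: date) -> dict:
    """Flags for one case: whether the stage SLA and the overall SLA are breached."""
    if case.closed is not None:
        return {"case_id": case.case_id, "open": False, "stage": case.stage,
                "stage_overdue": False, "resolution_overdue": False, "days_remaining": 0}
    res_due = resolution_deadline(case)
    return {
        "case_id": case.case_id,
        "open": True,
        "stage": case.stage,
        "stage_overdue": today > stage_deadline(case),
        "resolution_overdue": today > res_due,
        "days_remaining": (res_due - today).days,   # negative once the SLA is breached
    }


def report(cases, today: date) -> dict:
    """Dashboard-style summary: overdue cases, open counts by severity, children per parent."""
    rows = [status(c, today) for c in cases]
    overdue = sorted(r["case_id"] for r in rows
                     if r["open"] and (r["stage_overdue"] or r["resolution_overdue"]))
    open_by_severity, children = {}, {}
    for c in cases:
        if c.closed is None:
            open_by_severity[c.severity] = open_by_severity.get(c.severity, 0) + 1
        if c.parent_id:
            children.setdefault(c.parent_id, []).append(c.case_id)
    return {"overdue": overdue, "open_by_severity": open_by_severity, "children": children}


# Constructed sample cases for the example (not real incidents).
SAMPLE_CASES = [
    Case("CASE-001", "Malware on finance workstation", "Critical", date(2024, 3, 1)),
    Case("CASE-002", "Follow-up on host from CASE-001", "High", date(2024, 3, 3), parent_id="CASE-001"),
    Case("CASE-003", "Phishing report, no click", "Low", date(2024, 3, 5)),
    Case("CASE-004", "Expired TLS certificate", "Medium", date(2024, 2, 20), closed=date(2024, 3, 2)),
]

if __name__ == "__main__":
    today = date(2024, 3, 8)
    for c in SAMPLE_CASES:
        print(status(c, today))
    print(report(SAMPLE_CASES, today))
```

With the sample data and a "today" of 8 March 2024, CASE-001 is still in analysis past its 5-day stage deadline and appears in the overdue list even though its 10-day resolution deadline has not yet passed; the two clocks are tracked independently, which is the check a case admin wants from the timeline report.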
Integration with security information and event management systems
The MetricStream App has “Infolets” or connectors that link to SIEM tools such as IBM QRadar and BMC Remedy Software to capture and import security incidents. These incidents are then routed through the usual workflow of investigation and action plan management in the MetricStream App.