Among all the cybersecurity case management solution providers evaluated by the client, MetricStream was chosen based on the advanced capabilities and configurability of their offering.
MetricStream Case Management App has provided a single point of reference for approximately 70 employees in the client organization to manage and track all cybersecurity cases across the global enterprise. The App streamlines and automates the case management lifecycle - right from case detection, to analysis, notification, containment, action plan management, and resolution.
All cybersecurity team members, including case owners, case approvers, case action owners, and case admins are mapped to their specific roles and processes in the App, thereby enhancing accountability and transparency.
The App also integrates with SIEM tools such as IBM QRadar and BMC Remedy Software, capturing critical information, including potential breaches and SIEM artifacts (affected system logs, incident reports, vulnerability information for affected assets, threat advisories and zero-day alerts). The App then consolidates this data along with other cybersecurity case information in a centralized database. This has made it easier for the client to track and resolve cases. In addition, a range of advanced reports provide complete, real-time visibility into the status of each case.
Below is a glimpse into the MetricStream Case Management App’s capabilities at the client organization:
Whenever a new cybersecurity case ticket is raised, the MetricStream App allows the case to be logged in the system, and assigns a unique case number that can be used to track the incident as it goes through various stages.
The App captures detailed information about the case, including the case description, title, severity rating, and impact. It also helps categorize the case into various types based on pre-defined criteria, the case severity level, and the responsible business unit. Users can define multiple levels in a case – parent/child – as the case evolves and as the components escalate.
Users can also add a business context to the incident/case (e.g. BU, regulatory impact). The App also helps in qualitative and quantitative impact analysis, and supports correlation of the case with past data to enable quick analysis, and to support decision-making on the need for remedial action.
The MetricStream App routes each incident/case for review and analysis to authorized users based on pre-configured rules for review, approval, and disposition. The application’s decision-tree functionality helps identify reportable events, as well as the type of report that needs to be filed. Case data is captured from external sources via the App’s interfaces to third-party products.
Through the App, Case Owners can add more details about the case, edit its description, and attach further evidence or files. The App also helps finalize the severity level of the case (Critical, High, Medium, or Low), supported by a color-coded chart (e.g. Red = Critical, Yellow = Medium, Blue = Low).
These severity levels indicate how soon the case needs to be resolved. For instance, a critical case would need to be resolved in 10 days, while a low severity case can take up to 30 days.
The App then captures the action plan for investigating or resolving the case. For instance, if a virus has infected a system, the action plan might be to test the system controls, and determine what went wrong, what was impacted, and whether or not additional controls are required. All these steps are outlined in the MetricStream App, and assigned to a Case Action Owner along with predefined timelines.
Once the action items have been performed, the Case Action Owner enters the results in the MetricStream App, and routes it to a Case Approver for final review, approval, and closure.
Case monitoring and reporting
At each stage of the case management process, the MetricStream Case Management App helps track the progress and status of the case against pre-defined timelines (e.g. 5 days for case analysis, 2 days for case validation, 14 days for case reaction).
The App also automatically populates case reports with data. Therefore, at the click of a button Case Admins get access to key reports such as a list of all cases or incidents across the organization, as well as an action list report and an audit trail report.
Powerful dashboards provide in-depth visibility into case data and statistics such as case ratings, severe cases, outstanding open cases, types of cases, and sources of cases. Users can slice and dice this data from various perspectives to identify trends and areas of concern, and to make informed decisions.
Integration with security information and event management systems
The MetricStream App has “Infolets” or connectors that link to SIEM tools such as IBM QRadar and BMC Remedy Software to capture and import security incidents. These incidents are then routed through the usual workflow of investigation and action plan management in the MetricStream App.
The client’s cybersecurity team, headquartered in North America, holds the important role of investigating and resolving all cybersecurity cases across the organization’s global operations. The team helps ensure that incidents such as malware attacks are proactively mitigated before they spiral into larger issues with far-reaching consequences.
Previously, the approach to cybersecurity case management was largely manual and siloed. Multiple emails would go back and forth between various stakeholders, detailing each case and seeking approvals. Reports would be painstakingly created by hand.
Making matters more challenging, case data would often be scattered across several complex and unwieldy spreadsheets. Plus, additional data had to be aggregated from various Security Information and Event Management (SIEM) applications such as IBM QRadar.
Keeping track of all this data at a global level became increasingly challenging for the cybersecurity team. At any given point, it was difficult for them to get a complete, real-time view of cases across the enterprise. The team spent considerable time and effort manually gathering case data from various sources, and putting it together.
It quickly became evident that this approach was neither cost-efficient nor scalable. The client needed a new system that would automate cybersecurity case management, while also integrating case data from across global operations and applications into a central database for complete visibility.