Cyber Incident Management Module
Overview:
Cyber Incident Management with Extended Detection and Response (XDR) and Managed Detection and Response (MDR) provides comprehensive protection against cyber threats by continuously monitoring and analyzing an organization’s digital environment. XDR integrates data from various security sources, such as endpoints, networks, and cloud environments, to detect and correlate threats more effectively. MDR offers 24/7 monitoring, management, and incident response. Together, these tools enable rapid identification and mitigation of potential threats, helping to reduce the impact of cyber incidents and ensure the security of organizational assets.
Navigate to Dashboard:
- To show all the different modules, click on the menu icon .
- Under Cyber Detection and Response, click on Cyber Incident Management (XDR and MDR)
Cyber Incident Management Dashboard:
Alerts Dashboard:
To access the Alerts Profile dashboard, click the icon on where the red arrow is located
Alerts Dashboard is a tool that provides real-time security alerts and notifications. It provides a unified view of different types of alerts, categorizing them by severity and type, and displays critical details such as the source of the alert, affected assets, and relevant information. This dashboard enables security teams to quickly assess, prioritize, and respond to potential threats by offering comprehensive insights and plays a crucial role in enhancing situational awareness and streamlining the incident response process.
- Alerts Status Types:
- Open Alerts: Alerts awaiting assignment to an analyst for further investigation.
- Acknowledged Alerts: Alerts currently in progress and assigned to an analyst for resolution.
- Closed Alerts: Alerts that have been successfully resolved and closed.
Ways to Create a Case:
Case Creation involves initiating a new incident case when a security alert is detected. This process includes documenting key details about the alert, categorizing and prioritizing the case based on its severity and impact, and tracking all investigation and response activities. By creating a case, security teams can organize and manage the incident comprehensively, ensuring that all related actions and communications are centralized, which facilitates effective resolution and improves overall incident handling.
To create a case, you can opt to choose either to create a case from the Alerts Dashboard or the Case Management Dashboard
Create a Case in the Alerts Dashboard:
To create a case:
- Select an alert
- Click the create new case button as shown below
- Doing so will show a modal where information is required to create a case for investigation
- Once a case has been successfully created, it will show in the Case Management Dashboard as shown below.
Create a Case in the Case Management Dashboard:
To create a case, click on the icon where the red arrow is pointing
- Doing so will show a modal where information is required to create a case for investigation
Once the necessary information has been added, click submit and a case has been successfully created and will be shown on the Case Management Dashboard as shown below.
How to Add an Alert to an Existing Case:
This feature allows security teams to associate a new alert with an ongoing or previously created incident case. By adding a new alert to an existing case, teams can streamline their investigation and response efforts, correlate related data, and avoid duplicating efforts.
Steps to take:
1. To add to an existing case, navigate to the Alerts Dashboard
2. Select an alert and click the create new case button as shown below
3. Select which existing case is relevant to the alert to add it as an existing case.
Case Management Dashboard:
To access the Case Management Profile Dashboard, click the icon on where the red arrow is located.
Case Management Dashboard is a tool that provides a comprehensive overview of security incidents. It offers detailed insights into active and past incidents, including their status, severity, and timeline. The dashboard facilitates investigation and response by integrating real-time alerts, threat intelligence, and collaboration features, while also tracking performance metrics and compliance. This centralized approach enhances the efficiency of managing and resolving security incidents, ensuring timely and effective responses to mitigate risks and improve overall security posture.
- Case Status Types:
- Open Cases: Cases awaiting assignment to an analyst for investigation.
- In Progress Cases: Cases currently being worked on by an analyst.
- Pending Cases: Cases awaiting approval from IT head/CISO before further action.
- Closed Cases: Cases that have been resolved and closed.
How to Investigate a Case:
To start investigating a case, choose an open case as shown below.
- A modal will appear displaying case-related information, including alerts, alert details, and incident response data, all essential for conducting a thorough investigation. For detailed information, refer to the Key Tools and Features for Effective Case Investigation and Analysis section of the guide.
- Once a case has entered the investigation phase, update the case status to 'In Progress. This signals the entire response team that the investigation is active, helping coordinate efforts, prioritize resources, and ensure timely resolution of the incident.
- Once a case investigation is complete and is awaiting final confirmation from the end user, change the case status to 'Pending.' This status update is necessary as it indicates that the investigation phase is concluded, and the case is in a holding state, waiting for final validation. This helps prevent premature closure and ensures that all necessary checks and confirmations are made before finalizing the case
Once the end user's confirmation is received and the case investigation is complete, change the case status to 'Closing.' This status update signifies that the case is in the final stages of resolution and is pending closure, ensuring that all required actions have been taken and the case is ready for final documentation and closure.
This will display a modal where you need to enter the required information for closing the case. Once you have completed the necessary fields and provided closing remarks, the case can then be successfully finalized and closed.
The closed case will then be shown in the closed case section of the Case Management Dashboard
Drag Feature for the Case Management Dashboard:
Instead of using traditional methods to update case statuses through predefined options, users can now manually drag cases to indicate their current stage: Open, In Progress, Pending, or Closed. It is important to follow the correct sequence moving from Open to In Progress, then to Pending, and finally to Closed. When marking a case as Closed, ensure that you fill in the required closing remarks to complete the process successfully.
Key Tools and Features for Effective Case Investigation and Analysis:
New Look Feature:
Case Playbook:
A Case Playbook in a case investigation is a structured guide that outlines specific procedures and best practices for responding to different types of security incidents. It includes steps for detection, containment, and resolution, defines roles and responsibilities, lists necessary tools, and sets communication and escalation protocols. This standardized approach ensures a consistent, efficient, and thorough response to incidents, facilitating effective management and resolution.
Alerts:
To view details on an alert, click on the list of alerts related to the case on the left. Once clicked, this provides details about the case as well as provides a timeline on when the alert happened.
This table provides all the essential information required to thoroughly investigate a case. It includes details such as the target of the alert, the affected files, and key metadata that helps analysts understand the nature of the incident. By offering comprehensive and actionable data, the table ensures that analysts have the necessary context to conduct an in-depth investigation and take appropriate actions to resolve the issue effectively.
Case Reports:
In the Reports View, this is where all findings from the case investigation are documented. Ensure that all relevant information is accurately filled out to provide a comprehensive overview of the case. This includes a clear explanation of the incident, details on how it was discovered, the impact on the system, and any affected assets. Additionally, outline the steps taken during the investigation, mitigation actions performed, and any recommendations for future prevention. The report should also include any references to related alerts, timelines, and potential vulnerabilities identified. This thorough documentation will serve as the final record for the case, ensuring that all stakeholders are fully informed and that the case is properly closed with actionable insights for ongoing security improvements.
Incident Response:
In the Incident Response View, it involves quickly detecting the incident, assessing its severity, and taking immediate steps to contain and mitigate its impact. This helps teams track the progress of response actions, such as isolating affected systems, neutralizing threats, and restoring normal operations. It also provides visibility into the status of ongoing investigations and any further steps required to fully resolve the incident.
Reports Dashboard:
To access the reports view, click on the icon where the red arrow is located.
The Reports View for Cyber Incident Management (CIM), charts and metadata play a crucial role in visualizing and summarizing the data related to cases and alerts. The charts offer a graphical representation of incident trends, showing metrics like the number of alerts over time, the severity of cases, and the categories of threats encountered. These visual elements help analysts quickly grasp the overall security posture and identify patterns in incidents. The metadata, such as timestamps, affected systems, and alert details, provides context and deeper insights into each case, allowing for more efficient analysis and decision-making. Together, these tools offer a comprehensive view of incidents and alerts, aiding in both detailed investigation and high-level reporting.
How to Create a Report:
- To create a report, click on the Create Report button and select the time period for which the report will be generated, such as weekly, monthly, quarterly, or annually.
- After choosing the desired time frame, you will be prompted to fill in all necessary information related to the report, including executive summary, key findings, recommendations, and conclusion.
This process ensures that the report covers the relevant time period and contains all critical data for effective review and analysis, as demonstrated in the example below.
Once a report is generated, it will be saved and readily accessible in the My Library section of the Reports Dashboard.
Settings:
To access the settings view, click on the icon where the red arrow is located.
In this view, you can configure and manage various system settings essential for the proper functioning of the monitoring platform. These settings include options to add and manage the log collector list, define and update log sources, configure alert rules for customized threat detection, and set up notifications to ensure timely alerts for critical events. This view allows administrators to tailor the platform to specific operational needs, optimizing data collection, threat detection, and response workflows.
If you need further assistance, kindly contact our support at info@cytechint.com for prompt assistance and guidance.
No Comments