Product Release: Improved context for incident investigation and response

Most SOC analysts at security service providers constantly tab between applications when investigating or responding to an incident, and the cost to their productivity is death by a thousand paper cuts. They move from the security platform, where they are investigating an alert, to other applications to gather the details needed to decide whether they are looking at a genuine security incident. The response team repeats the same process to gather the data it needs to respond correctly. Meanwhile, scratch notes or .docx files become the repository for incident details.

Today, we're excited to announce a new unified investigation experience for service provider analysts using the ContraForce Security Services Delivery Platform (SSDP). The new experience gives analysts additional incident context inside ContraForce, so they no longer have to pivot to other tools to complete an investigation or respond to an incident. Because context imported from Microsoft Entra ID and other sources is presented alongside the alert, analysts can quickly understand what happened, decide how to handle the incident and act: deploy the appropriate gamebook, escalate the incident to their client, or close it.

Investigation

With the new unified experience, analysts investigating an alert can now go straight to an incident detail page in a single click where they can obtain additional information about account and IP entities. Entity insights vary depending on whether the entity is an account or an IP.

An incident detail page showing insights and related incidents for an account entity

Account entity details include the user's display name, job title, department and office location; contact information such as their email address and phone number; the date of their last password change; and their access-management role.

For account entities, analysts also see a list of related incidents, with the activity history and classification of each one. Sign-in and audit logs supply further history for the account.

For IP entities, details include a history of user sign-ins and related incidents.
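The account and IP context described above is imported from Microsoft Entra ID. As an added example (not ContraForce code), the following Microsoft Graph PowerShell script pulls the same fields directly from Entra ID, which is useful when an analyst wants to cross-check what the platform shows or needs the raw records for a client report. The account `alice@contoso.example`, the IP `203.0.113.10` and the seven-day window are placeholder assumptions; the script assumes the Microsoft.Graph module is installed and that the signed-in identity holds the User.Read.All, Directory.Read.All and AuditLog.Read.All permissions.

```powershell
# Added example, not ContraForce code: fetch account and IP context from
# Entra ID via Microsoft Graph PowerShell. $Upn and $Ip are placeholders.
param(
    [string]$Upn  = 'alice@contoso.example',  # hypothetical account entity
    [string]$Ip   = '203.0.113.10',           # hypothetical IP entity (TEST-NET-3 range)
    [int]   $Days = 7                         # look-back window for sign-in history
)

# Assumed permissions: User.Read.All, Directory.Read.All, AuditLog.Read.All.
Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All','AuditLog.Read.All' -NoWelcome

# Account entity: profile, contact details and last password change.
# lastPasswordChangeDateTime is only returned when explicitly selected.
$user = Get-MgUser -UserId $Upn -Property id,displayName,jobTitle,department,officeLocation,mail,mobilePhone,lastPasswordChangeDateTime
$user | Select-Object DisplayName, JobTitle, Department, OfficeLocation, Mail, MobilePhone, LastPasswordChangeDateTime

# Access-management role: directory roles the account holds, directly or via group.
Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

# Sign-in history for the account over the look-back window.
$since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, @{n='ErrorCode'; e={ $_.Status.ErrorCode }}

# IP entity: every sign-in from that address over the same window.
Get-MgAuditLogSignIn -Filter "ipAddress eq '$Ip' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, @{n='ErrorCode'; e={ $_.Status.ErrorCode }}
```

An ErrorCode of 0 is a successful sign-in; non-zero codes are failures and are often the interesting rows when an IP entity is under review. Sign-in log retention in Entra ID depends on the tenant's licence, so a short window such as seven days is the safe default.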

Response

ContraForce has also enriched response gamebooks with the same information. Within a gamebook, analysts can click an associated IP or account entity to see its context, and they can toggle between the incident page and the gamebook workbench with a single click.

A gamebook showing insights and related incidents for an IP entity

In Summary

Analysts using the ContraForce SSDP now have one-click access to incident details while conducting investigations or responding to incidents. With this new context at their fingertips, they will find that their workflows are better integrated and see an appreciable increase in efficiency ... along with fewer paper cuts.

ContraForce is everything you need to manage your security service delivery with confidence.
