Malizen offers key functionalities to accelerate cyber investigations: data exploration through visualization, machine learning based copilot, automatic reporting …
Among these features, one is particularly important for the daily work of cyber analysts: collaborative investigation. We felt it was essential to explain how Malizen puts collaboration at the heart of its solution and how we enable cyber teams to work faster together.
The reality of cybersecurity team work
The key factor in ensuring effective protocols and actions rests with all employees who have a role to play in combating cyber attacks.
Today, cyber analysts don’t work alone, but in teams.
Generalists should pass on investigations to network experts, reverse analysts or any other specialists.
Triage analysts must pass on alerts to the next level of analysts to qualify and investigate the data.
SOC teams working in shifts should hand over their work to the next shift for a seamless response.
Besides their technical expertise, their problem-solving skills and creativity, as with any other team, a major skill required in a cybersecurity team is the ability to collaborate effectively to accomplish shared goals. And currently, we still see teams using chat software or email to stay in sync and pass the ball back and forth. It's better than post-its, but still not ideal and still a bit archaic. Teams have access to the conversations, but it's often not easy to quickly understand the current status of an investigation without reading the whole thread.
Working in a team remains, as it is for many teams in any field, a challenge. If we add tools that are not adapted to this collective effort, it's one more barrier to overcome towards efficiency.
This is why we have integrated our collaborative investigation module as a core functionality of our platform. Teamwork is not optional!
The case for case management
Ticketing or case management helps manage the state of investigations. Typically it starts with someone filling in a form describing the situation. This can also be an initial alert. The analysts can then update this entity and keep track of its status.
Our view is that a new data and information silo is created when the case management system is isolated from the rest of the tools shared by the team. For one thing, it's separate from the investigation, meaning teams who already have to manage several different windows and tabs now have to keep that case management window somewhere too. And it's quite time consuming to manage. Filling out forms when you're in the flow of an investigation can really break your pace. Often these forms are like fitting a square peg in a round hole, sometimes with screenshots.
This can lead to incomplete or inconsistent data.
The Malizen way
At Malizen, we understand the need for cyber teams to work together better and more easily.
The idea was to integrate the management software into the ongoing investigation. This means that analysts no longer have to leave the current investigation in order to manage it. Everything is done in one place.
When an analyst identifies an anomaly, they just have to create an investigation “lead” that automatically records all related information. All the contextualised data is then recorded (e.g., an IP of 192.168.1.1 seen in a given visualisation with these filters and this timeline), so everything is linked to its context and understandable. All that's left for the analyst is to specify the severity and add comments. They can also add MITRE TTPs. To simplify this we've integrated them all into a smart drop-down, and our copilot can even suggest appropriate TTPs.
Analysts can directly mention other people in order to invite them into the investigation they are working on. Those invited are notified and can follow or join the investigation. Our platform also keeps a history of the investigation which the team can access for a real follow-up of the analysis.
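As an added illustration of the lead mechanism and the mention/history features described in the two paragraphs above (this is hypothetical example code written for this page, not Malizen's own implementation or API), here is a minimal Python record that snapshots the analyst's view context when an anomaly is flagged, validates severity and MITRE ATT&CK technique IDs so records stay consistent, treats @mentions as invitations, keeps an append-only history, and renders a one-screen handover summary. The class names, fields, filter values and usernames are assumptions; the sample IP is the one used in the text.

```python
"""
Added example, not Malizen's own code: a minimal investigation "lead"
record of the kind the text describes. It snapshots the analyst's view
context when an anomaly is flagged, validates severity and MITRE ATT&CK
technique IDs, tracks @mentions as invitations, and renders a handover
summary. Every class, field and sample value here is hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# ATT&CK technique IDs look like T1071 or, for sub-techniques, T1071.001.
ATTACK_TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
SEVERITIES = ("low", "medium", "high", "critical")
MENTION_RE = re.compile(r"@(\w+)")


@dataclass(frozen=True)
class ViewContext:
    """Snapshot of what the analyst was looking at (visualisation, filters, window)."""
    visualisation: str
    filters: dict
    time_from: datetime
    time_to: datetime


@dataclass
class Lead:
    indicator: str                 # the anomalous value, e.g. an IP address
    context: ViewContext           # captured automatically, not re-typed into a form
    severity: str
    created_by: str
    comments: list = field(default_factory=list)
    ttps: list = field(default_factory=list)
    invited: set = field(default_factory=set)
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}, got {self.severity!r}")
        self._log(self.created_by, f"created lead for {self.indicator}")

    def _log(self, who: str, what: str) -> None:
        # Append-only history so a reader can follow the investigation without the chat log.
        self.history.append((datetime.now(timezone.utc), who, what))

    def add_ttp(self, who: str, technique_id: str) -> list:
        """Attach an ATT&CK technique; reject malformed IDs so records stay consistent."""
        if not ATTACK_TECHNIQUE_RE.match(technique_id):
            raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
        if technique_id not in self.ttps:
            self.ttps.append(technique_id)
            self._log(who, f"added TTP {technique_id}")
        return self.ttps

    def comment(self, who: str, text: str) -> set:
        """Record a comment; any @mention invites that person to the lead."""
        self.comments.append((who, text))
        newly_invited = set(MENTION_RE.findall(text)) - self.invited
        self.invited |= newly_invited
        self._log(who, f"commented, invited {sorted(newly_invited)}")
        return newly_invited

    def handover_summary(self) -> str:
        """One-screen status for the next shift or a newcomer."""
        c = self.context
        window = f"{c.time_from:%Y-%m-%d %H:%M}Z to {c.time_to:%Y-%m-%d %H:%M}Z"
        filters = ", ".join(f"{k}={v}" for k, v in sorted(c.filters.items())) or "none"
        lines = [
            f"Lead: {self.indicator} [{self.severity}] opened by {self.created_by}",
            f"Seen in: {c.visualisation} with filters {filters}, window {window}",
            f"TTPs: {', '.join(self.ttps) or 'none yet'}",
            f"Invited: {', '.join(sorted(self.invited)) or 'nobody'}",
            f"Events in history: {len(self.history)}",
        ]
        return "\n".join(lines)


def build_sample_lead() -> Lead:
    """Constructed walkthrough of the flow: flag anomaly, tag TTP, mention a colleague."""
    ctx = ViewContext(
        visualisation="connections-by-destination",   # hypothetical view name
        filters={"proto": "tcp", "dst_port": 443},     # constructed filter state
        time_from=datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc),
        time_to=datetime(2024, 1, 15, 11, 0, tzinfo=timezone.utc),
    )
    lead = Lead(indicator="192.168.1.1", context=ctx, severity="high", created_by="triage1")
    lead.add_ttp("triage1", "T1071.001")
    lead.add_ttp("triage1", "T1071.001")          # duplicate is ignored, not double-logged
    lead.comment("triage1", "Beaconing pattern, @netexpert can you take a look?")
    return lead


if __name__ == "__main__":
    print(build_sample_lead().handover_summary())
```

The point of the design is that the context (visualisation, filters, time window) is captured by the tool rather than typed into a form, and that malformed severities or technique IDs are rejected at entry, which is where the incomplete or inconsistent records mentioned earlier usually originate.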
A discussion tool is integrated directly into our platform so that analysts can simply exchange with others working on the same investigation. This makes their work easier as well, as they don't need to switch tools to discuss with other team members. Everything for the fastest and smoothest collaboration!
We also know that passing information about an investigation to a new recruit can sometimes be complicated. That is why we also designed our collaboration module as an onboarding tool for newcomers. They can follow investigations very quickly and immerse themselves in the operational reality of the team with less friction.
As with all teams, working together effectively is a human, organizational and technical challenge. At Malizen, we believe that the technologies and tools used by the cyber team must provide more fluidity of information between analysts and not the other way around. Creating data silos and context switching each time you add a new tool doesn't help the cause. And it's with this objective in mind that we have designed our platform.
Cyber teams can take advantage of the flexibility of the Malizen platform to collaborate better and more efficiently.