The company’s Case Automation Security Execution (CASE) management platform will use its in-house unified data layer (UDL) to develop and deploy automated, logic-based sub-workflows for replication.

Security orchestration, automation, and response (SOAR) company Revelstoke has announced enhancements to its CASE management capabilities that enable the replication of redundant tasks performed by security analysts.

Revelstoke’s Case Automation Security Execution (CASE) management platform will use the company’s in-house unified data layer (UDL) to develop and deploy automated, logic-based sub-workflows for replication, the company said in a statement.

“This CASE functionality furthers Revelstoke’s mission of putting sophisticated security automation in the hands of the security analysts that desperately need it to free them from the manual, repetitive tasks that bog them down,” said Josh McCarthy, chief product officer and co-founder at Revelstoke. “This functionality allows them to have powerful blocks of reusable actions that they can apply to any and all cases that come into the system.”

The new capability will allow for the replication of a wide variety of tasks including quarantining, account locking, executive escalation, and human resource management. It will also enable the creation of technology-agnostic CASE cards to be used throughout the customer environment, Revelstoke said. For instance, a CASE card created for an action in CrowdStrike could be replicated and used for a similar issue in Carbon Black, Microsoft Defender, or SentinelOne.
UDL makes replication possible

The unified data layer powers the new CASE enhancement, making it possible for automations to be translated and replicated over a network of technologies.

According to Allie Mellen, an analyst at Forrester, unified data layers are quickly becoming an industry favorite, and SOAR vendors are increasingly relying on this model to simplify integration between technologies and help security teams adapt as they adopt new technologies. UDL is a data framework for abstracting and managing integrations with third-party technologies, Mellen said.

“Without the UDL, this feature would not be nearly as effective as each sub-workflow would have to be designed specifically for the type of case being worked, meaning if you had 50 types of alerts you had automated, you would need 50 different variations of the sub-workflow. That is not scalable or practical, so without the UDL this feature would not be possible,” adds McCarthy.

Revelstoke’s CASE management, the company adds, now also includes features such as deep investigation, automated information gathering, postmortem reporting, and interactive and real-time case timelines.

The SOAR industry is scattered into various offerings including security analytics platform, security analytics portfolio, automation portfolio, threat intelligence and pure play, Mellen said.

“It’s clear that automation in the SOC [security operations center] has not been perfected and there is still opportunity to help support security teams better,” Mellen said.