Enabling Faster and More Efficient Cyber Security Incident Response with LogPoint SIEM and DFLabs SOAR

Cyber Security Incidents: The Problem and Challenges

Cyber security incidents are complex, potentially involving numerous assets being monitored by a myriad of different prevention and detection technologies. Investigating a cyber security incident requires the involvement of many different people, processes and technologies, all of which must work together seamlessly for an effective and efficient response. Failure to properly orchestrate these many moving parts can lead to increased risk, exposure and losses.

During a cyber security incident, context is key. Without proper context, analysts and managers are unable to make informed decisions regarding potential risk, containment and recovery. Gathering that context is often a manual, time-consuming task, wasting valuable time while attackers continue to move through the network unobstructed.

Therefore, it is critical for security programs to implement an overall solution that aims to solve three key challenges:

  1. How can I use my existing resources more effectively?
  2. How can I reduce the mean time to detection (MTTD)?
  3. How can I reduce the mean time to response (MTTR)?

Combine the Power of LogPoint SIEM with DFLabs SOAR to Enable Faster and More Efficient Cyber Security Incident Response

The DFLabs and LogPoint Solution

DFLabs' IncMan Security Orchestration, Automation, and Response (SOAR) platform automates, orchestrates and measures security operations and incident response tasks, including threat validation, triage and escalation, context enrichment and threat containment. IncMan uses machine learning and Rapid Response Runbooks (R3 Runbooks) as a force multiplier, enabling security teams to reduce average incident resolution times and handle more incidents with the same staff.

LogPoint's SIEM is designed from the ground up to be simple, flexible and scalable, with streamlined design, deployment and integration tooling intended to make SIEM practical for businesses of all sizes. Its architecture can be extended with additional functionality without waiting for a major release, so it can keep pace with a business's growing and changing needs.

Each solution has its merits on its own, but each also has its limitations. SIEMs are the more established component of security operations infrastructure: they ingest large volumes of data and provide real-time analytics and alerting, but not every alert can realistically be handled manually by security analysts. Orchestration and automation are critical to responding effectively and efficiently to a cyber security incident. The DFLabs IncMan SOAR platform is layered on top of the SIEM to manage the incident response process for each alert. Combining the aggregation, storage and analytics power of LogPoint with the orchestration, automation and response power of IncMan multiplies the impact of the existing security program by taking the repetitive, mundane tasks away from the analyst, freeing analysts to focus their time and energy where they can have the greatest impact.

Together they can provide security programs with the ability to:

  1. Automate repeatable, mundane tasks.
  2. Orchestrate actions across multiple security tools.
  3. Enrich raw data, allowing for more informed, effective decisions.
  4. Reduce the mean time to detection and mean time to response, minimizing potential risk.

Use Case in Action

A proxy has observed an internal host communicating with an IP address known to be a command and control server used by malicious actors. The proxy generated an alert, which was forwarded to LogPoint. Using the IncMan app, LogPoint automatically forwarded the event to IncMan, which generated an incident and began an automated response, including executing the R3 Runbook shown below.

[Figure: the R3 Runbook executed in response to the proxy alert]

The runbook begins by performing several basic Enrichment actions, such as performing a Whois query and an IP geolocation search. These Enrichment actions are followed by a Containment action, which is used to block the malicious IP address at the perimeter firewall.

Once the initial IP address is blocked, an additional Enrichment action is used to query LogPoint for a list of all IP addresses the internal host has communicated with in the past 30 minutes. Next, an Enrichment action queries each of these IP addresses against the organization's threat reputation service of choice (for example, VirusTotal, Cisco Umbrella or McAfee ATD).

Any IP addresses which have a negative reputation undergo the same process as the initially identified malicious IP address: first several Enrichment actions perform basic data enrichment, then a Containment action blocks them at the perimeter firewall. In practice this is the step where an automated runbook can do damage if it is not gated: reputation services also flag shared hosting, CDN and cloud provider addresses, so the block should be conditioned on a reputation threshold and an allowlist of known-good infrastructure, with allowlisted hits recorded in the incident for analyst review rather than blocked.

Once these IP addresses have been blocked to prevent any additional risk, LogPoint is again queried; this time for any other internal hosts which may have been communicating with these additional malicious IP addresses.

If any other internal hosts have been observed communicating with any of these additional malicious IP addresses, a final Enrichment action gathers further information about each internal host from the IT asset inventory. This information is stored automatically within the IncMan incident and is available for an analyst to review and follow up.

To ensure that each additional potentially compromised internal host is investigated further by an analyst, a Notification action immediately notifies security team leaders that these hosts have been identified. If the organization uses an IT ticketing system, an additional integration could automatically generate a ticket to provide accountability.
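The pivot logic of this runbook, written out as plain Python over constructed sample data so that the 30-minute window filter, the reputation gate and the second pivot can be read end to end. This is an added example, not IncMan or LogPoint code: the proxy events, reputation votes, asset records, the five-vote threshold and the allowlisted /29 are all made up for the illustration, and the functions stand in for the platform's Enrichment, Containment and Notification actions and for the two LogPoint queries.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- Constructed sample data (stands in for what LogPoint, the reputation
# --- service and the asset inventory would return; not real telemetry) -----
ALERT_HOST = "10.1.2.30"
C2_IP = "203.0.113.7"
ALERT_TIME = datetime(2018, 11, 5, 10, 0)

# (timestamp, internal source host, external destination IP) per proxy connection
PROXY_EVENTS = [
    (datetime(2018, 11, 5, 10, 0), "10.1.2.30", "203.0.113.7"),    # the alerting C2 connection
    (datetime(2018, 11, 5, 9, 45), "10.1.2.30", "198.51.100.23"),  # second bad IP, inside the window
    (datetime(2018, 11, 5, 9, 50), "10.1.2.30", "192.0.2.10"),     # benign
    (datetime(2018, 11, 5, 9, 55), "10.1.2.30", "198.51.100.5"),   # bad reputation, but allowlisted
    (datetime(2018, 11, 5, 8, 0),  "10.1.2.30", "198.51.100.99"),  # bad, but outside the 30-minute window
    (datetime(2018, 11, 5, 9, 58), "10.1.2.31", "198.51.100.23"),  # a second host reached the bad IP
    (datetime(2018, 11, 5, 9, 59), "10.1.2.33", "198.51.100.5"),   # only reached the allowlisted IP
]
# Reputation service result, modelled as a malicious-vote count per IP
REPUTATION = {"203.0.113.7": 40, "198.51.100.23": 12, "198.51.100.99": 30,
              "192.0.2.10": 0, "198.51.100.5": 9}
REPUTATION_THRESHOLD = 5                     # assumed: this many votes or more is "negative reputation"
ALLOWLIST = [ip_network("198.51.100.0/29")]  # assumed shared/critical infrastructure, never auto-blocked
ASSET_INVENTORY = {"10.1.2.30": {"hostname": "ws-finance-07", "owner": "finance"},
                   "10.1.2.31": {"hostname": "ws-hr-02", "owner": "hr"}}


@dataclass
class Incident:
    """What the runbook writes back into the incident record."""
    blocked: list = field(default_factory=list)
    skipped: list = field(default_factory=list)       # negative reputation but allowlisted
    enrichment: dict = field(default_factory=dict)
    additional_hosts: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)


def enrich_ip(ip):
    """Stand-in for the Whois / geolocation Enrichment actions."""
    return {"ip": ip, "reputation_votes": REPUTATION.get(ip, 0)}


def has_negative_reputation(ip):
    return REPUTATION.get(ip, 0) >= REPUTATION_THRESHOLD


def block_at_perimeter(ip, incident):
    """Containment action with an allowlist gate. Returns True if a block was issued."""
    if any(ip_address(ip) in net for net in ALLOWLIST):
        incident.skipped.append(ip)          # leave it for an analyst, do not cut off shared infra
        return False
    incident.blocked.append(ip)              # a real runbook would call the firewall API here
    return True


def peers_of(host, since, events):
    """SIEM query 1: every external IP `host` reached at or after `since`."""
    return sorted({dst for ts, src, dst in events if src == host and ts >= since})


def hosts_talking_to(ips, events):
    """SIEM query 2: internal hosts that reached any IP in `ips`, with the IPs each reached."""
    result = {}
    for _ts, src, dst in events:
        if dst in ips:
            result.setdefault(src, set()).add(dst)
    return result


def run_runbook(alert_host, c2_ip, alert_time, events, window=timedelta(minutes=30)):
    inc = Incident()
    # Step 1: enrich and block the IP from the original alert
    inc.enrichment[c2_ip] = enrich_ip(c2_ip)
    block_at_perimeter(c2_ip, inc)
    # Step 2: pivot on the alerting host's recent peers and reputation-check them
    peers = [p for p in peers_of(alert_host, alert_time - window, events) if p != c2_ip]
    confirmed = []
    for ip in filter(has_negative_reputation, peers):
        inc.enrichment[ip] = enrich_ip(ip)
        if block_at_perimeter(ip, inc):
            confirmed.append(ip)
    # Step 3: pivot again on the IPs actually blocked to find other affected hosts
    others = hosts_talking_to(set(confirmed), events)
    others.pop(alert_host, None)
    for host, ips in sorted(others.items()):
        inc.additional_hosts[host] = {"ips": sorted(ips),
                                      "asset": ASSET_INVENTORY.get(host, {"hostname": "unknown"})}
    # Step 4: notify when the pivot turned up more hosts
    if inc.additional_hosts:
        inc.notifications.append("Additional potentially compromised hosts: "
                                 + ", ".join(inc.additional_hosts))
    return inc


def run_example():
    """Runs the runbook over the constructed data above."""
    return run_runbook(ALERT_HOST, C2_IP, ALERT_TIME, PROXY_EVENTS)


if __name__ == "__main__":
    result = run_example()
    print("blocked:", result.blocked, "skipped:", result.skipped)
    print("additional hosts:", result.additional_hosts)
    print("notifications:", result.notifications)
```

Two design choices are worth noting. The second pivot runs only over IPs that were actually blocked, so an allowlisted address with a poor reputation (198.51.100.5 above) is recorded in the incident for an analyst but does not by itself drag every host that used that shared infrastructure into the incident. And the window filter is applied to the SIEM query, not after the fact, which is also how the real query should be written: the 198.51.100.99 connection two hours earlier is exactly the kind of hit an analyst may want to see during follow-up, but it is not what the 30-minute runbook step asked for.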

Minimizing the time from threat discovery to resolution from hours to seconds

The combination of a SIEM and a SOAR solution can provide real end-to-end visibility to neutralize potential cyber threats. By providing early detection and faster remediation of security incidents, it can transform the security operations and incident response capability of an organization's security program. Adopting this structure reduces the time from threat discovery to resolution and can also improve operational performance, increase the return on investment of existing security technologies, reduce the risk resulting from security incidents and help meet legal and regulatory obligations.
