Unifying Operations with DFLabs and PagerDuty

Unifying Operations

The ability for an organization to operate in a unified fashion when responding to a potential security incident can be the difference between an incident and a full-blown breach. Each operational unit within a company will develop their own processes and procedures and it is vital that incident responders know what these processes and procedures are, and who needs to be involved in case of an incident.

DFLabs’ integration with PagerDuty helps organizations bridge this gap by taking the complexity out of these differing policies to provide a unified plan of attack. With IncMan SOAR’s automation power and PagerDuty’s automatic workflow notification system, organizations can build their different policies and procedures into one seamless process. This in turn allows incident responders to focus their time and effort on containing a potential threat, confident that the appropriate stakeholders have been notified according to the organization’s incident handling policies.

The Problem

When investigating an active incident there’s a variety of investigational processes and stakeholders to consider. Depending on the type of incident and its severity, security professionals may need the assistance of numerous departments outside of the security operations center.

The need to work in conjunction with these outside departments can make an incident responder’s job even harder. Each department may have its own policies, procedures and escalation processes, and a responder can waste valuable time trying to decipher them. Escalating to an incorrect department or subject matter expert can leave potentially dangerous gaps in an organization’s incident response.

Therefore it is important for an organization to overcome these common security program problems during an incident, having sufficient processes in place to answer the following questions:

  • How can all stakeholders be kept informed during an active incident?

  • How can incident responders ensure all investigative processes are being followed?

  • How can security incidents be escalated to the correct subject matter experts in a timely manner to provide the critical information necessary to contain a threat?

The DFLabs and PagerDuty Solution

DFLabs’ integration with PagerDuty helps organizations to unify their business operations by seamlessly combining the automation power of IncMan SOAR and the robust communication features of PagerDuty to ensure the most relevant evidence is provided to the correct experts in real-time to contain an active incident.

The ability to connect dispersed teams during an ongoing security incident gives security teams the insight they need to correctly identify and prioritize a threat. By utilizing PagerDuty to enforce the differing policies, procedures and escalation processes found in large organizations, security professionals can be confident that all steps are taken to rapidly respond to a security threat.

About PagerDuty

PagerDuty is the leading digital operations management platform for businesses. PagerDuty’s on-call management capabilities make it simple to distribute on-call responsibilities across all teams within an organization. PagerDuty helps to enforce accountability and quality as organizations onboard new services at scale with intuitive, flexible scheduling and escalation.

Use Case

Now let’s look at a simple use case in action.

A Data Loss Prevention (DLP) solution triggers an alert in IncMan SOAR about potentially sensitive data being uploaded to GitHub. The DevOps team regularly utilizes GitHub for hosting their projects, but the DLP solution has detected the potential presence of an API key within the uploaded code. IncMan receives the alert, begins to gather information on the user who uploaded the code, and downloads the file which was uploaded.

Once the file has been downloaded, IncMan reaches a User Choice decision, which pauses the automation and allows an analyst to review the previously gathered information. If the analyst finds that an API key was indeed present within the uploaded code and poses a risk to the organization, the analyst may choose the User Choice path within IncMan which will cause a new incident to be created in PagerDuty. The raw output from the downloaded file will be added to the PagerDuty incident and a new responder request will be created. This request will follow the predetermined escalation processes agreed upon by the DevOps team.

An email will be sent to the DevOps team subject matter expert to begin scrubbing the sensitive data from the site. Once the email has been sent to the responsible party, IncMan will update the incident to include the assigned responder to the incident.
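The playbook described above, sketched as an added example (this is not IncMan's or PagerDuty's own code): a constructed "uploaded file" carrying Amazon's documented example credentials is scanned with two placeholder DLP rules, the automation pauses for the analyst's User Choice, and on confirmation the three PagerDuty REST API v2 calls the text describes are issued in order: create the incident, attach the evidence as a note, and open a responder request against the DevOps escalation policy. The endpoint paths, headers and body shapes are PagerDuty's real v2 ones; the service, escalation-policy, user and incident IDs and the in-memory `FakePagerDuty` transport are assumptions so the example runs offline.

```python
"""Constructed sketch of the DLP-to-PagerDuty playbook described in the text.

The PagerDuty REST API v2 paths and body shapes (POST /incidents,
/incidents/{id}/notes, /incidents/{id}/responder_requests) are real; the
IDs, e-mail address and the in-memory transport are placeholders so the
example runs without network access.
"""
import re
from typing import Callable, Dict, List

# Constructed "uploaded file". The AWS values are Amazon's documented
# example credentials, not live keys.
SAMPLE_UPLOAD = """\
# deploy/settings.py
REGION = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

# Minimal stand-in for the DLP rule set: a vendor-specific key shape first,
# then a generic "variable named *secret/key/token* assigned a long string".
KEY_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("generic_secret",
     re.compile(r'(?i)\b[A-Z0-9_]*(?:secret|key|token)[A-Z0-9_]*\s*=\s*["\']([^"\']{16,})["\']')),
]


def find_secrets(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that looks like a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KEY_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"kind": kind, "line": lineno, "secret": m.group(1)})
                break  # first matching rule wins; one finding per line
    return findings


def redact(text: str, findings: List[Dict[str, object]]) -> str:
    """Mask each detected secret so the evidence can leave the SOC safely."""
    for f in findings:
        secret = str(f["secret"])
        text = text.replace(secret, secret[:4] + "****REDACTED****")
    return text


def pagerduty_headers(api_token: str, from_email: str) -> Dict[str, str]:
    """Headers PagerDuty's REST API v2 expects on write calls."""
    return {
        "Authorization": f"Token token={api_token}",
        "Accept": "application/vnd.pagerduty+json;version=2",
        "Content-Type": "application/json",
        "From": from_email,  # required when creating incidents and notes
    }


class FakePagerDuty:
    """Records the requests a real HTTP client would send; returns canned IDs."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, object]] = []

    def send(self, method: str, path: str, body: dict) -> dict:
        self.calls.append({"method": method, "path": path, "body": body})
        if path == "/incidents":
            return {"incident": {"id": "PINC001"}}  # placeholder incident id
        return {}


def run_playbook(upload: str, analyst_confirms: Callable[[list], bool],
                 send: Callable[[str, str, dict], dict],
                 service_id: str = "PSVC001", escalation_policy_id: str = "PEP001",
                 requester_id: str = "PUSR001") -> Dict[str, object]:
    """Alert -> enrich -> User Choice -> PagerDuty incident, note, responder request."""
    findings = find_secrets(upload)
    if not findings:
        return {"status": "no_secret_found", "incident_id": None}
    # User Choice: the automation pauses until an analyst reviews the evidence.
    if not analyst_confirms(findings):
        return {"status": "closed_false_positive", "incident_id": None}

    evidence = redact(upload, findings)
    created = send("POST", "/incidents", {"incident": {
        "type": "incident",
        "title": f"DLP: possible API key pushed to GitHub ({len(findings)} finding(s))",
        "service": {"id": service_id, "type": "service_reference"},
        "urgency": "high",
        "body": {"type": "incident_body", "details": evidence},
    }})
    incident_id = created["incident"]["id"]
    send("POST", f"/incidents/{incident_id}/notes",
         {"note": {"content": "Redacted raw output of the uploaded file:\n" + evidence}})
    send("POST", f"/incidents/{incident_id}/responder_requests", {
        "requester_id": requester_id,
        "message": "Please scrub the committed credential and rotate it.",
        "responder_request_targets": [{"responder_request_target": {
            "id": escalation_policy_id, "type": "escalation_policy_reference"}}],
    })
    return {"status": "escalated", "incident_id": incident_id, "findings": findings}


if __name__ == "__main__":
    pd = FakePagerDuty()
    print(run_playbook(SAMPLE_UPLOAD, lambda f: True, pd.send))
    for call in pd.calls:
        print(call["method"], call["path"])
```

Two points a practitioner should add to the workflow as described. First, the raw output of the downloaded file is redacted before it is attached to the PagerDuty incident: anything placed in an incident body or note is relayed to responders by e-mail, SMS and push notification, so posting the key verbatim widens its exposure rather than containing it. Second, scrubbing the key from the repository is not sufficient on its own; a credential that has been pushed must be treated as compromised and rotated, because it remains in clones, forks and commit history even after the file is cleaned.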

Summary

The integration between DFLabs and PagerDuty enables enterprises to better organize their operations by combining the automation power of IncMan SOAR with PagerDuty’s communication features, rapidly relaying incident and alert details to all stakeholders inside and outside the security operations center.

By utilizing PagerDuty’s technology for enforcing policies, procedures and processes, each department can build its own processes for incident handling, and security managers can gain confidence in alert and incident escalation, assured that all steps will be taken to quickly respond to a threat and that the correct subject matter experts are involved from the outset.

If you are attending RSA Conference 2019 next week in San Francisco, hear more about our integration with PagerDuty during some featured presentations at our booth #3104 in the South Hall on Tuesday March 5 at 12:00 & Wednesday March 6 @ 10:30.
