Preparation for GDPR has been underway for the last two years. Although last month’s deadline has passed and GDPR is now in effect, many companies in the EU, and in the rest of the world for that matter, are still not fully compliant. A recent survey by Spiceworks found that only 25 percent of US companies were thought to be compliant when GDPR came into force. Many of these companies are waiting to see what impact the new legislation will have once the first major post-GDPR breach is uncovered. While we wait for that announcement, the chances are that breaches have already occurred since May 25th but have yet to be detected and disclosed. Dixons Carphone may be the first, having announced a huge data breach last week involving 5.9 million payment cards and 1.2 million personal data records, but the breach is reported to have taken place last year, pre-GDPR, so the consequences are somewhat unclear.
GDPR is unusual in that it is the first major regulation to focus on the aftermath of a breach and its impact on the individual, rather than solely on the controls organizations put in place to prevent a breach in the first place. What seems to have caused the most confusion is that there is no “one size fits all” approach to GDPR compliance, and there have been many different interpretations. Companies must be able to show that they have carried out the necessary risk assessments and put appropriate policies, processes and procedures in place, proportionate to the risks involved.
Historically, security controls have been associated with breach prevention, but today cybersecurity strategies have been turned on their head and security operations teams must assume that a breach has occurred or will occur. It is no longer a question of “if” but of “when”. This change in mindset puts incident response, in particular data breach notification and reporting processes, at the forefront of reducing the risk of a data breach rather than treating them as an afterthought. Organizations under GDPR now have to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and have to be able to show that their security program and their response were appropriate to the situation.
If you are not yet fully GDPR compliant, there is no time to wait. Here are five steps you should take without undue delay.
1. Establish Roles and Responsibilities
Data Protection Officer (DPO) is the latest job title being created within many organizations. The DPO’s main responsibilities include advising on security controls, processes and procedures within the organization, monitoring compliance, and acting as the main point of contact for the supervisory authority. The DPO is not the only role required, though: a proper incident response plan calls for many additional roles, including an incident response coordinator and legal, compliance and human resources contacts, to name a few. Stakeholders within the organization need to know how to put the plans into action. If you have yet to define roles and responsibilities, this is the key first step when tackling GDPR.
2. Know Your Data
Under GDPR it is important to understand what data exists, where it is located, who has access to it and for what purpose it is being used. Only the minimum amount of data needed for the task should be collected and processed, and it should not be retained for longer than necessary. Data the company does not know it holds cannot be protected, which puts the company at risk. Knowing where data exists is also crucial during incident response and breach notification, so carry out a comprehensive audit of your business and the data it holds.
3. Document the Incident Response Plan
Responding to a security incident requires a thoroughly planned and documented approach if it is to be effective. Without structure and documented processes and procedures, an incident response attempt can turn into complete mayhem. The plan should cover the tools, tasks and personnel required to respond to an incident, for every scenario whether large or small. Document both the high-level plan and the detailed workflows for handling specific types of security incident (runbooks and playbooks). Having this documentation and the associated processes in place will help your organization demonstrate that a formalized, repeatable process, with an appropriate response, was followed during a potential breach.
4. Test the Plan Regularly
Having a documented plan is one thing, but ensuring it works and is fully tested is another. GDPR not only requires that security controls are in place but also states that they should be tested and evaluated on a regular basis. This will most likely vary from organization to organization, but we would recommend it should take place at least once a year and include exercises such as breach simulations. As well as meeting this requirement under GDPR it also helps to ensure that all stakeholders within the incident response process are up to date and familiar with their respective role and responsibilities.
5. Ensure Reporting Practices and Proficiencies
The GDPR breach reporting and notification element is probably one of the most challenging aspects to comply with: 72 hours from becoming aware of a breach is a short window in which to scope, contain, report on and notify all parties of an incident. Organizations need to be able to gather and analyze large amounts of data from multiple sources, and make sense of that data, before notifying stakeholders internally and externally. Automated procedures for collecting data and preparing detailed reports from incident and forensic data are essential, as are documented processes for issuing notifications to potentially hundreds of thousands of individuals.
As we already know, data breach detection and incident response are never going to be straightforward for any organization, but GDPR has leveled the playing field by holding all companies to the same baseline requirements, with hefty fines and public scrutiny for those that fall short. It is now a critical time for organizations to ensure they have detailed, documented incident response plans and procedures in place to deal with any incident, along with the tools they need to comply more easily with the requirements.
If your security operations team is looking for assistance with its incident response program and tools to help the organization to demonstrate GDPR compliance as well as breach notification requirements, these useful resources may help. Read our DFLabs IncMan for GDPR solution brief and whitepaper about Increasing the Effectiveness of Incident Management to learn more.
As malware attacks continue, attackers are going to great lengths to obfuscate both the intent and capabilities of their malicious payloads to evade detection and analysis. In addition, the rate at which new malware is being developed has reached staggering new levels. Zero-day malware is increasingly common in all environments and signature analysis is becoming less effective.
As a result, malware has become increasingly difficult to detect using more traditional detection mechanisms. Once detection occurs, it is often difficult to successfully analyze the malicious file to determine the potential impact and extract indicators. To successfully respond to a potential malware incident and minimize the impact, early detection and analysis are critical.
In this blog, we will briefly discuss how a security operations team can detect, analyze and respond to advanced, evasive malware by utilizing McAfee Advanced Threat Defense (ATD) with DFLabs IncMan SOAR platform, and present a simple use case example.
Utilizing McAfee ATD with DFLabs IncMan SOAR Platform
Early detection, analysis, and extraction of indicators are critical in successfully responding to and remediating a security incident involving malware. McAfee ATD enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike traditional sandboxes, it includes additional inspection capabilities that broaden detection and expose evasive threats. Tight integration between security solutions enables instant sharing of threat information across the environment, enhancing protection and investigation.
DFLabs IncMan and McAfee ATD together address two specific challenges: 1) how can I reliably detect malicious files? and 2) how can I determine the capabilities of, and extract indicators from, malicious files? Using DFLabs IncMan’s integration with McAfee ATD together with IncMan’s R3 Rapid Response Runbooks, organizations can automate and orchestrate the detection and analysis of suspected advanced and evasive malware, allowing faster and more effective response to malware incidents. In addition, ATD provides users with critical insight into the capabilities of suspicious files, as well as indicators which may be further enriched through additional automated actions.
Use Case in Action
A potentially malicious file has been detected on a workstation, causing the security operations team to initiate the incident response process. The suspect file has been extracted from the workstation and attached to the IncMan incident as an artifact. The R3 Runbook defined for malware alerts and incidents is then used to scan the file, perform additional enrichment and, if necessary, block the infected host.
To begin, McAfee ATD is used to detonate the potentially malicious file. Once detonation has completed McAfee ATD will return information about the executable, including the determined severity level. Next, a condition is set to determine if the severity returned by McAfee ATD is greater than 0, indicating that the file is likely malicious.
If it is determined by McAfee ATD that the file is likely malicious, an additional enrichment action is utilized to gather additional information from McAfee ePolicy Orchestrator (ePO) regarding the host that the malicious file was detected on. Following this, McAfee ePO is also used to tag the host with the appropriate tags indicating that it may be infected with malware.
Following the additional enrichment actions, a user choice decision point is reached. This user choice decision will prompt the analyst to make a manual decision regarding whether or not the workstation which generated the malware alert should be temporarily blocked from communicating outside the network. All of the enrichment information from the previous actions, including the information from McAfee ATD and ePO will be available to the analyst to assist in the decision-making process.
If the analyst chooses to block this workstation at the perimeter, a containment action will utilize McAfee Web Gateway to block the IP of the workstation until further investigation and remediation can be conducted.
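The branching logic of the use case above (detonate, branch on severity, enrich and tag the host, pause for an analyst decision, then contain) can be written down as a small conditional runbook. The following is an added illustration and is not IncMan or McAfee code: the sandbox, endpoint-management and gateway calls are assumed stand-ins that return constructed data, so the flow runs offline, and the timestamped audit trail it keeps is the kind of record a case file needs.

```python
"""Conditional malware-response runbook with an analyst decision point.

Added illustration only: this is not IncMan or McAfee code. Every integration
below (sandbox, endpoint inventory, gateway) is an assumed stand-in that works
on constructed data, so the flow can be run and read offline.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set


@dataclass
class Incident:
    incident_id: str
    host_ip: str
    artifact_sha256: str
    enrichment: Dict[str, object] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # timestamped trail for the case record

    def log(self, message: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(f"{stamp} {self.incident_id} {message}")


# --- assumed stand-in integrations (constructed data, not vendor APIs) -------

SANDBOX_VERDICTS = {  # constructed: sha256 -> (severity, observed behaviours)
    "a" * 64: (4, ["writes %APPDATA%\\svc.exe", "beacons to 203.0.113.10:443"]),
    "b" * 64: (0, []),
}


def sandbox_detonate(sha256: str) -> dict:
    """Stand-in for a sandbox verdict; unknown hashes come back as severity 0."""
    severity, behaviours = SANDBOX_VERDICTS.get(sha256, (0, []))
    return {"severity": severity, "behaviours": behaviours}


def endpoint_lookup(host_ip: str) -> dict:
    """Stand-in for an endpoint-management query keyed on IP address."""
    return {"ip": host_ip, "hostname": "ws-0142", "os": "Windows 10",
            "owner": "finance", "tags": []}


def endpoint_tag(host: dict, tag: str) -> None:
    host["tags"].append(tag)


def gateway_block(host_ip: str, blocklist: Set[str]) -> None:
    blocklist.add(host_ip)


# --- the runbook -------------------------------------------------------------

def run_malware_runbook(inc: Incident, analyst_decision: Callable[[Incident], bool],
                        blocklist: Set[str]) -> str:
    """Detonate -> branch on severity -> enrich and tag -> analyst gate -> contain.

    Returns the outcome so a caller (or test) can check which branch ran.
    """
    inc.log("runbook start")
    verdict = sandbox_detonate(inc.artifact_sha256)
    inc.enrichment["sandbox"] = verdict
    inc.log(f"sandbox severity={verdict['severity']}")

    # Condition: severity > 0 means the sandbox judged the file likely malicious.
    if verdict["severity"] <= 0:
        inc.log("verdict benign; closing without containment")
        return "closed_benign"

    host = endpoint_lookup(inc.host_ip)
    endpoint_tag(host, "suspected-malware")
    inc.enrichment["host"] = host
    inc.log(f"host {host['hostname']} ({host['owner']}) tagged suspected-malware")

    # Dual-mode gate: containment runs only if the analyst approves, and the
    # analyst sees all enrichment gathered so far when deciding.
    if analyst_decision(inc):
        gateway_block(inc.host_ip, blocklist)
        inc.log(f"perimeter block applied to {inc.host_ip}")
        return "contained"

    inc.log("analyst declined containment; escalated for manual review")
    return "escalated"


if __name__ == "__main__":
    blocked: Set[str] = set()
    case = Incident("INC-2018-0042", "10.0.5.23", "a" * 64)
    # A decision callback stands in for the analyst prompt; here it refuses to
    # block finance workstations automatically.
    outcome = run_malware_runbook(
        case, lambda i: i.enrichment["host"]["owner"] != "finance", blocked)
    print(outcome)
    print("\n".join(case.audit))
```

The decision callback is where the platform would prompt the analyst; passing it the whole incident, enrichment included, is what makes the manual choice an informed one rather than a blind yes/no.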
By harnessing the power of McAfee ATD, along with the additional orchestration, automation and response features of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization. With malware continuing to be one of the top cyber attacks, it is critical that security operations have a streamlined process in place in order to be able to detect and respond to such security alerts.
If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.
Cyber threat intelligence (CTI) is a process that helps an organization collect insight into situational and contextual risks that can be correlated with the organization’s specific threat landscape, markets and industrial processes. That said, deploying a threat intelligence platform alone is rarely sufficient to address the complexity of today’s Security Operations Center (SOC) environment.
Threat intelligence sources can be of significant value when assessing organizational vulnerabilities, and they provide insight into more than just infection vectors. Threat intelligence gives organizations the knowledge to correlate data from a number of disparate sources and recognize attacks earlier. This directly addresses the three issues most commonly facing responders today: prioritizing incoming incidents, reducing response time, and aggregating data from a number of sources to build the clearest possible picture of an incident.
Designing an appropriate method of integrating threat intelligence into your information security infrastructure has never been easier. Orchestration and automation platforms such as IncMan SOAR from DFLabs have been used to rapidly integrate threat intelligence into the incident response infrastructure, including feeds delivered using Structured Threat Information eXpression (STIX), the language for describing threat information, and Trusted Automated eXchange of Indicator Information (TAXII), the transport protocol for sharing it, as well as other threat intelligence sources. These community standards enable the exchange of cyber threat intelligence between intelligence sources and IT security teams, and support proactive security based on near real-time information shared between commercial suppliers, government, non-profit efforts and industry partners.
Once integrated into an incident orchestration platform, these sources of threat intelligence can be used to evaluate risks, assess potential damage and correlate threat vectors. This allows the prioritization of incoming incidents to be automated on the basis of the intelligence, helps identify the attacker’s tactics, techniques and procedures (TTPs), and informs a comprehensive incident response strategy by identifying not only the likely attack vector but possible actors as well.
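The concrete step behind “integrate STIX/TAXII intelligence and use it to prioritize incidents” is to pull the indicator objects out of a STIX bundle, index their observable values, and score incoming events against that index. Here is an added example of that, not DFLabs or IncMan code and not a replacement for a full STIX pattern evaluator: the bundle is constructed in the shape a TAXII collection poll returns, the log lines are constructed too, and only the single-comparison pattern form is handled.

```python
"""Load STIX 2.1 indicators from a bundle and use them to rank events.

Added example, not DFLabs or IncMan code. The bundle below is constructed to
look like what a TAXII collection poll returns, and the event lines are
constructed too, so the whole thing runs offline.
"""
import json
import re
from typing import Dict, List

DROPPER_SHA256 = "ab" * 32  # constructed hash

STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2018-05-01T00:00:00.000Z", "modified": "2018-05-01T00:00:00.000Z",
         "name": "C2 server", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2018-05-01T00:00:00Z", "confidence": 85},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2018-05-01T00:00:00.000Z", "modified": "2018-05-01T00:00:00.000Z",
         "name": "Dropper binary", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{DROPPER_SHA256}']",
         "valid_from": "2018-05-01T00:00:00Z", "confidence": 95},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "created": "2018-05-01T00:00:00.000Z", "modified": "2018-05-01T00:00:00.000Z",
         "name": "Staging domain (low confidence)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.example']",
         "valid_from": "2018-05-01T00:00:00Z", "confidence": 40},
        {"type": "malware", "spec_version": "2.1",  # not an indicator; skipped
         "id": "malware--55555555-5555-4555-8555-555555555555",
         "created": "2018-05-01T00:00:00.000Z", "modified": "2018-05-01T00:00:00.000Z",
         "name": "Dropper", "is_family": False},
    ],
})

# Handles the single-comparison form "[object:path = 'value']" only; compound
# patterns (AND / OR / FOLLOWEDBY) belong to a full STIX pattern evaluator.
SIMPLE_PATTERN = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]")
TOKEN = re.compile(r"[a-z0-9._-]+")


def load_indicators(bundle_json: str) -> Dict[str, dict]:
    """Map each observable value to its indicator, skipping non-indicator objects."""
    lookup: Dict[str, dict] = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = SIMPLE_PATTERN.fullmatch(obj["pattern"].strip())
        if not match:
            continue  # compound or unsupported pattern: leave to a real evaluator
        path, value = match.groups()
        lookup[value.lower()] = {"id": obj["id"], "path": path,
                                 "name": obj.get("name", ""),
                                 "confidence": obj.get("confidence", 0)}
    return lookup


EVENTS = [  # constructed log lines from proxy, DNS and EDR sources
    "2018-05-26T10:01:02Z proxy src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=5120",
    "2018-05-26T10:01:09Z dns client=10.0.5.23 query=update-check.example type=A",
    "2018-05-26T10:02:44Z proxy src=10.0.5.31 dst=198.51.100.7 dport=80 bytes=800",
    f"2018-05-26T10:03:10Z edr host=ws-0142 sha256={DROPPER_SHA256} action=create",
]


def score_events(events: List[str], lookup: Dict[str, dict]) -> List[dict]:
    """Rank events by the highest indicator confidence they touch (0 = no hit)."""
    scored = []
    for line in events:
        tokens = set(TOKEN.findall(line.lower()))
        hits = [lookup[t] for t in tokens if t in lookup]
        scored.append({
            "line": line,
            "score": max((h["confidence"] for h in hits), default=0),
            "matched": sorted(h["id"] for h in hits),
        })
    return sorted(scored, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in score_events(EVENTS, load_indicators(STIX_BUNDLE)):
        print(row["score"], row["matched"], row["line"])
```

Ranking by the producer’s confidence value is what lets the platform put the EDR hit on the high-confidence hash above the low-confidence domain lookup, rather than treating every feed match as equally urgent.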
Today’s cybercrime environment involves tactics and techniques that can wreak havoc within our networks in a very brief period of time. These threats have a far reach irrespective of industry or infrastructure classification. Given this speed, it is imperative that we implement a comprehensive threat intelligence program that leverages a centralized orchestration and response platform and permits organizations to aggressively address the constantly changing threat landscapes as a combined effort.
Attackers have long embraced automation. Although attackers were probably automating their attacks before the Morris worm, in 1988 that worm brought attack automation to the attention of the security industry when it took down a significant fraction of the hosts then connected to the Internet. Since then, the sophistication of attack automation has increased enormously. Frameworks such as Metasploit allow attackers to script the entire attack process, from information gathering to exploitation, post-exploitation and data exfiltration, letting them compromise systems with far greater efficiency.
According to the 2017 SANS Incident Response Survey, almost 50% of organizations who responded reported average detection to containment times of greater than 24 hours. Put another way, almost half of these organizations are allowing attackers to remain in their networks for more than a day after they have first been detected, and that does not even include the time that elapses from compromise to detection. Even an unskilled attacker can cause catastrophic damage to an organization with 24 hours of uninterrupted exploitation time. A skilled attacker automating network reconnaissance, establishing persistence on additional hosts and performing data exfiltration, can cause damage in 24 hours that it will take an organization months to fully discover and recover from.
Three decades later, why has the security industry been so slow to adopt the same methods of automation? We have long automated portions of the incident response process, such as automatically removing detected malicious files or quarantining suspicious emails, but we have yet to achieve the efficiency that attackers have been getting from automation for decades. Even for commodity attacks, this level of automation is often ineffective, as attackers have adapted by using multiple persistence mechanisms so that deleting a single file or registry key is not enough. To a skilled and determined attacker, this level of automated prevention is trivial to bypass in most instances.
Attackers have learned that automating large portions of the steps along the Cyber Kill Chain allows them to infiltrate a single target more quickly, as well as to attack multiple targets more efficiently. Why then has the security industry yet to follow suit and automate larger portions of the incident response lifecycle? The two most commonly encountered objections are that it is not possible, or too risky, to automate larger portions of the incident response lifecycle. The answer to the first objection is easy: it is certainly possible. The emergence of Security Orchestration, Automation and Response (SOAR) platforms, such as DFLabs IncMan, has made automation of a large part of the incident response lifecycle possible.
The answer to the second objection is a little more complicated. There is certainly reason for a cautious approach to automating more of the incident response lifecycle, especially when we consider automating containment, eradication and recovery. After all, there is little risk to the attackers when their automation fails: they may be detected, or they may not successfully exploit the target, and in either case the attacker can simply try another method or move on to the next target. The potential risk is much greater for organizations automating the incident response process. Automatically containing a business-critical system because of a malware detection, or automatically blocking a business-critical IP address because it was erroneously flagged as malicious, could cost an organization millions of dollars.
While these risks can never be completely eliminated, automation processes and technology have reached a level at which failing to embrace greater automation carries significantly more risk than implementing it in a well-planned, controlled manner. Proper pre-planning, and identifying the repeatable processes that can most safely be automated and offer the best risk/reward trade-off, maximizes the benefit of increased automation. Using both internal and external sources of enrichment, such as threat intelligence and internal asset databases, to inform the automated containment decision greatly reduces the risk of containment actions that could harm the organization. In addition, many SOAR platforms can bring a human into the loop at critical decision points. For example, IncMan’s Dual-Mode Orchestration allows users to switch between automated actions and human intervention at critical junctures in the response process, so the majority of the process can be automated while a person still signs off on the steps where pure automation poses the greatest risk.
Although we are likely still decades away from the proverbial incident response “easy button”, or being able to say “Alexa, remediate that threat”, the current threat landscape is also demanding that we do more with less and respond faster, and that means automation. SOAR platforms are no longer just “nice to have” technologies, they are becoming a requirement for organizations to remain one step ahead of the onslaught of attacks. As an industry, we must continue to learn from our adversaries and continue to embrace increasing levels of automation.
For more information about using automation check out our resources created in conjunction with the SANS Institute, including the white paper entitled “SOC Automation – Deliverance or Disaster” and webinar “Myths and Best Practices Surrounding SOC Automation”.
With the GDPR going into effect this week, the organizations it applies to have little time left to complete the preparations needed to comply with all of its provisions. The GDPR is aimed at protecting the personal data of individuals in the EU, and organizations that control or process such personal data in any capacity have until May 25th to bring their procedures for protecting against, and responding to, data breaches into line with the new legislation.
Specific measures that organizations have to implement include formalized incident response procedures and internal data breach notification processes, along with demonstrable capability to notify authorities and data subjects in the event of a data breach within a strictly specified timeframe. Putting these measures in place can be expensive and complicated, but it is necessary nonetheless, so organizations can use all the help they can get to reduce the cost of meeting GDPR breach notification requirements while streamlining their existing processes. This is where security tools come into play, with a vast number of solutions to choose from. Variety and choice are good, but they can also cause a headache for security professionals trying to make an informed decision and choose the most cost-effective and relevant solution for their needs.
To make it easier for security professionals to evaluate what they need in order to make sure their organizations are compliant with the upcoming GDPR requirements, this post will offer an overview of the most essential tools and why they are essential for GDPR breach notification compliance.
One of the most important elements of GDPR compliance is how organizations respond to cyber incidents, particularly as it relates to breach notification. Among other things, the GDPR requires that in the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the affected organization notify the appropriate supervisory authority within 72 hours of becoming aware of it. This is arguably the GDPR requirement organizations are most concerned about, as it involves a short timeframe within which they must not only scope and contain the breach, but be able to report on the details while following strict protocols, including documenting the events and showing that the proper incident response and case management procedures have been followed. Failure to comply can lead to severe and long-lasting consequences, damaging an organization’s reputation as well as its bottom line.
In order to be able to gather evidence and document a data breach and provide proof to authorities that the appropriate formalized procedures have been followed, organizations need a tool that can help make that process as streamlined as possible. That’s exactly the purpose of incident response and case management solutions, which are designed to allow reactions to incidents to be immediate and thorough by following set procedures, processes and workflows. These solutions have the ability to perform effective case management, including creation of an incident record, task assignment and management, evidence collation and analysis, along with data sharing and reporting, all of which are essential elements of meeting various GDPR requirements.
Automated and Orchestrated Response
In addition to case management and incident response procedures, organizations should look to automate and orchestrate their response to incidents such as breaches as much as possible. 72 hours will lapse very fast, and it is critical to get potential incidents under control as soon as possible. With security teams receiving ever more alerts while usually facing limited resources, automation not only reduces the mean time to detection and mean time to resolution of potential incidents, but also helps meet GDPR compliance timeframes.
Security orchestration, automation and response (SOAR) solutions can do this by providing incident response and breach notification playbooks specifically designed to align an organization’s reaction to these types of events with GDPR best practices in mind. They also entail specific GDPR workflows that can be automatically enforced, repeated and formalized, which is another important aspect of achieving GDPR compliance.
How DFLabs IncMan SOAR Platform Can Help
Meeting GDPR requirements and being able to demonstrate compliance takes a comprehensive approach that inevitably requires the implementation of a set of tools that have the capability to ensure a proper implementation of the required procedures in the event of a data breach impacting data subjects. Having a platform in place to formalize and support these requirements is crucial, so why use multiple tools and solutions when you can just use one?
DFLabs IncMan SOAR platform combines incident response and case management processes with comprehensive automation and orchestration functions. This enables organizations to fully adhere to breach notification requirements by implementing an incident response plan in case of a potential breach, automating associated processes, prioritizing incident response and related enrichment and containment actions, managing notification distribution and subsequent advanced reporting documentation of any incident.
Worldwide infrastructure outages caused by DDoS attacks are continuing to be a growing threat to today’s organizations as attackers find new ways to bypass existing mitigation technologies. According to a recent report by Kaspersky, DDoS attacks in Q1 2018 were at an all-time high in terms of both volume and duration. In addition to these growing numbers of attacks, organizations are experiencing a shortage of experienced cybersecurity professionals, making it more difficult to effectively defend their infrastructure and quickly remediate such attacks.
How SOAR Tools Can Help Expedite DDoS Incident Response
Manual data collection is time-consuming and requires an individual to manually access each tool to get the specific information they require, then export the data and manually perform data correlation. Depending on the organization’s workflow, the information may also need to be added to the incident management ticketing system in order to be shared with other teams within the organization. This process requires a skillful analyst to spend a significant amount of time performing mundane and repetitive tasks which can easily be automated, greatly reducing their value to the organization.
A security orchestration, automation and response (SOAR) platform, properly integrated into the security program, can help maximize the value of these skilled analysts. The IncMan SOAR platform from DFLabs allows security program administrators to create automated, conditional workflows to respond to incidents such as a DDoS attack through IncMan’s R3 Rapid Response Runbooks. These runbooks automate mundane, repetitive tasks, while IncMan’s Dual Mode Orchestration technology lets administrators require human intervention, oversight or approval where necessary. Security analysts can then focus solely on the tasks which require human input, allowing organizations to maximize the efficiency of their security teams and reduce the mean time to detection (MTTD) and mean time to resolution (MTTR).
IncMan SOAR is able to collect data from sources such as email, syslogs, database queries, as well as custom scripts and an assortment of bi-directional integrations with third-party solutions. With the right SOAR solution in place, it is possible to expedite data collection, collect threat intelligence and acquire forensic information from automatically triggered actions, notify the appropriate stakeholders and conduct supervised containment actions when appropriate. The use of the platform will heavily reduce the number of manual and mundane tasks that the analyst needs to perform, freeing up their time to complete more in-depth analysis and incident mitigation.
How Can Threat Intelligence Prevent DDoS Attacks?
A vast amount of threat data is being generated from a number of security tools and other data sources on an ongoing basis. It is critical that this information is accurately collected, stored and applied in order for the intelligence to be actionable and provide benefit to the organization.
Using the analogy of cooking, there is little value in having all of the ingredients for a recipe without the proper context regarding how each ingredient is used. Simply throwing all of the ingredients into a single pot will not create a culinary masterpiece and will not produce the desired results. The same concept applies to threat intelligence data. The vast amount of threat data is of little value to a security team without the proper context. The right SOAR platform should assist the security team in correlating this threat data, turning a list of ingredients into a proper dish, or threat data into actionable threat intelligence.
Accurately correlated threat intelligence can provide critical insight to inform decisions as well as to contain and mitigate present and future attacks. Intelligence data should be made available in multiple forms, including visualizations, to assist security analysts in correctly understanding the full context of the information. Correlation graphs and search capabilities can also be utilized to enable threat hunting, allowing security analysts to proactively seek out threats which may be looming or have gone undetected by automated detection technologies.
The Best Approach to Prevent DDoS Attacks
A layered approach of defense is the best method to prevent, or at the very least minimize the impact of a DDoS attack, while eliminating any single points of failure. Maintaining network baseline information, monitoring the network for any anomalies and ensuring all systems remain patched are all critical components of DDoS mitigation.
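“Maintaining network baseline information and monitoring for anomalies” is the detection half of that strategy, and the piece a SOAR runbook would trigger on. The following is an added example, not DFLabs or IncMan code: it learns a per-minute request baseline from constructed flow records, flags minutes that exceed it, and then looks at how many distinct sources are involved, because a flood from thousands of spoofed addresses needs upstream scrubbing where a handful of heavy sources can simply be blocked at the edge. The records, the three-minute flood and the threshold choices are all assumptions made for the example.

```python
"""Baseline-and-deviation detection of a request flood, per minute.

Added example, not DFLabs or IncMan code. The flow records are constructed to
give 30 quiet minutes followed by a three-minute flood from many spoofed
sources; in practice the records would come from flow collectors or web logs.
"""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Record = Tuple[int, str, int]  # (minute bucket, source IP, destination port)


def make_records() -> List[Record]:
    """Constructed traffic: ~120 requests/min from 40 hosts, then a flood."""
    records: List[Record] = []
    normal_sources = [f"10.1.0.{i}" for i in range(40)]
    for minute in range(30):  # quiet baseline, slight per-minute jitter
        for idx, src in enumerate(normal_sources):
            records.extend([(minute, src, 443)] * (2 + (idx + minute) % 3))
    for minute in range(30, 33):  # flood: 200 sources x 12 requests/min each
        for i in range(200):
            records.extend([(minute, f"198.51.100.{i}", 443)] * 12)
    return records


def per_minute(records: List[Record]) -> Dict[int, Counter]:
    """Group records into {minute: Counter(source -> requests)}."""
    buckets: Dict[int, Counter] = {}
    for minute, src, _port in records:
        buckets.setdefault(minute, Counter())[src] += 1
    return buckets


def learn_baseline(buckets: Dict[int, Counter], window: int) -> dict:
    """Mean/deviation of request volume and source count over the training window.

    Assumes every minute 0..window-1 is present (true for the constructed data).
    """
    volumes = [sum(buckets[m].values()) for m in range(window)]
    sources = [len(buckets[m]) for m in range(window)]
    mu, sigma = mean(volumes), pstdev(volumes)
    return {
        "mean": mu,
        # Pure z-scores over a very steady baseline fire on trivial noise, so
        # the alert threshold is also floored at twice the mean.
        "threshold": max(mu + 3 * sigma, 2 * mu),
        "mean_sources": mean(sources),
    }


def detect_flood(records: List[Record], window: int = 30) -> List[dict]:
    """Return one alert per minute whose volume exceeds the learned threshold."""
    buckets = per_minute(records)
    base = learn_baseline(buckets, window)
    alerts = []
    for minute in sorted(m for m in buckets if m >= window):
        volume = sum(buckets[minute].values())
        if volume <= base["threshold"]:
            continue
        distinct = len(buckets[minute])
        # Many new sources at modest per-source rates points at a distributed
        # flood, which per-source ACLs will not stop; a few heavy sources can
        # be blocked individually at the edge.
        distributed = distinct > 3 * base["mean_sources"]
        alerts.append({
            "minute": minute,
            "requests": volume,
            "threshold": round(base["threshold"], 1),
            "distinct_sources": distinct,
            "top_sources": buckets[minute].most_common(3),
            "action": ("engage upstream scrubbing" if distributed
                       else "block top sources at the edge"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(make_records()):
        print(alert)
```

The “action” field is the kind of enrichment an analyst wants at a containment decision point: the same volume spike calls for a different response depending on whether it comes from three sources or three hundred.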
For critical systems which cannot tolerate any downtime, it is important to have a documented DDoS mitigation strategy in place. DDoS mitigation strategies may vary depending on the type of network being protected and the maximum tolerable downtime, however, may include high availability or redundant systems, backup connections or DDoS scrubbing services.
DDoS attacks represent a dominant threat and often target organizations that provide a service to a wide customer base, area or network in order to have the largest impact. DDoS attacks also continue to grow in complexity and size, as seen in the memcached amplification attack on GitHub at the end of February 2018, which peaked at about 1.35 Tbps, followed within days by another attack reported at 1.7 Tbps.
Some organizations are now experiencing over 10,000 threat events weekly; an overwhelming number of events to be manually investigated and mitigated by incident responders. A SOAR solution will act as a force multiplier, enabling security teams to do more with fewer resources, and will help reduce the MTTD and MTTR, proactively helping to respond to future alerts and even preventing incidents from occurring in the first instance. Historical event and data correlation is critical and can be used to identify security gaps, harden networks and allow for early detection of potential security incidents, further increasing the ROI of a SOAR platform.
Regardless of the number of cyber security events you attend, their specific focus, size or location, there are always several important items on the agenda and key takeaways for security professionals and security vendors alike, which keep us going back for more.
Cyber security professionals attend these events to gather with people who share the same interest and expertise as they do, to learn about new and upcoming things in the industry, to network and meet people, as well as seek out potential vendor solutions to solve their common day challenges and pain points.
On the flipside, cyber security vendors want much the same: to hear about the latest trends and advancements in technologies and solutions, and to take the opportunity to meet and network with like-minded people, since today we tend to communicate less formally over email and social networks rather than by the old-fashioned face to face method. If they can, they will of course want to showcase their solution first-hand so the full benefits can be seen, which isn’t a bad thing, as face to face meetings are becoming few and far between.
There are literally hundreds of events happening daily, weekly and monthly on a global scale, too many to count. Conferences and events DFLabs has recently participated in include probably the most renowned of them all, RSA Conference US in San Francisco, as well as last week’s GISEC event in Dubai. Both were great successes, with meetings with new prospects, existing customers, and channel and technology partners. If you didn’t get a chance to meet up with us then, feel free to drop us a line.
So how do you choose which ones to attend? This will depend on a number of deciding factors personal to you, including your agenda, the event program, what you want to achieve, size, location, cost of attending, as well as what fits in with juggling your busy schedule and availability. If Security Orchestration, Automation, and Response (SOAR) is a high priority on your list, these are some of the events to look out for and plan to attend in the next few months.
Upcoming Events: 5-7 June, London, UK
Coming into its 23rd year, Infosecurity Europe continues to be the main hub for cyber security professionals to gather and meet in the city once a year, featuring a comprehensive conference program with a large host of exhibitors. With nearly 20,000 expected visitors, it is a huge networking opportunity for most, so don’t forget to register here.
With only 4 weeks to go, contact me to schedule a date and time in your diary now to meet with one of the DFLabs team. If you don’t like the hustle and bustle of the expo floor, not a problem, we would be happy to meet in a quieter setting outside of the conference hall.
Upcoming Events: 26-28 June, Marina Bay Sands, Singapore
ConnectTechAsia consists of three events encompassing CommunicAsia, BroadcastAsia and its latest addition NXTAsia. Covering the entire spectrum of communication, broadcast, and enterprise technology and services it is where technology ideas and business converge.
Meet DFLabs at NXTAsia where you can visit us on stand #5H2-08 to learn more about how to leverage your existing security operations tools with Security Orchestration, Automation and Response (SOAR) technology. Also listen to our VP of Engineering, Andrea Fumagalli, to hear more about the benefits of utilizing a SOAR solution in the NXTAsia Theatre on 28th June at 15:15. Save the date, register now and ensure you reach out to us to arrange to meet up.
The SANS Institute is one of the most trusted and largest sources for information security training and security certification in the world, with over 165,000 members. Established in 1989 as a cooperative research and education organization, it is now home to the largest collection of research documents about various aspects of information security. Hosting a number of summits, it educates delegates on a vast number of topics including Security Awareness, Cyber Threat Intelligence, and Security Operations to name a few.
DFLabs will be sponsoring the Security Operations Summit at the end of July, where you will be able to meet with us, as well as listen to our Lunch and Learn session hosted on Day 1. John Moran, Senior Product Manager from DFLabs will also be speaking at the Threat Hunting and Incident Response Summit in September on the topic “Threat Hunting Using Live Box Forensics”, so save the dates in your diaries. More information and event details are available here.
Upcoming Events: 4-9 August – Las Vegas, US & 3-6 December – London, UK
Black Hat is one of the most technical global information security events in the world, running for over 20 years. It provides attendees with the very latest research, developments, and trends driven by the needs of the security community in the form of briefings and trainings. You can meet some of the friendliest hackers here!
DFLabs has a booth at both events and will be networking on the floor throughout. Visit us in Vegas at booth #2329 within the Innovation City, or in London later in the year at booth #1010. Learn more and arrange to meet us, whichever side of the pond you are on.
There will be many other upcoming opportunities to meet up with us throughout the year, but if you are attending one of these events this summer and would like to organize something ahead of time, please do get in touch to arrange a suitable time and a place. We look forward to meeting you. Or alternatively why wait? Arrange for an informal chat and a demo today.
With a vast range of security technologies, tools and platforms now widely available in the market for security teams, it is ever more complex to decide which tools are best to deploy to suitably defend the organization’s infrastructure.
Within security structures of larger organizations, it is common to have a security information and event management (SIEM) tool in place, alongside or sitting on top of several other systems, but how can it benefit from implementing a Security Orchestration, Automation and Response (SOAR) solution on top of its existing SIEM infrastructure to further manage its security operations and incident response processes and tasks? Let’s find out.
In simple terms, a SIEM collates and analyses the information generated from various sources, identifies issues and raises the initial security alerts. Alert triage is then often carried out by security analysts in a very manual and unmethodical way; because of the sheer volume of alerts and the number of repetitive, mundane actions required, it is prone to mistakes and errors, and analysts are often unable to complete all of them. One of the original core drivers for SIEM technology was to ingest and process large volumes of security events; a function which SIEMs continue to excel at today. However, although some advanced SIEMs have incorporated additional features, such as integration with threat intelligence and other third-party solutions, many SIEMs are still largely focused on data ingestion and presentation.
Another fundamental limitation of many SIEM solutions is that the communication between the SIEM and other third-party products is unidirectional. SIEMs were designed to ingest information, however, support for two-way communication with third-party tools is often limited at best. In most cases, this severely limits a SIEM’s ability to carry out actions beyond the initial alert; this is where a SOAR solution can add significant additional value.
A SOAR solution, on the other hand, is often used in conjunction with a SIEM; however, it is not dependent on having a SIEM in place. A SOAR solution is not intended to be a SIEM replacement. Instead, when used in conjunction with a SIEM, it helps security teams automate and orchestrate actions across their entire portfolio of security products in a bidirectional manner, reducing analyst workload, alert fatigue, time to respond and remediate, and overall risk.
Sitting on top of the SIEM, the SOAR solution would orchestrate and automate multiple third-party tools from different vendors, whereas the SIEM would be used to collate and analyze data and generate the alert, which is just the first step of a multistep process. SOAR technology would then be leveraged once the initial security threat had been detected and the security alert generated by the SIEM.
The amount of security events that cybersecurity professionals deal with on a day to day basis can be overwhelming and analysts often have to delve through a deluge of data to find what they are looking for, ultimately preventing them from tackling incidents more efficiently. SIEM tools collect large amounts of information from different areas of the IT framework, but too much information sometimes is just as crippling as not enough information.
A SIEM used in isolation helps to centralize information gathered from the various other security tools in use, but it can often lead to an overwhelming amount of information that then needs to be filtered and correlated to eliminate the false positives and leave only the critical events that need to be acted upon. It can produce a vast quantity of security alerts, leaving security analysts inundated and not knowing which alerts should take priority and be tackled first. This will have a negative impact on the security team, which is already considered a scarce resource.
Most security teams do not realize the sheer number of alerts that will be received and the resulting alert fatigue until they have deployed a SIEM and a full advanced threat detection architecture. There is a common misconception that a SIEM will reduce the number of incoming alerts by applying correlation rules. However, this is not always the case and correlation rules may only reduce a small percentage of the total number of alerts. Most enterprises will see a clear business need for implementing a SOAR solution to help reduce alert fatigue, orchestrate the organization’s different security tools and automate menial tasks.
Integrating a SIEM with a SOAR solution combines the power of each to create a more robust, efficient and responsive security program. Taking advantage of the SIEM’s ability to ingest large volumes of data and generate alerts, the SOAR solution can be layered on top of the SIEM to manage the incident response process to each alert, automating and orchestrating a number of mundane and repetitive tasks that would take many manual man hours to complete.
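The first thing a SOAR layer does with the SIEM's alert stream, as an added example that is not code from the original post or from IncMan: it reads the raw alerts, groups those that share a detection rule and source within a time window into one case, and measures how much the volume shrank. The alert lines, their key=value format, the rule names and all addresses are constructed for this example. Note how the ten alerts collapse to six cases rather than one or two, which is the partial reduction the paragraph above warns about: correlation removes repetition, not the work of deciding what each case means.

```python
"""Correlating raw SIEM alerts into cases before they reach an analyst.

Added example (not DFLabs or IncMan code). A SIEM raises one alert per
matching event; a SOAR layer sitting on top groups alerts that share a
rule and source within a time window into a single case and records how
much the volume shrank. Alert lines and their format are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed SIEM output: one alert per line, key=value pairs
RAW_ALERTS = """\
ts=2018-06-20T09:00:05 rule=BRUTE_FORCE src=203.0.113.7 dst=10.0.0.12 sev=medium
ts=2018-06-20T09:00:41 rule=BRUTE_FORCE src=203.0.113.7 dst=10.0.0.12 sev=medium
ts=2018-06-20T09:01:12 rule=BRUTE_FORCE src=203.0.113.7 dst=10.0.0.15 sev=medium
ts=2018-06-20T09:03:09 rule=MALWARE_CALLBACK src=10.0.0.44 dst=198.51.100.9 sev=high
ts=2018-06-20T09:04:50 rule=PORT_SCAN src=192.0.2.200 dst=10.0.0.1 sev=low
ts=2018-06-20T09:05:02 rule=PORT_SCAN src=192.0.2.200 dst=10.0.0.2 sev=low
ts=2018-06-20T09:05:15 rule=PORT_SCAN src=192.0.2.200 dst=10.0.0.3 sev=low
ts=2018-06-20T09:30:00 rule=BRUTE_FORCE src=203.0.113.7 dst=10.0.0.12 sev=medium
ts=2018-06-20T09:31:44 rule=MALWARE_CALLBACK src=10.0.0.44 dst=198.51.100.9 sev=high
ts=2018-06-20T09:40:10 rule=DLP_UPLOAD src=10.0.0.44 dst=198.51.100.9 sev=high
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    ts: datetime
    rule: str
    src: str
    dst: str
    sev: str


@dataclass
class Case:
    rule: str
    src: str
    first_seen: datetime
    last_seen: datetime
    alerts: list
    sev: str

    @property
    def targets(self):
        return sorted({a.dst for a in self.alerts})


def parse_alerts(text):
    """Parse key=value alert lines into Alert objects, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        alerts.append(Alert(datetime.fromisoformat(fields["ts"]), fields["rule"],
                            fields["src"], fields["dst"], fields["sev"]))
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts sharing (rule, src) that arrive within `window` of the
    case's most recent alert. A source that comes back after a quiet period
    opens a fresh case instead of being silently merged into the old one."""
    open_cases = {}
    cases = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        key = (alert.rule, alert.src)
        case = open_cases.get(key)
        if case is not None and alert.ts - case.last_seen <= window:
            case.alerts.append(alert)
            case.last_seen = alert.ts
            if SEVERITY_RANK[alert.sev] > SEVERITY_RANK[case.sev]:
                case.sev = alert.sev  # a case inherits its worst alert's severity
        else:
            case = Case(alert.rule, alert.src, alert.ts, alert.ts, [alert], alert.sev)
            open_cases[key] = case
            cases.append(case)
    return cases


def reduction_ratio(alerts, cases):
    """Fraction of alert volume removed by correlation (0.0 = no reduction)."""
    return 1 - len(cases) / len(alerts) if alerts else 0.0


def summarize(text=RAW_ALERTS):
    """(alert count, case count, reduction ratio) for an alert feed."""
    alerts = parse_alerts(text)
    cases = correlate(alerts)
    return len(alerts), len(cases), reduction_ratio(alerts, cases)


if __name__ == "__main__":
    for case in correlate(parse_alerts(RAW_ALERTS)):
        print(f"[{case.sev:6}] {case.rule} from {case.src}: {len(case.alerts)} alert(s), "
              f"targets {', '.join(case.targets)}, "
              f"{case.first_seen:%H:%M}-{case.last_seen:%H:%M}")
    n_alerts, n_cases, ratio = summarize()
    print(f"{n_alerts} alerts -> {n_cases} cases ({ratio:.0%} reduction)")
```

The cases, not the raw alerts, are what the runbooks in the following sections would operate on; the same internal host appearing in both the MALWARE_CALLBACK and DLP_UPLOAD cases is the kind of cross-case link an analyst or a further enrichment step would pick up next.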
SOAR solutions such as IncMan from DFLabs support SIEM integrations and present a comprehensive solution for all organizations that are trying to create a successful and affordable security program, by effectively reducing the noise generated by a high number of alerts and sometimes less than reliable threat intelligence. This can ultimately enable security teams to minimize incident resolution time, maximize analyst efficiency and overall increase handled incidents.
The combined power of a SOAR solution working alongside a SIEM is crucial to ensure that alerts do not go untouched or ignored. More importantly, it ensures all alerts are dealt with in a timely manner and are acted upon following a standard set of consistent and repeatable practices and procedures.
A SIEM is a crucial tool within any security infrastructure, amongst other tools. However, it is critical to keep in mind what a SIEM is designed to achieve, and what gaps may still exist within the security program. The combination of a SIEM and a SOAR solution can transform the security operations and incident response capability and take it from one level to the next, in an intelligent and predetermined manner, so why wait? To learn more about the topic, read our new whitepaper “How to Leverage Your Existing SIEM Tool with SOAR Technology”.
The increase in the number and complexity of cybersecurity threats and attacks in the last several years is continuing to heavily influence enterprise security decisions. As well as seeing the growing business need, the significant benefit that Security Orchestration, Automation and Response (SOAR) technology can offer security operations and incident response teams is now truly being realized.
The complexity of cyber attacks has increased the need for organizations to share threat intelligence information within different areas of the business, and today may even include external stakeholders such as law enforcement or government agencies, to enable them to detect, contain and mitigate the constant and diverse cyber attacks that are occurring. Choosing the right SOAR tool can bring significant added value to an organization’s security operations, not only in terms of full incident lifecycle automation, (including triage, notification, context enrichment, hunting and investigation, as well as threat containment), but it can also enable incidents to be detected, responded to and mitigated more efficiently than ever before, ultimately becoming a force multiplier, enabling security teams to do more, respond faster, all with less resources.
It is key for any security team to ensure the security tools, technologies and platforms they implement are best suited for their infrastructure, workflows, processes, and procedures. Every setup likely varies from organization to organization. So, what questions should you be asking yourself as a security manager or CISO when it comes to selecting the appropriate SOAR solution? It is important to perform research, evaluate the tools and request a proof of concept before you invest in any SOAR tool. Here, we will cover 5 fundamental areas that should be considered as part of the process.
Human Manual Actions or Machine Automated Actions?
Incident response teams are now in constant defense mode as the number of security alerts being generated is hitting an all-time high. In addition to the increasing and advancing threat challenges, many security teams now face a lack of skilled workforce that can efficiently react, investigate and collect the necessary threat intelligence to properly determine the impact of an attack, then contain and remediate it. It is no secret that there is a lack of skilled cybersecurity professionals in the industry, but this fact is also well known by attackers. A skilled analyst will know exactly what information is needed to assess a situation and quickly eliminate the attack by containing and remediating the threat. Humans, even when very skilled, do have limitations on how fast they can react and access, collect, analyze and correlate information to gather proper threat intelligence.
Therefore, it is important to assess your resources and answer key questions including: Are all your alerts being responded to, or are they falling by the wayside? Are analysts overworked and suffering from alert fatigue? Would it be more effective and efficient for them to be working on higher level prioritized tasks, as opposed to basic, mundane, repetitive ones that could potentially be automated? If the answer is yes to any of these questions, then some form of automation would make a significant impact on the operational performance of your security team.
When analyzing a SOAR solution, you should also consider one that enables both human actions and automated machine actions to work hand in hand simultaneously. Dual-action will enable you to automate the menial, repetitive tasks, but also ensure those tasks that need human intervention can also easily be actioned.
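What "dual-action" looks like in a runbook, as an added example that is not code from the original post or from IncMan: enrichment and indicator blocking run automatically, and host isolation also runs automatically unless the asset is tagged critical, in which case the step is parked for an analyst, who releases or rejects it. The intel scores, asset inventory, hostnames and addresses are constructed, and the block and isolate calls are stand-ins for the firewall and EDR integrations a real platform would call.

```python
"""Dual-action playbook: automated steps with a human approval gate.

Added example (not DFLabs or IncMan code). The playbook enriches an alert,
blocks a high-confidence malicious indicator, and isolates the affected
host automatically unless the host is a critical-tier asset, in which case
the isolation waits for an analyst decision. All data below is constructed;
the firewall and EDR calls are stand-ins for real integrations.
"""
from dataclasses import dataclass, field

# Constructed threat-intelligence lookup (score 0-100) and asset inventory
INTEL = {
    "198.51.100.9": {"score": 92, "tags": ["c2"]},
    "203.0.113.40": {"score": 12, "tags": []},
}
ASSETS = {
    "10.0.0.44": {"name": "ws-0044", "tier": "workstation"},
    "10.0.0.12": {"name": "db-01", "tier": "critical"},
}
BLOCK_SCORE = 80  # confidence needed before any automated containment


@dataclass
class Incident:
    host: str
    remote_ip: str
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)     # steps already carried out
    approvals: list = field(default_factory=list)   # (description, action) awaiting a human


def enrich(inc):
    """Automated: pull intel and asset context into the incident."""
    inc.context["intel"] = INTEL.get(inc.remote_ip, {"score": 0, "tags": []})
    inc.context["asset"] = ASSETS.get(inc.host, {"name": inc.host, "tier": "unknown"})
    inc.actions.append(f"enriched {inc.remote_ip}")


def block_indicator(inc):
    """Automated: block a remote IP once intel confidence is high enough."""
    if inc.context["intel"]["score"] >= BLOCK_SCORE:
        inc.actions.append(f"firewall: block {inc.remote_ip}")  # stand-in for a firewall API call


def isolate_host(inc):
    """Automated for ordinary assets; human-gated for critical-tier assets."""
    if inc.context["intel"]["score"] < BLOCK_SCORE:
        return
    asset = inc.context["asset"]

    def do_isolate():
        inc.actions.append(f"edr: isolate {asset['name']}")  # stand-in for an EDR API call

    if asset["tier"] == "critical":
        inc.approvals.append((f"isolate {asset['name']} (critical tier)", do_isolate))
    else:
        do_isolate()


PLAYBOOK = [enrich, block_indicator, isolate_host]


def run_playbook(inc, steps=PLAYBOOK):
    """Run every automated step in order; gated steps land in inc.approvals."""
    for step in steps:
        step(inc)
    return inc


def approve(inc, index, approved, analyst):
    """Human action: record the decision and release the gated step if approved."""
    description, action = inc.approvals.pop(index)
    verdict = "approved" if approved else "rejected"
    inc.actions.append(f"{verdict} by {analyst}: {description}")
    if approved:
        action()
    return inc


if __name__ == "__main__":
    ws = run_playbook(Incident("10.0.0.44", "198.51.100.9"))
    print("workstation:", ws.actions, "pending:", [d for d, _ in ws.approvals])
    db = run_playbook(Incident("10.0.0.12", "198.51.100.9"))
    print("critical server:", db.actions, "pending:", [d for d, _ in db.approvals])
    approve(db, 0, True, "analyst-1")
    print("after approval:", db.actions)
```

The point of keeping the decision record in `actions` is auditability: every automated and human step, and who took it, ends up in the same timeline, which is also what a breach report later has to reconstruct.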
Which Existing Software and Solution Integrations Does It Have?
The average security team uses somewhere between 10 to 15 key security tools from third-party security vendors, including tools such as security information and event management (SIEM), intrusion prevention system (IPS), endpoint detection and response (EDR), malware sandboxes and threat intelligence. A SOAR tool should easily integrate with these third-party technologies to provide bi-directional support for a number of different actions to expedite the incident response process. The selected SOAR tool should support not only cybersecurity standards and best practices, but also the APIs and interfaces of other tools where these would be beneficial. The tool should also support queries into databases to facilitate obtaining enrichment information. Widely used communication methods, such as syslog and email, should be supported as they allow the transmission of data from a large number of third-party tools.
It is crucial to evaluate the security tools currently in use and ensure they are capable of being integrated into the SOAR platform, which will ultimately be used to orchestrate and automate these security tools.
Does it Aid Regulatory Compliance?
SOAR vendors that endeavor to ensure their products and solutions follow industry best practices and standards, such as ISO, NIST, CERT, SOA, COBIT, OWASP, MITRE, OASIS, PCI, HIPAA, offer the best products, factoring these into the planning, architecture, design and build development stages.
Vendors which are able to think ahead of the curve and have the ability to cater for a range of industries and their respective compliance, regulations, and standards across worldwide locations offer the best solutions, as large enterprises need to meet their day to day business needs as well as their security needs. One example is the upcoming General Data Protection Regulation (GDPR), where breach notification is required within 72 hours. Your SOAR solution needs to be able to cater for this need and ensure it can provide a complete and user-friendly incident report as needed for varying levels of stakeholders.
When choosing a SOAR solution, it is important to make a list of all the regulations, standards and best practices that you need to meet and ensure the SOAR provider can address these requirements.
What is the True Cost of the Tool?
The price of a SOAR solution can be a significant consideration. Most SOAR products are charged per user, per license, per year, but you need to ensure there are no hidden extra costs, especially for complex products that may require professional services to deploy.
Questions that should be asked include:
– Is the deployment and general day to day use for analysts straightforward?
– Are professional services needed to configure and deploy the solution?
– How long does it take to implement and customize the solution?
– Is basic support included in the price?
– Is additional product support maintenance available?
– Does the vendor provide playbooks and runbooks that can be customized?
One factor that is often overlooked is the price to feature ratio. Remember to evaluate which features will actually be needed versus which would be nice to have or simply won’t be utilized. Select a vendor that can offer affordable tools with no hidden costs and are willing to offer a license and maintenance price that works well for your budget and requirements.
What Product Support
As mentioned above, product support often comes at a price, so it is important to establish what support is included in the base price. Being able to obtain a high level of service and support from the SOAR vendor is an important consideration from the perspective of the success of the rollout, assessing the overall cost and day to day maintenance. Some of the questions that should be asked here are:
– What does the basic support package include?
– What is the cost of extended support?
– When is support available?
– Does the vendor have a significant presence in the region of operation? For example, some SOAR vendors are primarily U.S. based, so if an organization is based in EMEA, Asia or Latin America, they may not provide the level of support required.
Support costs can significantly drive up the cost of deployment and should be assessed in the early stages of the procurement process, as it is important to establish how much can be achieved directly by the security analysts and engineers internally. Security team managers and CISOs ultimately have to measure the increase in performance of security operations and justify the return on investment received.
Overall, deciding whether or not to implement a SOAR solution should come down to the pure facts and figures from analyzing your current security operations performance against a number of KPIs and metrics and identifying the business need for it. Will it solve your common pain points and challenges, such as a lack of skilled resources or the increasing number of alerts? In most cases, the answer will be yes!
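The facts and figures above have to come from somewhere, so here is an added example (not code from the original posts or from DFLabs) that computes the two KPIs named earlier on this page, MTTD and MTTR, from an incident log, and alongside them checks the 72-hour breach notification window that the compliance section mentions. The incident records are constructed. One assumption is built in: the 72-hour clock is started at detection time, treating detection as the moment the organization became aware of the breach; if awareness is recorded separately, that field should drive the deadline instead.

```python
"""Security operations KPIs from incident records.

Added example (not DFLabs code). It computes mean time to detect (MTTD),
mean time to respond (MTTR) and, for incidents involving personal data,
whether the notification went out inside the 72-hour window. The clock
starts at detection, taken as the moment of becoming aware of the breach;
that mapping is an assumption of this example. All records are constructed.
"""
from datetime import datetime, timedelta
from statistics import mean

HOUR = timedelta(hours=1)
NOTIFICATION_WINDOW = timedelta(hours=72)

# Constructed incident log: ISO timestamps for the estimated compromise,
# detection, resolution and (personal-data incidents only) notification
INCIDENTS = [
    {"id": "INC-1", "occurred": "2018-06-01T08:00", "detected": "2018-06-01T20:00",
     "resolved": "2018-06-02T02:00", "personal_data": False, "notified": None},
    {"id": "INC-2", "occurred": "2018-06-03T10:00", "detected": "2018-06-05T10:00",
     "resolved": "2018-06-05T22:00", "personal_data": True, "notified": "2018-06-07T09:00"},
    {"id": "INC-3", "occurred": "2018-06-10T00:00", "detected": "2018-06-10T06:00",
     "resolved": "2018-06-11T06:00", "personal_data": True, "notified": "2018-06-14T12:00"},
]


def _t(value):
    """Parse an ISO timestamp, passing None through for missing fields."""
    return datetime.fromisoformat(value) if value else None


def hours_between(start, end):
    return (_t(end) - _t(start)) / HOUR


def mttd(incidents):
    """Mean hours from (estimated) compromise to detection."""
    return mean(hours_between(i["occurred"], i["detected"]) for i in incidents)


def mttr(incidents):
    """Mean hours from detection to resolution."""
    return mean(hours_between(i["detected"], i["resolved"]) for i in incidents)


def notification_deadline(detected):
    """Latest notification time for a personal-data breach detected at `detected`."""
    return _t(detected) + NOTIFICATION_WINDOW


def late_notifications(incidents):
    """IDs of personal-data incidents notified after the deadline or not at all."""
    late = []
    for inc in incidents:
        if not inc["personal_data"]:
            continue
        notified = _t(inc["notified"])
        if notified is None or notified > notification_deadline(inc["detected"]):
            late.append(inc["id"])
    return late


def kpi_report(incidents=INCIDENTS):
    """The numbers a security manager would put in front of the business."""
    return {
        "mttd_hours": mttd(incidents),
        "mttr_hours": mttr(incidents),
        "late_notifications": late_notifications(incidents),
    }


if __name__ == "__main__":
    report = kpi_report()
    print(f"MTTD: {report['mttd_hours']:.1f} h")
    print(f"MTTR: {report['mttr_hours']:.1f} h")
    print("Notified late:", ", ".join(report["late_notifications"]) or "none")
```

Run the same report before and after a SOAR rollout, over the same incident categories, and the difference in MTTR is the figure the return on investment case rests on; the late-notification list is the one that a regulator will ask about.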
Weighing up the SOAR solutions out there then becomes the harder challenge. It is worth reviewing Gartner’s approach to SOAR, as well as making a list of requirements that you know must be covered to effectively work within your current and future infrastructure, those that are nice to have and those that are not so important to you. Overall though, the solution needs to be easy to implement, scalable, cost-effective and something that will enhance the overall performance of the security operations, improving the efficiency and effectiveness of the way incidents are managed.
If you would like to see DFLabs’ SOAR solution in action, request a demo of our IncMan SOAR platform today and get your questions answered.
DFLabs is excited to announce two new technology partnerships with recognized industry leaders: Recorded Future and Tufin. Both Recorded Future and Tufin recently launched formal technology partnership programs and DFLabs is honored to be among the first technology partners to join. Each of these integrations adds significant value to the security programs of our joint customers, allowing them to more efficiently and effectively respond to computer security incidents and reduce risk across the organization.
DFLabs’ new integration with Recorded Future allows joint customers to automate the retrieval of contextualized threat intelligence from Recorded Future, orchestrating these data enrichment actions into the overall incident response workflow. This enriched information can be used within the R3 Rapid Response Runbooks of IncMan SOAR to inform further automated decisions or can be reviewed by analysts as part of the response process.
DFLabs’ integration with Recorded Future includes five enrichment actions: Domain, File, IP and URL reputation queries, as well as a threat intelligence search action. Each of these enrichment actions will return all relevant intelligence on the queried entity, as well as a direct link to the Recorded Future Info Card.
DFLabs’ new integration with Tufin allows joint customers to automate the retrieval of actionable network intelligence from Tufin’s rich sources of network data, providing further context surrounding the organization’s network, allowing for more informed automated and manual decisions. This network intelligence can be used within the R3 Rapid Response Runbooks of IncMan SOAR to make decisions based on numerous factors, such as network device information, simulated path information or network policy rules, or can also be reviewed by analysts as part of the response process.
DFLabs’ integration with Tufin includes five enrichment actions: Get Devices (get network device information based on the supplied parameters), Get Path and Get Path Image (simulate the path which would be taken based on source and destination IP and port information), Get Policies by Device (get network policies for the given device ID), Get Rule Count (get the number of rules which match the specified parameters), and Get Rules by Device (get network rules for the given device ID).
See the DFLabs IncMan SOAR Platform Integrations in Action
Each of these new partnerships extends DFLabs’ automation and orchestration capabilities into new product spaces with some of the best solutions in their respective classes.
If you are attending the RSA Conference at the Moscone Center in San Francisco and would like to see DFLabs’ new integration with Tufin in action, I will be at the Tufin booth (#929) in the South Expo Hall on Wednesday, April 18th from 3:00 to 4:00 PM PST to provide a live demo and answer any questions.
Otherwise, for more information regarding our new Recorded Future and Tufin partnerships, please contact us to schedule a demo to see IncMan SOAR Platform in action here.