Frequently Asked Questions
Security Operations Best Practices
What is a Security Operations Center (SOC)?
A Security Operations Center (SOC) is a team of security specialists responsible for monitoring and analyzing an organization's security threat landscape, while detecting, containing and responding to a growing number of cyber security alerts and incidents within their network. By using a combination of technology solutions and adhering to defined processes and procedures, they can quickly and correctly identify, report on and eliminate threats, minimizing the impact to the organization. SOCs are usually staffed with a range of security analysts, engineers and managers to ensure security issues are addressed efficiently and effectively upon discovery.
How can an organization take a proactive approach to enable effective incident response?
Security Orchestration, Automation and Response (SOAR) technology, such as the IncMan SOAR platform, provides capabilities including automation, orchestration and data enrichment, together with threat intelligence collected from several sources. These capabilities facilitate and support incident responders in assessing, investigating and hunting for threats, improving their overall efficiency and effectiveness. Reduced mean time to detection and containment, as well as reduced mean time to resolution, will inevitably help to improve your security operations and incident response processes and tasks.
What is the best way to validate security alerts and threats?
The IncMan SOAR platform cuts down threat investigation and validation times with data enrichment, combining several sources of information from various solutions and technologies. This helps separate real threats from potential false-positive alerts, which are often worked manually and drain limited resources. Automation eliminates some of the extra effort needed to carry out successful incident threat validation, minimizing resolution time, maximizing analyst efficiency and increasing the number of handled incidents.
Standard Operational Procedures
How do standard operational procedures help to improve incident response?
Standard operational processes and procedures provide the guidance, instruction and information needed to mitigate problems in the most appropriate and resourceful way, conforming to internal policies and to legal and regulatory requirements. Well thought out procedures and working instructions provide a method to communicate with the necessary stakeholders and apply consistent practices and standards within an organization, department or team. They can save time and eliminate mistakes, ensure the desired results, reduce training costs, support quality goals, and enable knowledge transfer and delegation of work.
Can the IncMan SOAR platform be deployed in any environment?
The IncMan Security Orchestration, Automation and Response platform can be deployed on a hardware platform or in a virtualized environment such as VMware. It supports high availability and load balancing, offers a multi-tenant architecture and provides a scalable platform that can work with both NAS and SAN storage.
What ISO standards does DFLabs support?
The CEO and management team of DFLabs are recognized for their industry experience in the information security field, including contributing to the creation of industry standards such as ISO27043 and ISO30121.
What is the best way to perform effective incident response event validation?
Available incident threat intelligence helps you to distinguish between real security alerts that lead to potential incidents and false positives. DFLabs' patent-pending Automated Responder Knowledge (DR ARK) module applies machine learning to historical responses to threats from incidents of a similar nature, and recommends relevant playbooks, runbooks and paths of action to manage and mitigate them, thereby expediting validation and incident response.
Is it possible to automatically trigger a chain of events to immediately respond to an alert or incident?
Yes. On detection of a new alert, DFLabs' R3 Rapid Response Runbooks fully automate the triage, investigation and containment of incidents using conditional and automated actions. These allow workflows to execute a variety of data enrichment, notification, containment and custom actions based on complex, stateful and logical decision making. As more alerts are responded to over time, our Automated Responder Knowledge (ARK) module applies machine learning to the historical responses to those threats.
Can I integrate the IncMan SOAR platform with separate management applications and solutions?
The IncMan SOAR platform allows you to fuse security intelligence together and enables you to aggregate, correlate and analyze data from hundreds of leading 3rd party security and threat intelligence sources. A classic example is a ticketing management system, which is typically used across all security operations teams. As a new security alert notification comes in, IncMan can trigger the creation of a new incident ticket as part of its process, alongside carrying out other automated and predefined containment and remediation actions and tasks. As well as reducing the manual and mundane work of a security analyst in setting up a ticket to start the incident process, it speeds up the chain of activities, sometimes eliminating the alert before a security analyst has even seen it.
How can I customize tools recommended by NIST to collect critical threat intelligence?
NIST and industry best practices recommend that syslog is configured, monitored and collected centrally to add to threat intelligence and to capture events that would otherwise go unnoticed.
What procedures should I follow when implementing a new feature or version of an application or tool?
It is recommended that you follow your organization's specific change management practices, one of which may be to open a change record that notifies all relevant stakeholders of the new change and also enables them to track the success of its implementation. It is important to always have a backup and a fall-back plan in case they are needed. Ensure that you provide operations with good documentation, including a contact list and instructions on what to do if problems or errors occur, so they know in advance which actions to carry out in order to correct the issue.
How do I select tools and integrations from 3rd party vendors that meet industry best practices, that will be beneficial to me?
First of all, do some research and consider the pros and cons of using the tool or application in your specific environment. At the same time you should validate that it offers good live online support, as well as good maintenance support, should you need to use it at any time. Ensure the tool adheres to industry best practices and to any regulatory or legal compliance requirements you need to meet. We would advise you to follow cybersecurity integration standards with 3rd party vendors, especially when it comes to integrations that enrich threat intelligence information. TAXII, MISP, REST API, JSON, XML, CSV, PCAP, SNMP, Email, Databases, SYSLOG, WHOIS, PYTHON, Perl, PDF, R3, PRISM, etc. facilitate integration with other third party tools and provide richer threat intelligence information for forensic investigation, analysis and reporting.
Automation and Orchestration
What are the benefits of using automation and orchestration?
Automation and orchestration allow automatic actions to be triggered, such as playbook and runbook events, that can be carried out faster by a machine than by a human being. Often these are repetitive, basic, time-consuming and mundane tasks. This enables a faster incident response time, reducing the overall time to containment or remediation of the threat.
Implementing automation and orchestration consequently allows security analysts to spend their valuable time working on more advanced, high-level threats that need some degree of human intervention, or even carrying out threat hunting initiatives before an alert has been triggered. By utilizing automation and orchestration, not only do processes become more standardized and efficient, but knowledge and documentation can be shared easily within the team or across teams in the organization, allowing companies to do more with fewer resources.
How is automation carried out within the IncMan SOAR platform?
DFLabs uses its R3 Rapid Response Runbooks, created in a visual editor, to support granular, stateful and conditional workflows as needed, and to automate and orchestrate incident response activities such as incident triage, stakeholder notification and data context enrichment.
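The automated chain of events described above (enrichment of a new alert, a ticket opened for the incident, and containment or notification chosen by conditional, stateful logic) can be illustrated with a small stand-alone runbook engine. This is an added example, not IncMan or R3 code; the threat-intelligence table, alert fields, action names and ticket format are all constructed for the illustration.

```python
# Illustrative SOAR-style runbook: enrich -> decide -> ticket/contain/notify.
# Added example, not IncMan's API; all names and sample data are constructed.
from dataclasses import dataclass, field

# Constructed threat-intelligence lookup standing in for an enrichment connector.
THREAT_INTEL = {
    "203.0.113.7": {"malicious": True, "tags": ["c2"]},
    "198.51.100.20": {"malicious": False, "tags": []},
}

@dataclass
class Alert:
    id: str
    src_ip: str
    severity: str  # "low" | "medium" | "high"

@dataclass
class RunbookState:
    """Stateful context carried between runbook steps."""
    alert: Alert
    enrichment: dict = field(default_factory=dict)
    ticket: str = ""
    actions: list = field(default_factory=list)  # audit trail of executed actions

def enrich(state):
    # Unknown indicators are recorded as such rather than assumed benign.
    state.enrichment = THREAT_INTEL.get(
        state.alert.src_ip, {"malicious": False, "tags": ["unknown"]})
    state.actions.append("enrich")
    return state

def open_ticket(state):
    state.ticket = f"INC-{state.alert.id}"  # constructed ticket id format
    state.actions.append("ticket")
    return state

def run_runbook(alert):
    state = enrich(RunbookState(alert))
    if state.enrichment["malicious"]:
        # Confirmed bad indicator: ticket, automatic containment, on-call notified.
        state = open_ticket(state)
        state.actions.append(f"block:{alert.src_ip}")
        state.actions.append("notify:soc-oncall")
    elif alert.severity == "high":
        # Unknown indicator but high severity: escalate to an analyst, no auto-block.
        state = open_ticket(state)
        state.actions.append("notify:tier2")
    else:
        # Known-benign or low-severity unknown: closed without analyst time.
        state.actions.append("close:false_positive")
    return state
```

Each branch leaves a full action trail in the state, which is what lets mean time to containment and the share of alerts closed without analyst involvement be measured afterwards.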
How can I benefit from IncMan's orchestration capabilities?
Orchestration with the IncMan SOAR platform brings the benefit of advanced security intelligence, with aggregation and correlation of information from hundreds of leading 3rd party security and threat intelligence sources using over 35 certified bidirectional connectors. It can control incident response by applying linear or conditional playbooks that support complex, stateful and conditional logical decision making, combining manual and automatic actions. With automated knowledge sharing through DFLabs' ARK module, expertise for managing incidents can be maintained and transferred across stakeholders collaboratively and securely, enabling security managers and CISOs to manage and measure operational performance and risk.