The goal of this use case is to demonstrate how IncMan’s integrations and R3 Rapid Response Runbooks quickly alert the security team about potential cyber threats. In this process, SOC operators are enabled to make a fast and well-informed decision regarding a possible threat via automation, or they can choose to manually handle the evaluation of the security alert and related courses of action.
The first step is receiving an alert about the industrial machine's status, which can arrive through multiple channels (email, syslog, or others). When an event exceeds a threshold or deviates from the normal working baseline, it is converted into an alert and sent to IncMan.
Then, IncMan starts a series of enrichment actions. For instance, it can begin by retrieving the latest events related to the industrial machine under analysis from Alleantia. Those logs are then stored inside the incident container created in IncMan. For each log, a subset of information is extracted, and the analysis process starts in order to determine whether any host systems, intentionally or not, sent commands to the industrial machine. The analysis output is the list of hosts that interacted with the industrial machine.
The host list is used to query Cisco Cyber Vision in order to extract more information about each host, such as:
Once IncMan has automatically collected this data, which takes only a few minutes, the SOC operator is brought in: IncMan generates a series of User Choices for a specific user, or group of users, asking what the next steps should be.
If the host can be considered “trusted,” IncMan assesses whether any escalation is needed or whether the incident can be closed as a false positive. In addition, the SOC operators are asked whether the industrial machine needs to be restarted or whether any commands should be sent to restore normal operations.
If the host is considered “not trusted,” an extra enrichment step can be executed, asking the SIEM relevant questions regarding the enrichment phase, such as:
After those enrichment actions, the user can decide either to isolate the host from the network using a Cisco technology such as Cisco ISE, or to leave this task as a manual intervention to be performed by an authorized operator.
If the host was recently added to the network, IncMan SOAR can update the SOC operators with the information collected from the moment the host joined the network.
Figure 1 – Industrial Security Runbook
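As an added illustration of the flow just described (not IncMan's, Alleantia's or Cisco Cyber Vision's own code), the following Python models the log-analysis, enrichment and User Choice steps on constructed machine event lines and a constructed asset inventory; the log format, the field names, the `trusted`/`first_seen` attributes and the seven-day "recently added" window are all assumptions.

```python
"""Simplified model of the runbook's triage logic (added example, not vendor code; all data constructed)."""
from datetime import datetime, timedelta
import re

# Constructed machine event lines in a hypothetical "<ts> src=<ip> op=<READ|WRITE> ..." format.
MACHINE_EVENTS = [
    "2020-06-10T08:00:01 src=10.1.5.20 op=READ reg=40001",
    "2020-06-10T08:00:05 src=10.1.5.20 op=WRITE reg=40010 val=0",
    "2020-06-10T08:01:12 src=10.1.9.77 op=WRITE reg=40010 val=1",
    "2020-06-10T08:01:30 src=10.1.5.21 op=READ reg=40001",
    "2020-06-10T08:02:02 src=10.1.7.3 op=WRITE reg=40012 val=7",
]
# Constructed asset inventory standing in for what a Cyber Vision lookup would return.
INVENTORY = {
    "10.1.5.20": {"role": "HMI", "trusted": True, "first_seen": "2020-01-15T00:00:00"},
    "10.1.9.77": {"role": "unknown", "trusted": False, "first_seen": "2020-06-09T22:40:00"},
}
NOW = datetime(2020, 6, 10, 9, 0, 0)  # constructed "current time" for the recency check
EVENT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\S+)")

def hosts_that_sent_commands(lines):
    """Log analysis step: keep only hosts that issued commands (WRITE), ignoring reads."""
    hosts = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m.group("op") == "WRITE":
            hosts.setdefault(m.group("src"), []).append(m.group("ts"))
    return hosts

def assess_host(ip, inventory, now, recent_window=timedelta(days=7)):
    """Enrichment and User Choice step: classify the host and propose the operator prompt."""
    info = inventory.get(ip)
    if info is None:  # host unknown to the inventory: treat as untrusted and newly seen
        return {"host": ip, "verdict": "not trusted", "recently_added": True,
                "next_step": "query SIEM; ask operator: isolate host or handle manually"}
    recently_added = now - datetime.fromisoformat(info["first_seen"]) <= recent_window
    if info["trusted"]:
        next_step = "ask operator: close as false positive or restart machine"
    else:
        next_step = "query SIEM; ask operator: isolate host or handle manually"
    return {"host": ip, "verdict": "trusted" if info["trusted"] else "not trusted",
            "recently_added": recently_added, "next_step": next_step}

def triage(lines, inventory, now=NOW):
    """Run the whole flow over a log batch; one assessment per commanding host."""
    return [assess_host(ip, inventory, now) for ip in sorted(hosts_that_sent_commands(lines))]

if __name__ == "__main__":
    for result in triage(MACHINE_EVENTS, INVENTORY):
        print(result)
```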
Depending on the information received in the alert, SOC operators can determine whether the alert can be dismissed as a false positive or whether it poses an actual threat to the system. If so, the SOC operators can decide whether they want to pursue the remediation phase manually and choose the course of action themselves, or whether they want to apply automation to the task at hand.
Either way, IncMan SOAR's enrichment phase uses the information extracted by the Runbook's actions to build a valid assessment of the alert. This gives the SOC operators the information they need to carry out the rest of the remediation phase single-handedly, and if they deem that the alert does not require human interaction, they can apply automation to finalize the remainder of the remediation phase.
Thanks to IncMan’s prompt and thorough enrichment phase, SOC operators can make an accurate decision regarding an alert and carry out the remediation processes in the most effective manner.
Download our eBook "The Most Comprehensive eBook on SOAR Use Cases", and learn how to automate your security operations workflow, accelerate the efficiency of your SecOps team, and combat cyber threats with the power of SOAR technology.