Achieve Full Visibility and Accelerated Response with DFLabs and RSA NetWitness


To effectively secure and defend modern networked environments, an organization must not only be able to observe activity across its entire operation, but must also be able to direct its network and security products to act on its behalf.

DFLabs’ integration with RSA NetWitness gives organizations the tools to achieve both full visibility and accelerated response against advanced attacks. NetWitness contributes advanced analytics and the ability to collect data across multiple capture points; DFLabs contributes the automation and product orchestration capabilities of its IncMan SOAR platform. Together, the integration adds a layer of protection against the threats organizations face.

The Problem

Today’s networked environments are more complex than ever before. Between on-premises, public cloud, and hybrid deployments, it is no wonder organizations find it harder to obtain complete visibility into their environments.

This level of visibility is paramount, as attackers have evolved their tactics, techniques, and procedures (TTPs) to traverse these modern environments faster than organizations can contain their activity. To close this gap, organizations are also deploying numerous vendor products in an attempt to keep pace with the attackers looking to cause harm.

The need to operate numerous products to obtain the protection today’s attacks require presents organizations with another level of complexity. One of the most common struggles is the inability to manage and correlate all of the valuable data across their operations. Each product that provides a layer of protection must be managed individually and cannot always work in concert with the other layers. This makes identifying and containing incidents even harder, because manual intervention between products cannot be avoided.

Today, organizations and their security experts need to find better ways to solve the following issues within their Security Operations Centers (SOCs).

  • How can Security Operations Centers gain greater visibility into their complex networked environments?

  • How can Security Operations Centers combat attackers’ evolving tactics, techniques and procedures (TTPs)?

  • How can multiple security products be used in conjunction with each other to provide advanced detection and remediation capabilities to an organization?

DFLabs and RSA NetWitness Solution

DFLabs’ integration with RSA NetWitness brings state-of-the-art detection capabilities and the complete visibility organizations need to battle the sophisticated attack techniques that target their operations. Combined with IncMan SOAR’s ability to translate those findings into automated actions, the partnership between DFLabs and RSA acts as a force multiplier for organizations that struggle to find adequate staffing and security protections.

About RSA NetWitness

The RSA NetWitness Platform provides pervasive visibility across a modern IT infrastructure, enabling better and faster detection of security incidents. RSA NetWitness Platform takes security “beyond SIEM,” extending the traditional log-centric, compliance-focused approach to security to include state-of-the-art threat analytics, including user and entity behaviour analytics (UEBA), and visibility into cloud, network and endpoints.

RSA NetWitness Platform solves complex security problems with powerful analytic capabilities. Its modular architecture handles massive amounts of raw data, enriching it with security context at time of capture. It then applies a set of sophisticated analysis tools, including machine learning, UEBA and public as well as RSA community threat intelligence. This process correlates disparate events and alerts into discrete investigations, automatically scoring each according to the likelihood that they represent an attack or exploit.

Use Case

Let’s review a simple but effective use case in action.

A Web Application Firewall (WAF) alert is generated for traffic to a potentially compromised website. DFLabs’ IncMan SOAR platform receives the alert and begins automated evidence gathering by querying NetWitness for evidence of this website being visited by anyone else in the organization. If NetWitness returns a hit for any additional browsing activity, IncMan issues a second query to gather the raw logs for all matching activity. While these logs are being gathered, a new ticket is created in the ticketing system and the incident is upgraded to critical.

Simultaneously, the reputations of the destination IP address and the requested URL are checked, the end user’s information is looked up through directory services, and a NetWitness query is issued to gather any additional activity observed from the affected user account. Once this information is gathered, IncMan evaluates the last two conditional statements. The first looks for a risk score above 50 in any of the IP address report, the URL report, or the detonated URL report. If a risk score greater than 50 is reported, IncMan issues a containment request to the next-generation firewall to block both the IP address and the URL from further communication.

The second conditional statement looks for additional suspicious activity from the user account. If the user account has been involved in any additional activity, IncMan invokes another runbook that resets the user’s password, issues a new randomly generated one, and tags the user’s machine for further review. Once the password has been reset and the machine is tagged, IncMan emails the affected user and the security team, alerting them to the activity and the remediation plan.
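The runbook above is a branching decision flow, so its logic is easier to audit when written out. The following is an added example, not DFLabs or RSA code: it models the same steps in plain Python, with the NetWitness, threat-intelligence, directory and firewall connectors replaced by in-memory stand-ins fed with constructed sample data (RFC 5737 test addresses and made-up scores). The runbook returns the ordered list of actions it would dispatch, which is the part worth testing when a playbook is changed. Treating a ticket as created only when another user also visited the site is a modelling choice taken from the narrative, not a documented IncMan setting.

```python
import secrets
from dataclasses import dataclass

# Threshold named in the article: contain when any reputation score exceeds 50.
RISK_THRESHOLD = 50

# Constructed NetWitness sessions standing in for the query connector (not real telemetry).
SESSIONS = [
    {"user": "jdoe",   "dst_ip": "203.0.113.10", "url": "http://bad.example/login",
     "raw": "2024-01-01T10:00:00Z jdoe GET http://bad.example/login 200"},
    {"user": "asmith", "dst_ip": "203.0.113.10", "url": "http://bad.example/login",
     "raw": "2024-01-01T10:02:00Z asmith GET http://bad.example/login 200"},
    {"user": "jdoe",   "dst_ip": "198.51.100.7", "url": "http://drop.example/p.exe",
     "raw": "2024-01-01T10:05:00Z jdoe GET http://drop.example/p.exe 200"},
    {"user": "bwong",  "dst_ip": "192.0.2.44",   "url": "http://news.example/",
     "raw": "2024-01-01T10:06:00Z bwong GET http://news.example/ 200"},
]

# Constructed reputation (0-100) and sandbox detonation scores replacing the
# threat-intel connectors, and a constructed directory lookup table.
IP_REPUTATION = {"203.0.113.10": 72, "192.0.2.44": 5}
URL_REPUTATION = {"http://bad.example/login": 40, "http://news.example/": 3}
DETONATION = {"http://bad.example/login": 65}
DIRECTORY = {"jdoe": "Finance", "asmith": "Sales", "bwong": "IT"}


@dataclass(frozen=True)
class WafAlert:
    """Fields the runbook needs from the incoming WAF alert (assumed shape)."""
    user: str
    dst_ip: str
    url: str


def sessions_for_url(url):
    """NetWitness stand-in: every session in the organization that reached this URL."""
    return [s for s in SESSIONS if s["url"] == url]


def sessions_for_user(user, exclude_url):
    """NetWitness stand-in: other activity from the same account, excluding the alerting URL."""
    return [s for s in SESSIONS if s["user"] == user and s["url"] != exclude_url]


def risk_scores(alert):
    """Reputation of the IP, reputation of the URL, and the detonation report score."""
    return {
        "ip": IP_REPUTATION.get(alert.dst_ip, 0),
        "url": URL_REPUTATION.get(alert.url, 0),
        "detonation": DETONATION.get(alert.url, 0),
    }


def generate_password():
    """Random replacement credential; 16 random bytes give a 22-character token."""
    return secrets.token_urlsafe(16)


def run_runbook(alert):
    """Return the ordered actions the runbook would dispatch for this alert."""
    actions = []

    # Step 1: did anyone else in the organization visit the site?
    hits = sessions_for_url(alert.url)
    if any(s["user"] != alert.user for s in hits):
        raw_logs = [s["raw"] for s in hits]           # second NetWitness query
        actions.append(f"gather_raw_logs:{len(raw_logs)}")
        actions.append("ticket:create")
        actions.append("incident:critical")

    # Step 2: enrichment runs regardless of step 1.
    scores = risk_scores(alert)
    department = DIRECTORY.get(alert.user, "unknown")
    actions.append(f"directory_lookup:{alert.user}={department}")

    # Conditional 1: any of the three reports above the threshold -> block at the NGFW.
    if max(scores.values()) > RISK_THRESHOLD:
        actions.append(f"ngfw_block_ip:{alert.dst_ip}")
        actions.append(f"ngfw_block_url:{alert.url}")

    # Conditional 2: further activity from the account -> credential reset and review.
    if sessions_for_user(alert.user, alert.url):
        new_password = generate_password()         # handed to the directory, never logged
        assert len(new_password) >= 22
        actions.append(f"reset_password:{alert.user}")
        actions.append(f"tag_host_for_review:{alert.user}")
        actions.append(f"email:{alert.user}")
        actions.append("email:security-team")

    return actions


if __name__ == "__main__":
    for action in run_runbook(WafAlert("jdoe", "203.0.113.10", "http://bad.example/login")):
        print(action)
```

Running the block with the constructed data walks every branch for the jdoe alert (another user hit the site, the IP report scores 72, and jdoe also fetched a second URL), while an alert for bwong’s visit to the low-scoring news site produces only the directory lookup. Keeping the decision logic in a function that returns actions rather than calling the connectors directly is what makes a playbook change reviewable before it is allowed to block traffic or reset credentials.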


Having the right tools and technologies in place, working together seamlessly to achieve full visibility and accelerated detection and response, is paramount against today’s sophisticated attacks. Together, DFLabs and RSA NetWitness automatically gather, correlate and act upon findings. By using RSA NetWitness’ advanced analytics and automating and orchestrating the relevant response actions with IncMan SOAR, the dwell time of an incident is dramatically reduced, with remediation actions taking place within seconds.

If you would like to see more complex examples of RSA NetWitness and DFLabs in action, request your personalized demo of our IncMan SOAR platform today.
