Sophisticated attack techniques must be met with sophisticated solutions. For organizations to beat their attackers at their own game, they must be able to bring the fight to them at every layer of the attack surface. With traditional manual intervention no longer an effective means of response, security teams must look beyond their internal boundaries for assistance.
In this blog post we will take a look at how a number of common problems can be addressed with the seamless integration between DFLabs’ innovative Security Orchestration, Automation and Response (SOAR) solution, IncMan SOAR, and Fortinet’s security suite, as well as go on to demonstrate this with a simple use case.
Phishing attacks continue to be one of the most successful intrusion tactics used against organizations today. The techniques used in these attacks make them difficult to detect and respond to in a wide variety of ways.
Manual detection and response efforts are no longer an effective tactic for security professionals to use to protect their organizations. Even if staffing concerns were not plaguing security operations centers around the world, there would still not be enough manpower to combat the level of threat this attack vector presents. Without a multi-layered defence strategy, organizations will eventually find themselves falling victim to these sophisticated modern-day attacks.
Typical questions and concerns that security operations are facing today include, but are not limited to:
How can my organization gain the upper hand in its fight against sophisticated phishing attacks?
How can our security professionals augment their manual detection and response efforts?
How can we establish a multi-layered defence strategy to protect our business assets against sophisticated threats?
The DFLabs and Fortinet solution gives organizations the upper hand against their adversaries by providing advanced detection mechanisms at every layer of their security defences through Fortinet’s cutting-edge security suite.
Coupled with the immediate response assistance of DFLabs’ IncMan SOAR platform, security teams can successfully augment their manual detection and response procedures through the pure power of automation. This automation power, paired with rapid detection capabilities, provides the multi-layered defence strategy organizations need to keep their businesses and assets safe from today’s sophisticated threats.
Fortinet delivers high-performance, integrated security solutions for global enterprise, mid-size, and small businesses. The Fortinet Security Fabric delivers a unified approach that is broad, integrated, and automated. It reduces and manages the attack surface through integrated broad visibility, stops advanced threats through integrated AI-driven breach prevention, and reduces complexity through automated operations and orchestration.
Here is a little more about each specific solution and what it does.
FortiAnalyzer provides deep insights into advanced threats through single-pane orchestration, automation and response for an organization’s entire attack surface to reduce risks and improve their overall security. Integrated with Fortinet’s Security Fabric, FortiAnalyzer simplifies the complexity of analyzing and monitoring new and emerging technologies that have expanded the attack surface, and delivers end-to-end visibility, helping identify and eliminate threats.
FortiGate Next-Generation Firewalls deliver next-generation firewall capabilities to organizations of every size. They protect against cyber threats with security-processor-powered high performance, security efficacy and deep visibility.
FortiMail is a top-rated secure email gateway that stops volume-based and targeted cyber threats to help secure the dynamic enterprise attack surface, prevent the loss of sensitive data and help maintain compliance with regulations. High performance physical and virtual appliances deploy on-site or in the public cloud to serve any size organization — from small businesses to carriers, service providers, and large enterprises.
FortiSIEM was developed as an architecture that enables unified data collection and analytics from diverse information sources including logs, performance metrics, SNMP traps, security alerts and configuration changes. FortiSIEM essentially takes the analytics traditionally monitored in separate silos, the SOC and the NOC, and brings that data together for a more holistic view of the security and availability of the business. Every piece of information is converted into an event which is first parsed and then fed into an event-based analytics engine for monitoring real-time searches, rules, dashboards and ad-hoc queries.
FortiWeb is a web application firewall (WAF) that protects hosted web applications from attacks that target known and unknown exploits. Using AI-enhanced multi-layer and correlated detection methods, FortiWeb defends applications from known vulnerabilities and from zero-day threats.
Now let’s look at a use case in action, utilizing a number of these Fortinet tools within IncMan SOAR.
An alert is received indicating that a user may have clicked on a malicious link from an email. Once received, IncMan SOAR automatically executes the suspicious email activity runbook which begins to gather email domain information from FortiMail and reputation data from two separate reputation services for evaluation.
The reputation information is then fed into a conditional action which checks whether the observed domain has a reported reputation score of 50 or greater from either service. If neither service reports a malicious reputation score, IncMan’s R3 Rapid Response Runbook will exit without any further action taken. However, if the reputation score is found to be malicious from one or both of the reputation services, the suspicious email activity runbook will proceed to take containment actions and gather more evidence to determine if the incident needs to be escalated to a high priority incident.
The R3 Rapid Response Runbook issues a command to the FortiGate NGFW to create a new blocked address group and to create an inline protection policy in the FortiWeb console. Simultaneously, queries are sent to FortiAnalyzer to gather additional events involving the affected host and for current network traffic originating from the host, and to FortiSIEM to gather any additional hosts which may have communicated with the malicious domain within the last 30 days. Once data is pulled from both FortiAnalyzer and FortiSIEM, the results are evaluated against another conditional action to see if any additional events were observed.
If FortiAnalyzer has observed additional suspicious activity originating from the affected host, the additional event IDs are added to IncMan as incident artifacts and a new incident is created in FortiAnalyzer for the responsible team to review. If there were no additional events, a ticket is opened in the organization’s ticketing system to have the affected host’s network traffic reviewed and the host’s behaviour monitored.
If additional activity from FortiSIEM has been observed for additional hosts and the malicious domain, the additional hosts are added to IncMan as incident artifacts, the incident is upgraded to high priority, and a new ticket is created in the organization’s ticketing system for additional follow-up from the responsible team.
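To make the branching in the use case above concrete, here is an added Python model of the runbook's decision logic. It is example code written for this post, not IncMan SOAR, R3 runbook or Fortinet code, and every function name, field name and sample record in it is a constructed assumption. The Fortinet actions are represented as strings in an action list rather than as API calls, so the logic can be run and checked offline; the threshold (50 from either service) and the 30-day SIEM lookback come from the text above.

```python
"""Model of the suspicious-email runbook flow described in the post.

Constructed example: not IncMan SOAR or Fortinet code. Function names,
record fields and sample data are assumptions made for illustration.
"""
from dataclasses import dataclass, field

REPUTATION_THRESHOLD = 50  # score of 50 or greater from either service is malicious
LOOKBACK_DAYS = 30         # FortiSIEM lookback window for additional hosts


@dataclass
class RunbookResult:
    malicious: bool
    actions: list = field(default_factory=list)    # containment / ticketing steps taken
    artifacts: list = field(default_factory=list)  # items attached to the incident
    priority: str = "normal"


def reputation_is_malicious(scores):
    """First conditional action: any service at or above threshold wins.

    A missing score (None) from a service is treated as no verdict rather
    than as benign, so one failed lookup cannot mask a malicious result.
    """
    return any(s is not None and s >= REPUTATION_THRESHOLD for s in scores.values())


def run_suspicious_email_runbook(domain, host, scores, analyzer_events, siem_connections):
    """Evaluate the reputation gate, then containment, evidence gathering and escalation."""
    result = RunbookResult(malicious=False)
    if not reputation_is_malicious(scores):
        result.actions.append("exit: reputation below threshold")
        return result
    result.malicious = True

    # Containment: block the domain on the NGFW and protect the web tier (assumed action names).
    result.actions.append(f"fortigate: add {domain} to blocked address group")
    result.actions.append(f"fortiweb: create inline protection policy for {domain}")

    # FortiAnalyzer branch: further events from the affected host become artifacts
    # and an analyzer incident; otherwise a review ticket is opened.
    host_events = [e for e in analyzer_events if e["src"] == host]
    if host_events:
        result.artifacts.extend(f"fortianalyzer-event:{e['id']}" for e in host_events)
        result.actions.append("fortianalyzer: create incident for review")
    else:
        result.actions.append(f"ticketing: review network traffic and monitor {host}")

    # FortiSIEM branch: other hosts that talked to the domain in the lookback window
    # are attached as artifacts, the incident is upgraded and a follow-up ticket raised.
    other_hosts = sorted({
        c["host"] for c in siem_connections
        if c["domain"] == domain and c["host"] != host and c["days_ago"] <= LOOKBACK_DAYS
    })
    if other_hosts:
        result.artifacts.extend(f"host:{h}" for h in other_hosts)
        result.priority = "high"
        result.actions.append("ticketing: follow up on additional hosts")
    return result


# Constructed sample data standing in for the FortiMail/reputation, FortiAnalyzer
# and FortiSIEM query results.
SCORES_BENIGN = {"service_a": 12, "service_b": 30}
SCORES_MALICIOUS = {"service_a": 12, "service_b": 87}
ANALYZER_EVENTS = [
    {"id": "ev-1001", "src": "10.0.5.23"},
    {"id": "ev-1002", "src": "10.0.5.23"},
    {"id": "ev-1003", "src": "10.0.7.9"},
]
SIEM_CONNECTIONS = [
    {"host": "10.0.5.23", "domain": "bad.example", "days_ago": 0},
    {"host": "10.0.9.4", "domain": "bad.example", "days_ago": 12},
    {"host": "10.0.9.8", "domain": "bad.example", "days_ago": 45},   # outside window
    {"host": "10.0.9.4", "domain": "other.example", "days_ago": 2},  # different domain
]

if __name__ == "__main__":
    r = run_suspicious_email_runbook("bad.example", "10.0.5.23", SCORES_MALICIOUS,
                                     ANALYZER_EVENTS, SIEM_CONNECTIONS)
    print("priority:", r.priority)
    for a in r.actions:
        print("action:", a)
    for art in r.artifacts:
        print("artifact:", art)
```

Two details are worth noting when modelling a runbook this way: the reputation gate uses an OR across services, so a single high score is enough to continue, and the two evidence branches are evaluated independently, so a host with no further FortiAnalyzer events can still drive a high-priority escalation if FortiSIEM shows other hosts reaching the domain.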
Together, DFLabs and Fortinet provide advanced detection capabilities coupled with pure automation power to assist security teams in their constant battle to keep their organizations safe against sophisticated threats. It is now vital for organizations to have a multi-layered defence strategy to assist them in protecting their businesses and assets, and the support provided by this integration will level the playing field for security professionals and provide them with the tools necessary to combat their adversaries.
DFLabs / 26 Apr 2018