Improve Remediation Process and Empower Security Professionals with DFLabs and Cybereason


Providing context into the entire attack lifecycle, coupled with the ability to take automated action to remediate an incident through utilizing DFLabs’ integration with Cybereason, gives organizations a leg up on a would-be attacker.

Through the use of Cybereason’s industry-leading Endpoint Detection and Response (EDR) platform, network defenders can quickly identify potential endpoint incidents and perform a complete root cause analysis to find the source of malicious activity. Armed with this context, automated actions can be taken instantly by DFLabs’ IncMan SOAR platform to contain a threat before it has a chance to spread laterally through an organization’s network.

The Problem

One of the biggest problems, besides qualified staffing and alert fatigue, that Security Operation Centers (SOCs) experience is a lack of context behind alerts being received. More and more organizations are subscribing to threat intelligence feeds and purchasing the latest product lines only to be overwhelmed with information without context or a clear path towards remediation.

This lack of context and remediation has led to dwell times measured in hundreds of days, which gives attackers more time to remain undetected and cause significant damage. Without context and immediate action to remediate the activity, an avoidable incident can escalate to a full-blown breach.

So, how can organizations and their SOCs answer these commonly asked questions about the problems they are experiencing?

  • How can my organization decrease dwell times numbering in hundreds of days?

  • How can our SOC gain greater visibility into an attack lifecycle?

  • How can we gain the context necessary to streamline threat detection and remediation?

DFLabs and Cybereason Solution

DFLabs’ integration with Cybereason enhances the identification and remediation of incidents by combining context-rich visibility into an attack with complete automation and orchestration capabilities that make use of all products within an organization’s security stack. This combination also allows security and IT teams to work in concert with each other: it provides the context necessary to convey an issue, regardless of the level of security knowledge, so that they can make joint decisions quickly and reduce the impact of an incident.

Finally, this integration also has the added benefit of allowing security teams to present this risk data to executive management in a clear and effective way.

About Cybereason

The Cybereason real-time attack detection and response platform brings military-grade defense to enterprises, providing automated detection, complete situational awareness and a deep understanding of attacker activities.

Cybereason automatically detects malicious activity and presents it in an intuitive way, provides end-to-end context of an attack campaign and deploys easily with minimal organizational impact. Organizations are able to deploy and can start detecting within 24-48 hours.

With continuous 24/7 monitoring, Cybereason provides complete situational awareness across an entire IT environment, allowing organizations to respond to incidents quickly and efficiently.

Use Case

Now let's run through a simple use case of the integration in action.

An alert is received from Cybereason’s Detection and Response Platform indicating that a suspicious executable (.exe) has been observed on several hosts in the Payroll Department. DFLabs’ IncMan SOAR platform receives the alert and begins to retrieve detonation information for the suspicious program.

Once this information has been collected, IncMan queries Cybereason for the item’s reputation score. Based on the findings of the detonation and reputation checks, IncMan will come to its first decision point. If the detonation verdict finds the program to be malicious, IncMan will automatically block the application across the network and begin querying the organization’s SIEM for all hosts that received the .exe file.

Upon identifying the affected machines, IncMan will update the current incident with these additional hosts and create an isolation rule in Cybereason to isolate them from the network. Once the hosts have been isolated, IncMan will create a new incident ticket in the organization’s ticketing system to alert the Operations Team of the potential incident and isolation of hosts.
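The playbook described above, sketched as an added example (not DFLabs or Cybereason code): the connector class, its method names and the sample data are hypothetical stand-ins. Leaving a non-malicious verdict for analyst review is an assumption, since the article does not describe that branch.

```python
from dataclasses import dataclass, field

@dataclass
class FakeStack:
    """Hypothetical in-memory stand-in for sandbox, EDR, SIEM and ticketing connectors."""
    verdicts: dict        # file hash -> detonation verdict
    reputations: dict     # file hash -> reputation score
    siem_sightings: dict  # file hash -> hosts the SIEM saw receiving the file
    actions: list = field(default_factory=list)  # ordered audit trail of response actions

    def detonate(self, h): return self.verdicts.get(h, "unknown")
    def reputation(self, h): return self.reputations.get(h)
    def hosts_with_file(self, h): return self.siem_sightings.get(h, [])
    def act(self, name, target): self.actions.append((name, target))

def run_playbook(alert, stack):
    """Walk the use case's steps for one alert and return the incident record."""
    h = alert["file_hash"]
    incident = {"file_hash": h, "hosts": sorted(set(alert["hosts"])),
                "verdict": stack.detonate(h), "reputation": stack.reputation(h),
                "status": "needs_review"}
    # First decision point: only a malicious detonation verdict triggers containment.
    if incident["verdict"] != "malicious":
        return incident  # assumption: other verdicts are left for an analyst
    stack.act("block_application", h)
    # Widen scope: merge hosts reported by the SIEM into the incident, without duplicates.
    incident["hosts"] = sorted(set(incident["hosts"]) | set(stack.hosts_with_file(h)))
    for host in incident["hosts"]:
        stack.act("isolate_host", host)
    # Ticket is opened last, once isolation has been requested for every host.
    stack.act("open_ticket", f"{len(incident['hosts'])} hosts isolated for {h}")
    incident["status"] = "contained"
    return incident

# Constructed sample data; the hash is a placeholder, not a real indicator.
ALERT = {"file_hash": "SAMPLE-HASH-0001", "hosts": ["PAY-WS-01", "PAY-WS-02"]}

def demo(verdict):
    stack = FakeStack(verdicts={"SAMPLE-HASH-0001": verdict},
                      reputations={"SAMPLE-HASH-0001": 12},
                      siem_sightings={"SAMPLE-HASH-0001": ["PAY-WS-02", "PAY-WS-07"]})
    return run_playbook(ALERT, stack), stack.actions

if __name__ == "__main__":
    incident, actions = demo("malicious")
    print(incident["status"], incident["hosts"])
    for step in actions:
        print(step)
```

The ordered `actions` list doubles as an audit trail, which makes it easy to confirm that isolation was requested for hosts found only through the SIEM query and not just those named in the original alert.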



Providing an end-to-end view of a cyber attack lifecycle is key in combating and responding to any type of security incident. Full network visibility and containment capabilities enable an organization to effectively utilize its entire security stack. This provides greater context to event data and allows for better prioritization and remediation of incidents. Automating response efforts with DFLabs’ integration with Cybereason reduces dwell times by drawing on data from the entire attack lifecycle to determine the source of an infection.
