Attacks on cloud computing environments raise a further concern: the privacy and security of the data stored in the cloud. In recent years several industry giants, LinkedIn, Apple and Dropbox among them, have had cloud-hosted data exposed. The common causes turned out to be unpatched security vulnerabilities, insider threats or human error, all of which could have been avoided.
An increasing number of organizations are moving either all or part of their operations to the cloud. Cloud computing has proven to offer better efficiency, cost reduction, and greater scalability options than legacy on-prem networks. High-level security concerns such as unauthorized data exposure and leaks, weak access controls, susceptibility to attacks, and availability disruptions affect traditional IT and cloud systems alike.
However, as more organizations migrate to the cloud, the industry is also seeing higher rates of compromise, driven by ineffective implementation of security controls and missed incident indicators.
Recent breaches of cloud computing environments were due to insufficient security controls around operations that had been migrated to the cloud. As with traditional IT networks, basic controls such as least privilege for account management would have prevented many of them. But if these controls were easy to implement, every organization would already have them in place; low staffing and limited budgets remain barriers for many organizations.
As organizations move their operations to the cloud, these are some of the fundamental questions that are overlooked or not seriously considered:
How can organizations more quickly and efficiently secure their hybrid cloud environments?
How can organizations automatically implement and enforce their best practice policies and procedures across on-prem and cloud environments?
How can organizations ensure that their assets remain secure regardless of where they reside?
The integration between DFLabs IncMan SOAR and VMware vSphere aims to address these questions. Combining VMware's cloud platform with DFLabs' automation enforces best-practice controls and ensures that security incidents are handled quickly and efficiently.
The DFLabs and VMware solution strengthens an organization's cloud security program by using automation to help security teams enforce best-practice policies and procedures. Through automation, security teams can build runbooks that gather incident evidence, evaluate it, and decide how to handle an event without occupying an analyst's time.
These automated runbooks let analysts orchestrate actions across their environment wherever it resides, and let security teams tie their network and security tools together for investigation and remediation. Automating these tasks gives security teams a force multiplier in keeping their assets safe.
Accelerate hybrid cloud protection;
Utilize automated runbooks to handle security events that attempt to violate best practice policies and procedures;
Enable security boundaries regardless of where the network resides.
VMware vSphere is an industry-leading virtualization and cloud platform that provides an efficient and secure foundation for hybrid clouds. Some of the main characteristics of vSphere that show the strength of this universal application platform:
comprehensive built-in security that starts at the core, via an operationally simple policy-driven model;
a seamless hybrid cloud experience with easy visibility, migration and management of workloads between on-premises and public cloud;
supports both existing and next-gen workloads through simple and efficient management at scale;
supports new workloads and leveraging hardware innovations for enhanced performance;
elevates the customer experience to an entirely new level.
IncMan SOAR receives an alert indicating that a privileged account has disabled logging on a host. Incident artifacts such as source and destination IP addresses and usernames are parsed out and used to query VMware vSphere for the current list of virtual machines. If the IP or hostname belongs to a virtual machine, the R3 Rapid Response Runbook queries both vSphere and the organization's SIEM for details of any previous alerts involving the affected host. A proprietary script then checks whether the host has an open change-management ticket that may explain the observed behavior.
If the host appears in other security events and has no active change request open, the priority is adjusted automatically and the R3 Rapid Response Runbook continues gathering enrichment data about the system and its user.
This data is then evaluated against a condition that looks for additional events involving the suspected user account: a query gathers the user's activity over a 30-day period. If the account has generated another security alert, a new ticket is created in the organization's ticketing system and the R3 Rapid Response Runbook is paused so that an analyst can review the evidence gathered.
Once reviewed, the analyst can close the incident as a false positive or issue containment actions against the host and/or its user. If containment is executed, vSphere creates a new snapshot of the machine (taking the snapshot first preserves the machine's state before the remaining containment steps alter it), the endpoint detection system tags the machine for manual follow-up, and the user's account is disabled.
If instead the analyst concludes that the user account does not appear to be compromised but the host still needs a follow-up inspection, they can decline the first set of containment actions against the host and its user and request only a snapshot of the machine and an EDR tag for further follow-up.
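The decision flow of the R3 Rapid Response Runbook described above, written out as an added Python example. This is not IncMan's or VMware's code: the vSphere inventory, SIEM alert history, open change tickets and user alert timestamps are constructed dictionaries standing in for API calls, and the state names and the behaviour on branches the text does not spell out (no VM match, no prior host alert, no user alert in the window) are assumptions marked in the comments.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed stand-ins for the systems the runbook queries (vSphere VM
# inventory, SIEM alert history, change-management tickets). A real runbook
# would call the vendor APIs here; these dictionaries are sample data only.
VSPHERE_VMS: Dict[str, str] = {"10.0.5.21": "web-prod-03", "10.0.5.22": "db-prod-01"}
SIEM_HOST_ALERTS: Dict[str, List[str]] = {"web-prod-03": ["suspicious PowerShell parent process"]}
OPEN_CHANGE_TICKETS: Set[str] = {"db-prod-01"}  # hosts with an active change request
SIEM_USER_ALERTS: Dict[str, List[datetime]] = {"jdoe": [datetime(2019, 7, 1, 9, 30)]}
SAMPLE_NOW = datetime(2019, 7, 18, 12, 0)  # constructed "current time" for the 30-day window


@dataclass
class Incident:
    src_ip: str
    user: str
    alert: str = "audit logging disabled by privileged account"
    priority: str = "medium"
    host: Optional[str] = None
    state: str = "open"
    evidence: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def run_runbook(inc: Incident, now: datetime) -> Incident:
    """Automated part of the flow: enrich, escalate, then pause for a human."""
    # 1. Does the source IP belong to a vSphere virtual machine?
    inc.host = VSPHERE_VMS.get(inc.src_ip)
    if inc.host is None:
        inc.state = "not_a_vm"  # assumption: vSphere enrichment stops here
        return inc
    # 2. Prior alerts on the host, and an open change request that may explain them
    prior = SIEM_HOST_ALERTS.get(inc.host, [])
    inc.evidence.extend(f"host_alert:{a}" for a in prior)
    change_open = inc.host in OPEN_CHANGE_TICKETS
    if not prior or change_open:
        inc.state = "no_escalation"  # assumption: left at default priority for triage
        return inc
    inc.priority = "high"  # additional events and no change ticket: escalate
    # 3. Has the user generated another alert within the last 30 days?
    window_start = now - timedelta(days=30)
    user_hits = [t for t in SIEM_USER_ALERTS.get(inc.user, []) if t >= window_start]
    inc.evidence.extend(f"user_alert:{t.isoformat()}" for t in user_hits)
    if user_hits:
        inc.actions.append(f"itsm:create_ticket:{inc.host}:{inc.user}")
        inc.state = "paused_for_analyst"  # human review before any containment
    else:
        inc.state = "enriched"  # assumption: no pause without a user hit
    return inc


def analyst_decision(inc: Incident, decision: str) -> Incident:
    """Manual part of the flow: the analyst picks one of three outcomes."""
    if decision == "false_positive":
        inc.state = "closed_false_positive"
    elif decision == "contain":
        # Snapshot first so the machine state is preserved before it changes.
        inc.actions += [f"vsphere:snapshot:{inc.host}",
                        f"edr:tag:{inc.host}",
                        f"iam:disable:{inc.user}"]
        inc.state = "contained"
    elif decision == "inspect_host":
        # Account judged clean: preserve and tag the host, leave the user enabled.
        inc.actions += [f"vsphere:snapshot:{inc.host}", f"edr:tag:{inc.host}"]
        inc.state = "pending_host_review"
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return inc


if __name__ == "__main__":
    inc = run_runbook(Incident("10.0.5.21", "jdoe"), SAMPLE_NOW)
    print(inc.state, inc.priority, inc.evidence)
    print(analyst_decision(inc, "contain").actions)
```

The two early returns are where a real runbook would branch into a lighter triage path; the text only describes the path that escalates, so the example labels the other outcomes as assumptions rather than inventing actions for them.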
Revert to Snapshot
As the cloud threat landscape evolves, IncMan's integration with VMware vSphere will help organizations combat attacks that can be avoided. Combining VMware's cloud platform with the power of the DFLabs IncMan SOAR solution ensures that cloud security incidents are tackled rapidly and successfully.