Respond to Web-based Attacks Automatically with DFLabs and Symantec Secure Web Gateway

Back to all articles

web-based attacks

As web-based attacks continue to grow in popularity, the sophistication needed in detection mechanisms have been forced to evolve to keep up with the ever-changing threat landscape. Security professionals can no longer depend on signature-based technologies and manual intervention to help aid them in the defense of their business assets.

The integration between DFLabs and Symantec Secure Web Gateway provides the assistance these security professionals need to stay ahead of their adversaries. Through the use of Symantec Secure Web Gateway’s real-time web filtering, risk score analysis, and deep content inspection, investigators are presented with the incident details they need to quickly triage an event, and when coupled with the automation power of DFLabs’ IncMan SOAR solution, the need for manual intervention is replaced with automatic prioritization and containment capabilities.

The Problem

Web-based attacks continue to be the most common delivery mechanism used by today’s adversaries. As more organizations move their businesses to the cloud, the chance of their assets falling victim to these sophisticated attacks are greater than ever. The most common cause of the latest security breaches is due to incomplete cloud adoption strategies which have left users and business applications wide-open on the web and vulnerable to attack.

These attacks are made more successful due to lack of qualified professionals to quickly respond to a suspected incident. Low staffing concerns along with increased sophistication in attack techniques and incomplete infrastructure deployments have created a perfect environment for attackers to unleash their malicious intentions.

Within today’s SecOps and IT teams, these key questions should be asked and addressed:

  • How can we ensure our users and applications are safe on the web?

  • How can we confidently adopt cloud-based technologies without becoming another victim of web-based attacks?

  • How can we overcome low staffing concerns to prevent sophisticated attack techniques from becoming successful?

The DFLabs and Symantec Secure Web Gateway Solution

The DFLabs and Symantec Secure Web Gateway Solution combines Symantec’s industry-leading Web protection suite with the world-class automation and orchestration power of DFLabs’ IncMan SOAR solution to empower security professionals to take the upper hand against their adversaries. By utilizing evidence-rich data provided by Symantec’s advanced Web security products, IncMan SOAR can make automated decisions on behalf of an investigator in a matter of seconds compared to the potential hours it may take to identify a potential threat.

Armed with this data, IncMan SOAR evaluates its findings through sets of conditional statements used to determine what actions need to be taken on a suspected incident. Based on the findings of these conditional statements, additional historical data is pulled from Symantec Secure Web Gateway as well as other security products such as an organization’s SIEM or endpoint detection system and is used to take either automated containment actions or to create security notifications for an organization’s security team to follow-up on manually depending on their current processes and procedures.

By extending Symantec’s advanced web protection to aide additional products in an organization’s security stack, incident responders and network defenders are capable of being the force multiplier necessary to combat today’s sophisticated threats.

About Symantec Secure Web Gateway

The Advanced Secure Gateway combines the functionality of Symantec’s industry-leading Secure Web Gateway, ProxySG, with the intelligence of the Symantec Content Analysis to offer a single, powerful web security solution that delivers world-class threat protection. The Advanced Secure Gateway is a scalable proxy designed to secure web communications and accelerate business applications. The Gateway’s unique proxy architecture allows it to effectively monitor, control and secure traffic to ensure a safe web (cloud) experience.

Use Case

Now let’s look at a simple use case in action.

DFLabs’ IncMan SOAR platform receives an alert for potentially malicious web browsing activity. Its R3 Rapid Response Runbook for Suspicious Web Activity automatically kicks off and begins to gather incident data regarding the suspicious web domain. The R3 Runbook checks the domain’s reputation score, gathers domain information, and pulls system information from the internal host who visited the suspicious site.

Armed with this information, IncMan’s Runbook comes to its first conditional statement. This condition looks at the suspected domain’s reputation score to see if it is ranked higher than 50. If it is ranked at 50 or higher, the R3 Runbook begins to gather historical data to determine if the incident is part of a more wide-spread event. If it is found to score lower than 50, IncMan will issue another domain reputation check through an additional reputation service to verify its reputation. If the second check also finds it to be non-malicious, the R3 Rapid Response Runbook will exit without taking any further action.


However, if the second check finds its reputation to be malicious, IncMan will begin to issue the same actions taken if the original score had been confirmed as malicious by beginning to gather historical data to determine the extent of the original event. The R3 Runbook simultaneously queries Symantec Secure Web Gateway for additional activity from internal hosts involving the suspicious domain as well as active sessions on the original victim machine and will issue a containment action to the organization’s firewall to block all activity to and from the domain.

Once Symantec Secure Web Gateway has been queried for this information, IncMan will split off into two separate paths.The first path will issue another conditional statement looking to see if any other internal hosts had been in contact with the malicious domain. The second path will begin to gather more information about the original affected host by gathering running processes from the endpoint detection system and querying the organization’s SIEM for additional security events involving the host.

If additional hosts had been observed in communication with the malicious domain or if the affected host had been observed in additional security events, The R3 Rapid Response Runbook will add the additional hosts and/or events to the incident as an incident artifact, query the SIEM for additional events involving the other suspected hosts, upgrade the incident priority to high, and create a new incident ticket within the organization’s ticketing system to allow the level II analyst to review all the evidence and make a determination on how to respond.


Sophisticated web-based attacks still plague some of the organizations’ most critical assets. Even if the initial infection vector is not a web-based attack, additional payload downloads, C2, and data exfiltration often take place over common web protocols. Comprehensive protection and control over web traffic through layered defenses is key for ensuring effective and efficient responses to these continual incoming threats. The integration between DFLabs IncMan SOAR and Symantec Secure Web Gateway provides this level of protection and complete control by utilizing the power of automation and orchestration to extend these layers of defense to an organization’s entire environment and present security staff with the assistance they need to stay ahead of their adversaries.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo