Today’s cybersecurity programs must be more resilient than ever before. With malware attacks and exploit kits becoming extremely sophisticated and easy to access, anyone with a little bit of money can cause a tremendous amount of damage.
DFLabs’ integration with Palo Alto Networks combines the next-gen detection capabilities of WildFire’s dynamic and static malware analysis techniques with the automation power of IncMan’s R3 Rapid Response Runbooks to provide organizations with the tools necessary to fortify their security defenses against these elusive threats.
The sophistication and ease of access to today’s malware and exploit kits have made the jobs of security professionals exponentially harder. Not only are they defending their organizations with less than adequate staffing, but they are also having to contend with adversaries that no longer must be highly skilled and techniques that evade legacy detection mechanisms.
The evolution of weaponizing malware has driven the need for more advanced detection mechanisms and faster mitigation processes. Without these, organizations have little to no chance of protecting their businesses and assets from modern attacks.
The DFLabs and Palo Alto WildFire solution extends WildFire’s high-fidelity, evasion-resistant protection to an organization’s entire security stack through automated workflows. These workflows are designed to mimic analyst behavior during the initial triage phase of incident investigations.
By gathering evidence through enrichment actions, DFLabs IncMan SOAR can operationalize the intelligence gained from Palo Alto WildFire to make automated decisions on behalf of an organization’s security team. These automated decision points remove the need for human intervention in the early stages of incident investigation and allow for immediate containment of a threat in a matter of seconds.
Palo Alto Networks WildFire malware prevention service is the industry’s most advanced analysis and prevention engine for highly evasive zero-day exploits and malware. The service employs a unique multi-technique approach, combining dynamic and static analysis, innovative machine learning techniques, and a groundbreaking bare metal analysis environment to detect and prevent even the most evasive threats.
Palo Alto WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware.
An alert is received from the Palo Alto NGFW indicating that an executable has been downloaded by one of the organization’s users. IncMan receives this alert and executes the Suspicious Application Download R3 Rapid Response Runbook. The runbook issues commands to gather enrichment data from the organization’s Palo Alto WildFire. The downloaded file is submitted to WildFire for detonation. Once detonated, IncMan issues additional enrichment actions to gather a PCAP from the file’s detonation, the detonation report, and its detonation verdict. Once this data is collected, IncMan reaches its first conditional action.
This action evaluates the information gathered from WildFire. If the file is found to be malicious, the R3 Rapid Response Runbook immediately upgrades the incident’s priority to high, adds the file’s MD5 hash to the incident as an artifact, and issues a query to the organization’s SIEM for historical data on any additional users who may have interacted with the file. If the file does not have a negative detonation score, IncMan checks its hash against another threat intelligence platform to verify that the file is benign. If the second threat intelligence score is also clean, the runbook closes the incident and exits.
If the second threat intelligence service finds that the file has a negative reputation score, IncMan follows the original path to begin containment actions. If the query issued against the organization’s SIEM does not indicate that any additional host interacted with the malicious file, the R3 Rapid Response Runbook bans the file hash from the environment, creates a new Priority 1 ticket in the organization’s ticketing system, and creates a new task for the affected machine to be triaged for possible contamination before exiting. If an additional machine may be affected by this file, that machine is added to the incident as a new artifact, the priority is upgraded to critical, and the security team is notified of the incident.
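The decision tree described in the preceding paragraphs, modelled as an added Python example (constructed here; it is not DFLabs’ or Palo Alto Networks’ code). The enrichment results are simulated inputs, and the incident fields and action names are assumptions made for the illustration:

```python
"""Model of the 'Suspicious Application Download' runbook's conditional actions.
Constructed example: verdicts, SIEM results and action names are simulated."""
from dataclasses import dataclass, field


@dataclass
class Incident:
    md5: str                     # hash of the downloaded file (placeholder value in tests)
    host: str                    # machine that downloaded the file
    priority: str = "medium"     # assumed starting priority before enrichment
    artifacts: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    closed: bool = False


def run_runbook(inc, wildfire_verdict, second_ti_malicious, siem_other_hosts):
    """Walk the runbook's decision points.

    wildfire_verdict:    'malicious' or 'benign' (simulated WildFire detonation verdict)
    second_ti_malicious: True if the secondary threat-intel hash check is negative
    siem_other_hosts:    hosts returned by the SIEM query besides the original one
    """
    if wildfire_verdict != "malicious":
        # First conditional: WildFire did not flag the file, so verify with a second source.
        inc.actions.append("check_hash_second_ti")
        if not second_ti_malicious:
            inc.actions.append("close_incident")  # both sources clean: close and exit
            inc.closed = True
            return inc
    # Containment path, taken when either WildFire or the second source flags the file.
    inc.priority = "high"
    inc.artifacts.append(("md5", inc.md5))
    inc.actions.append("query_siem_for_hash")
    if siem_other_hosts:
        # Second conditional: other machines interacted with the file.
        for other in siem_other_hosts:
            inc.artifacts.append(("host", other))
        inc.priority = "critical"
        inc.actions.append("notify_security_team")
    else:
        # Only the original host is involved: ban, ticket and triage task, then exit.
        inc.actions += ["ban_hash", "create_p1_ticket", "create_triage_task:" + inc.host]
    return inc
```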
When it comes to combating today’s malware attacks, organizations cannot afford to be caught on their heels. By deploying advanced detection and prevention technologies along with automation strategies, security teams can overcome staffing shortages and be assured that these sophisticated attacks cannot elude their detections.
The DFLabs and Palo Alto solution provides organizations with the reinforcements necessary to ensure that their security program, and the teams that support it, can quickly and efficiently stop these threats in their tracks and prevent their organizations from becoming the next victim.
DFLabs / 31 Jan 2019