The Core Pillars of IncMan SOAR and Our Vision For The Future
As the technology used in cyber security becomes more advanced with each passing day, we at DFLabs make sure to respond to the evolving needs of clients by providing a contemporary cyber security solution in the shape of IncMan SOAR.
Throughout the years, IncMan SOAR has been re-invented and is continuously “under construction,” because we believe that innovation in the cyber security world never stops. But even though the process of evolving is constant, we never forget the cornerstone and fundamental core pillars of DFLabs. Our mission is to always continue innovating in order to stay one step ahead of sophisticated cyber attacks.
IncMan SOAR has grown in leaps and bounds since its inception, but the best is yet to come. In an internal interview with Dario Forte, DFLabs’ founder and CEO, we discussed the main goals for IncMan SOAR for the foreseeable future, what makes us unique, and our vision for the next generation of SOAR in the industry.
What are the core pillars of DFLabs’ IncMan?
In order to understand what the main core pillars of IncMan SOAR are, we first need to point out that IncMan SOAR should be considered a platform rather than a tool. IncMan SOAR is a solution composed of complex cornerstones, each of which plays an integral part in achieving the main and ultimate goal – providing maximum cyber security to our clients.
As you may well be aware, SOAR comprises a variety of functions revolving around automation, orchestration, and advanced reporting. When it comes to IncMan SOAR, the fundamental core pillars that our solution is built upon are the following:
- Open Integration Framework
- Case Management
- Multitenancy Architecture
The reason why IncMan SOAR relies on a large number of core pillars has to do with the fact that SOAR as a platform acts as the connecting fiber within the SOC. IncMan SOAR also tackles other types of security issues, such as cyber fraud, physical security and safety, industrial control, etc. In that regard, SOAR must branch out in different ways in order to tackle all of these problems competently.
Every client and MSSP expects a SOAR solution to include automation and orchestration, so those two pillars can be labeled as fundamental. Furthermore, it is important to note that automation and orchestration as features are intertwined: there is no automation without orchestration, and vice versa.
Another major component that is a vital aspect of IncMan SOAR is the Open Integration Framework. This is another pillar that is closely linked to automation and orchestration, and it is a very important differentiator for DFLabs. We strongly believe that open integration is a key aspect of SOAR. The math is quite simple – the more third-party security tools a platform is able to integrate with, the more open the integration architecture is, and the more value the client can take from a single investment across more than one department.
Keeping that in mind, DFLabs has always strived to position IncMan SOAR as one of the solutions with the most open integration architecture in the market.
Is SOAR becoming an integral part of modern cyber security?
In short, yes! With the way that cyber security is evolving, and the problems that SOCs and SecOps teams are facing on a daily basis, we foresee SOAR becoming not only a solution used by the elite but a must-have technology that becomes a de facto standard.
Even if clients were to delegate their cyber security operations to MSSPs, an MSSP without a SOAR solution implemented in its own systems would have the same issues as its clients. Some of the most common problems in the cyber security world are:
- Lack of analysts: The number of threats and alerts grows exponentially, leaving analysts and entire teams unable to cope with and properly address each and every one of them.
- Lack of documented repeatable processes: Documentation and response workflows need to be up to the challenge when facing a myriad of potential cyber attacks each and every day. Without SOAR, analysts just won’t have the time to manually document and follow up on each incident, as a new one is being created in the meantime.
- Time spent on repetitive tasks: Analysts become demotivated over time as they face repetitive, low-risk tasks on a daily basis that mostly revolve around documentation.
Bottom line is, with the number of skilled analysts continuously declining, a layer of automation and orchestration implemented in cyber security operations is a definite must. In this regard, SOAR acts as connective tissue.
By relying on automation, SOAR automates the tasks that can be automated, documents the entire process from incident detection to incident resolution, and frees up a significant amount of time by dealing with lower-risk tasks that would otherwise be handled by analysts. This allows analysts to have more time to focus on higher-stake assignments and eventually increase their satisfaction in doing their jobs.
How has IncMan SOAR changed over the years?
It all started in 2012 when DFLabs published its first scientific paper and started one of the first case management implementations in cyber security. And even though DFLabs kicked off with data case management, we evolved quickly, with our first automated implementation taking place in 2013.
DFLabs was founded by Dario Forte, its current CEO, whose vision for the company and IncMan SOAR remains as ambitious as ever: “Over the years, IncMan SOAR has been continuously changing and evolving as a protagonist in the cyber security industry. We’ve always been considered as an independent pioneer in cyber security, and we still strongly believe that innovation is the cornerstone of success in this market,” said Dario Forte in an internal interview for DFLabs.
DFLabs saw automation as the next generation of cyber security technology, and we built our IncMan SOAR with the goal of becoming the best SOAR in the industry. What started off as technology revolving around case management has grown into an advanced, sophisticated, and cutting-edge SOAR solution that relies on machine learning and still grows and continues to evolve.
And the fact that innovation is one of the cornerstones of our company is confirmed by our three patents awarded in the U.S. for our groundbreaking contribution to SOAR technology. So, it’s obvious that innovation is really important to us, and we’ll continue pushing IncMan SOAR to new heights and crafting its remarkable features to near excellence.
How does IncMan help SOCs and MSSPs?
SOC teams are in desperate need of automation: with the growing number of sophisticated alerts, they are facing many challenges that can easily be resolved by applying automation. Some of the biggest of these are:
- Reducing the reaction time to cyber incidents
- Reducing the number of false positives
- Automating repetitive tasks
- Lack of skilled analysts
Special emphasis needs to be placed on false positives, also known as mislabelled threats, which are very large in number and take up a lot of the analysts’ time to check. With SOAR, intercepting false positives is done automatically, and that is why SOAR is such a desirable solution for SOCs and MSSPs. In this regard, IncMan SOAR helps SOCs and MSSPs in the following ways:
- Automation drastically increases the efficiency of analysts
- MSSPs will provide more value to their customers by implementing SOAR
- Faster detection and resolution of false positives
Furthermore, IncMan SOAR includes capabilities that are unique to the market, such as the triage. Keeping in mind that not every alert deserves to be processed as a security incident, IncMan SOAR invented the triage, which is unique to DFLabs. The triage makes it possible to pre-filter security events without opening an incident.
This capability greatly improves the incident-handling process. Traditionally, every alert generates an incident which must be investigated manually by analysts. The triage, however, is able to harness the full automation power of IncMan SOAR’s R3 Runbooks to enrich event information and discard some alerts as false positives.
This allows the analyst to quickly make a decision regarding a potential threat and to make an informed decision regarding the severity of a potential incident.
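As an added illustration of the triage idea described above (this is not IncMan SOAR code; the events, enrichment sources, rules and the `Event`/`triage` names are constructed for the example), the snippet below enriches each event and decides whether to discard it or open an incident, while keeping an audit trail for discarded events too:

```python
# Illustrative triage stage: enrich, then pre-filter, BEFORE any incident
# is opened. Constructed example; not IncMan SOAR's implementation.
from dataclasses import dataclass, field

# Constructed enrichment sources standing in for what a runbook would query.
KNOWN_SCANNERS = {"10.0.0.5"}  # authorised internal vulnerability scanner
ASSET_CRITICALITY = {"db-prod-01": "high", "kiosk-07": "low"}


@dataclass
class Event:
    event_id: str
    src_ip: str
    host: str
    signature: str
    is_scanner: bool = False
    criticality: str = ""
    severity: str = ""
    audit: list = field(default_factory=list)  # decision trail, kept on discard too


def enrich(ev: Event) -> Event:
    """Runbook step 1: attach context to the raw event (no incident yet)."""
    ev.is_scanner = ev.src_ip in KNOWN_SCANNERS
    ev.criticality = ASSET_CRITICALITY.get(ev.host, "medium")
    ev.audit.append(f"enriched: scanner={ev.is_scanner} criticality={ev.criticality}")
    return ev


def triage(ev: Event) -> str:
    """Runbook step 2: return 'discard' or the severity of the incident to open."""
    enrich(ev)
    if ev.is_scanner and ev.signature.startswith("portscan"):
        ev.audit.append("discarded: authorised scanner activity")
        return "discard"
    ev.severity = ev.criticality  # inherit incident severity from asset criticality
    ev.audit.append(f"incident opened: severity={ev.severity}")
    return ev.severity


def run_triage(events: list) -> dict:
    """Only events that survive triage become incidents; every decision is logged."""
    result = {"incidents": [], "discarded": []}
    for ev in events:
        bucket = "discarded" if triage(ev) == "discard" else "incidents"
        result[bucket].append(ev)
    return result
```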
Is it easy to integrate SOAR into your current cyber security system?
It depends on the SOAR vendor. Not all SOAR vendors support an Open Integration Framework, and some offer quite complicated ways to integrate. This is for a couple of reasons:
- They lack the capability to build integrations
- They have difficult licensing models
On the other hand, DFLabs makes life easier for its clients in this respect, as IncMan SOAR’s OIF allows users to quickly and seamlessly install and integrate the software. Not only does IncMan SOAR allow customers to integrate with well over 200 of the most popular cyber security tools, but DFLabs also allows customers to build their own integrations with very little coding skill required.
With IncMan SOAR, it takes an average of three working days to build a full integration.
What has changed in IncMan version 5.0?
Apart from enhancing its features revolving around enrichment and triage, and boosting its R3 Runbooks, IncMan version 5.0 has been upgraded with the following key features in mind:
- Enhanced user interface
- Increased automation speed
- Advanced machine learning algorithm
- Improved search functionality
- New disaster-recovery system
- Customizable dashboards
- Optimized Runbooks section
Making the user interface smooth and user friendly is one of the main goals of DFLabs. DFLabs has particularly directed its focus on building a fully revamped user interface in order to provide its clients with the best possible user experience.
The new IncMan 5.0 is easier to use than ever before, boosted with new features and new integrations. The time to implement SOAR has also been optimized, as has its overall performance speed. IncMan 5.0 also has a new Runbook engine whose performance is improved by over 60% compared to the previous version.
Are organizations ready to completely rely on automation?
In short, yes. Compared to a few years ago, more and more companies are ready to implement automation in their cyber security operations, and the trust in automation continues to grow exponentially.
The great thing about automation in SOAR is that it’s completely adjustable. Clients can choose to incorporate full or semi-automation in their security operations. Basically, the user can decide which part of the security processes should be automated and which parts they want to resolve manually.
Still, there are some organizations that have not yet matured enough to grasp the necessity of automation. However, Dario Forte predicts that this gap will be closing in the next 18 months: “Organizations are more ready than before to adopt automation, and they will be even keener on implementing automation in the next 18 months.”
When it comes to the degree of automation used in SOCs, it is still applied with caution, particularly for high-risk tasks. Clients rely more on automation when it comes to repetitive, routine tasks. But even if SOCs used automation only for routine, mundane tasks, which make up around 65-70% of all assignments, they would still automate a big part of their security operations, and analysts would spend more time focusing on more complex tasks. In this regard, SOAR is expected to grow, and clients will eventually learn to rely on SOAR even for high-risk tasks.
It is important to note that the scope of automation continues to widen, and now automation is used not only in cyber security operations but also in non-cyber security operations. For example, banks are using SOAR to automate and properly document bank transactions.
What are the plans for the future of IncMan SOAR?
As we mentioned earlier, DFLabs strives to innovate. IncMan SOAR will continue to evolve, introducing new features and enhancing and optimizing its existing capabilities. According to CEO Dario Forte, the future of IncMan SOAR will revolve around:
- Enhancing data scalability
- Improving integration capabilities
- Optimizing IncMan SOAR for non-cyber use cases
In the next 3-5 years, Dario predicts that Industry 4.0 will expand and that there will be more use cases related to industrial controls. This is exactly what IncMan SOAR will be focused on in the next 24-36 months.
IncMan version 5.1 is soon going to be released, and by the end of the year we will introduce more relevant features for the current version, which will mainly focus on building upon the core features of IncMan SOAR.
Open integration will continue to be a key aspect of IncMan SOAR for the future, and automation and orchestration will be improved in order to align with the growing needs of industrial control.