IncMan for SOC

DFLabs IncMan for SOC - Security Operations and Incident Response Platform

DFLabs IncMan for SOC is a purpose-built platform designed to manage and orchestrate Security Operations.

DFLabs IncMan’s library of customizable runbooks orchestrates and automates the response to threat and incident scenarios such as malware, data loss or regulatory breach notification. The solution supports incident responders in assessing, investigating and hunting for threats, and in gathering, maintaining and transferring knowledge within the SOC team.

DFLabs IncMan acts as a force multiplier: it makes it possible to manage more incidents in less time with fewer security analysts, and to do so in a repeatable, measurable and enforceable manner.

R3 Rapid Response Runbooks

R3 Rapid Response Runbook

At the heart of IncMan is the R3 Rapid Response Runbook engine. R3 Runbooks are created using a visual editor and support granular, stateful and conditional workflows to orchestrate and automate incident response activities such as incident triage, stakeholder notification, data and context enrichment and threat containment. R3 Runbooks are complemented by capabilities that support incident responders in assessing, investigating and hunting for threats, and in gathering, maintaining and transferring knowledge between IR and SOC teams.

  • Customizable, linear and conditional runbooks
    • Over 100 customizable runbooks and playbooks covering individual incident types, threats and regulatory frameworks.
    • Complex, stateful and conditional logical decision making to pursue a variety of alternative responses.
    • 99+ out of the box automation actions
    • Graphical visual editor
  • Full Incident Lifecycle Automation
    • Triage and Notification
    • Context Enrichment
    • Hunting & Investigating
    • Threat Containment
  • Dual-Mode actions
    • Combine manual, semi-automated and automated actions.

Augmenting Security Analysts using Machine Learning

DFLabs’ patent-pending Automated Responder Knowledge (DF-ARK) module applies machine learning to historical responses to threats and recommends relevant runbooks and paths of action to manage and mitigate them. DF-ARK uses a supervised, case-based reasoning machine learning algorithm.

  1. ARK constructs a model of an organization’s threat landscape from known and historical incidents.
  2. ARK scores and evaluates each incident based on its unique and shared indicators and attributes and their relevance to historical incidents.
  3. The ARK algorithm uses this model to suggest playbooks for similar and related threats.
  4. Threats known to the model are considered more relevant, are scored more reliably, and are assigned greater urgency and higher priority.

ARK requires sufficient training data: it begins with no knowledge, but learns from the experience and actions of your security team and becomes more effective over time.
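As an added illustration of the four ARK steps above (this is example code written for this page, not DFLabs’ DF-ARK implementation, whose similarity measure and scoring rules are not described here), the following case-based reasoning recommender builds a model from a constructed incident history, scores a new incident by the weighted overlap of its indicators and attributes with past cases, aggregates the runbooks of the nearest cases, and raises priority only when a sufficiently similar known threat exists. The inverse-frequency weighting, the 0.5 similarity threshold, the incident and runbook names and the sample history are all assumptions. It also shows the cold-start behaviour: with an empty history nothing is recommended and the incident is left unscored.

```python
"""Case-based reasoning recommender in the style described for DF-ARK.

Example code written for this page; NOT DFLabs' implementation. The weighting,
threshold, names and history below are assumptions used for illustration.
"""
from collections import defaultdict

# Assumed threshold (step 4): only a sufficiently similar known threat earns
# the "high" priority and a reliable score.
HIGH_PRIORITY_SIMILARITY = 0.5

# Constructed sample history: each closed incident records the indicators
# (hash, domain, IP, ...) and attributes (incident type, asset class) seen,
# plus the runbook that resolved it.
HISTORY = [
    {"id": "INC-1", "indicators": {"hash:a1", "domain:bad.example", "ip:203.0.113.5"},
     "attributes": {"type:malware", "asset:workstation"}, "runbook": "RB-Malware-Containment"},
    {"id": "INC-2", "indicators": {"hash:a1", "ip:203.0.113.9"},
     "attributes": {"type:malware", "asset:server"}, "runbook": "RB-Malware-Containment"},
    {"id": "INC-3", "indicators": {"domain:phish.example", "email:ceo@example.com"},
     "attributes": {"type:phishing", "asset:mailbox"}, "runbook": "RB-Phishing-Triage"},
    {"id": "INC-4", "indicators": {"ip:198.51.100.7"},
     "attributes": {"type:data-loss", "asset:fileshare"}, "runbook": "RB-Data-Loss-Notification"},
]

# Constructed new incidents: one that overlaps a known malware case, one that
# shares almost nothing with the history.
NEW_INCIDENT = {"indicators": {"hash:a1", "ip:203.0.113.5", "domain:new.example"},
                "attributes": {"type:malware", "asset:workstation"}}
UNSEEN_INCIDENT = {"indicators": {"ip:192.0.2.1"}, "attributes": {"type:malware"}}


def features(incident):
    """Indicators and attributes are scored together as one feature set."""
    return set(incident["indicators"]) | set(incident["attributes"])


def build_model(history):
    """Step 1: the model is the case base plus a weight per feature.

    A feature shared by many past incidents (e.g. 'type:malware') is less
    discriminating than one seen once, so weight = 1 / number of cases
    containing it. Features never seen get weight 1.0 at lookup time.
    """
    frequency = defaultdict(int)
    for case in history:
        for feat in features(case):
            frequency[feat] += 1
    weights = {feat: 1.0 / count for feat, count in frequency.items()}
    return {"cases": list(history), "weights": weights}


def similarity(model, incident, case):
    """Step 2: weighted Jaccard overlap between an incident and one past case."""
    weights = model["weights"]
    a, b = features(incident), features(case)
    shared = sum(weights.get(f, 1.0) for f in a & b)
    total = sum(weights.get(f, 1.0) for f in a | b)
    return shared / total if total else 0.0


def score_incident(model, incident):
    """Score the incident against every case, most similar first."""
    scored = [(case["id"], case["runbook"], similarity(model, incident, case))
              for case in model["cases"]]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def recommend(model, incident):
    """Steps 3 and 4: rank runbooks by the similarity mass of the cases that
    used them, and set priority from the best single match."""
    scored = score_incident(model, incident)
    by_runbook = defaultdict(float)
    for _, runbook, sim in scored:
        if sim > 0:                      # unrelated cases contribute nothing
            by_runbook[runbook] += sim
    runbooks = sorted(by_runbook.items(), key=lambda kv: kv[1], reverse=True)
    best = scored[0][2] if scored else 0.0
    if not scored:
        priority = "unscored"            # cold start: no history to learn from
    elif best >= HIGH_PRIORITY_SIMILARITY:
        priority = "high"                # a known threat: reliable, urgent
    else:
        priority = "normal"              # weak match: suggestion only
    return {"runbooks": runbooks, "priority": priority, "confidence": best,
            "nearest": [(cid, sim) for cid, _, sim in scored[:3] if sim > 0]}


if __name__ == "__main__":
    model = build_model(HISTORY)
    for label, inc in (("known", NEW_INCIDENT), ("unseen", UNSEEN_INCIDENT)):
        print(label, recommend(model, inc))
    print("empty history", recommend(build_model([]), NEW_INCIDENT))
```

A real deployment would replace the Jaccard measure with whatever similarity the vendor trains, but the shape is the same: a case base, a per-feature weighting, a nearest-case query, and a separate rule that turns similarity into urgency.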


DFLabs IncMan for SOC at a Glance

The table below highlights further benefits that IncMan offers to Security Operations Centers. Each row names a core SOC benefit and, beneath it, lists IncMan’s solution:

Aggregation and correlation of Security and Incident Data
  • Support for hundreds of 3rd party security technologies via Syslog, CEF and Email parsing
  • 35+ certified bidirectional connectors are included for leading 3rd party security technologies such as Active Directory, Palo Alto, Cisco ThreatGrid, CrowdStrike and Carbon Black, with many more continuously being added
  • Database querying for MySQL, MSSQL, PostgreSQL, Microsoft Access and Oracle
  • Custom script execution
  • Bidirectional SOAP API
Customizable linear playbooks and conditional runbooks
  • Security analysts can create a library of dedicated, customizable and granular runbooks using a graphical editor for individual threat, incident, or asset types.
  • IncMan comes with 100+ customizable playbooks, runbooks and automation actions out of the box.
  • Automatic correlation and re-application of playbooks across tenants in multi-user environments.
Integrated Knowledgebase module to disseminate, share and transfer knowledge from experienced to novice analysts and within the team.
  • IncMan has an integrated Knowledgebase Module to document playbooks, threat assessments, threat intelligence, situational awareness and best practices.
  • Segregated and dedicated Knowledgebases can be maintained for individual business units or asset groups.
  • Integrated Knowledgebase library includes GDPR, ISO, NIST and other regulatory frameworks.
Repeatable, enforceable, measurable & effective incident response workflows.
  • Playbooks support full incident phase management to measure every individual phase of the IR workflow.
  • Mandatory steps can be enforced, ensuring that incident response is conducted in a forensically sound manner that complies with legal and policy requirements.
Customizable dashboards and widgets to gain immediate situational awareness of operations and threats.
  • Support for a huge variety of key performance indicators and metrics
  • Visualize data with Charts, Graphs, Tables and Meters
Generate operational performance reports with an integrated reporting engine.
  • Generate reports for:
    • Operational Performance
    • Incidents
    • Threats
    • Regulatory compliance
  • Over 140 customizable KPI and Report templates.
Powerful case management
  • Integrated forensics capabilities
  • Forensics and Response System Analysis and Evidence Management
  • Collaborate with diverse stakeholders
  • Secure collaborative platform for communications, data sharing and reporting
Threat and Incident data visualization and analysis
  • Analysis and visualization of IoCs and incident observables
  • Automated Threat Intelligence Fusion
  • Support for STIX, TAXII, OpenIoC, MISP and many open source and commercial TI feeds
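The first row of the table lists Syslog and CEF parsing as the generic ingestion path, and the last row the extraction and visualisation of IoCs and observables. As an added example (code written for this page, not IncMan’s own parser; the event lines are constructed, and the observable-field mapping is an assumption), the parser below handles the two places where naive splitting breaks CEF: escaped pipes and backslashes in the header, and escaped equals signs and multi-word values in the extension. It also strips a syslog prefix and pulls out the observables a triage runbook would enrich.

```python
"""Minimal CEF (Common Event Format) parser with observable extraction.

Example code written for this page; not IncMan's implementation. The sample
events are constructed and OBSERVABLE_KEYS is an assumed mapping.
"""
import re

# Constructed sample events: one bare CEF line whose name contains an escaped
# pipe and whose msg contains an escaped '=', and one wrapped in a syslog
# header as a collector would receive it.
SAMPLE_EVENTS = [
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|Outbound beacon to known C2 \\| blocked|8|"
    "src=10.0.0.5 dst=203.0.113.5 dpt=443 suser=j.doe msg=Matched rule id\\=C2-1 act=blocked",
    "<13>Mar 11 10:15:32 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|200|Policy violation|3|"
    "src=10.0.0.9 dhost=files.internal.example fname=payroll.xlsx act=allowed",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Assumed mapping from CEF extension keys to observable types.
OBSERVABLE_KEYS = {"src": "ip", "dst": "ip", "shost": "hostname", "dhost": "hostname",
                   "suser": "user", "duser": "user", "fname": "file",
                   "fileHash": "hash", "request": "url"}

# A new key starts only after a space that is followed by 'key=' ; values may
# contain spaces, and a literal '=' inside a value must be escaped as '\='.
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.\-]+=)")
_UNESCAPE = re.compile(r"\\(.)")


def _split_header(text):
    """Split the seven header fields on unescaped '|' ('\\|' and '\\\\' are
    the header escapes) and return them with the untouched extension."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, text[i:]


def _unescape(value):
    """Extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline/CR."""
    return _UNESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    out = {}
    for pair in _EXT_SPLIT.split(ext.strip()):
        key, sep, value = pair.partition("=")
        if sep:                          # skip any fragment without a key
            out[key] = _unescape(value)
    return out


def parse_cef(line):
    """Parse one CEF event, optionally prefixed by a syslog header."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    fields, ext = _split_header(line[start:])
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, fields))
    event["version"] = event["version"][len("CEF:"):]
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev   # 0-10 or Low/High...
    event["syslog_prefix"] = line[:start].strip()
    event["extension"] = _parse_extension(ext)
    return event


def observables(event):
    """(type, value) pairs worth enriching or correlating, sorted for stable output."""
    ext = event["extension"]
    return sorted((kind, ext[key]) for key, kind in OBSERVABLE_KEYS.items() if key in ext)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ev = parse_cef(raw)
        print(ev["signature_id"], ev["name"], ev["severity"], observables(ev))
```

Note that a value containing an unescaped `key=` token is ambiguous by construction in CEF; the parser follows the specification and expects the sender to escape it, which is the check to add when a new device feed produces extension fields that look truncated.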

Deployment

IncMan is deployed as a virtual machine or a dedicated hardware appliance.

  • High Availability and Load Balancing
  • Multitenant Architecture
  • Scalable platform that can be integrated with NAS and SAN storage

Integration partners

IncMan integrates with the leading 3rd party cyber security technologies for context enrichment and automation.

DFLabs is the pioneer in Security Automation & Orchestration technology, leveraging your existing security products to dramatically reduce the response and remediation gap caused by limited resources and the increasing volume of threats and incidents.