Enterprise networks are complex environments, with numerous components often under the control of teams outside the security team. During an incident, it is critical that respondents understand the network topology and have the most current network policy and device information available to them. Network documentation is often incomplete and out-of-date; security teams need a way to quickly and efficiently gather actionable network intelligence to effectively respond to a security incident.
This blog will cover some of the current challenges faced by security operations teams and how they can harness the vast amounts of network intelligence available, such as device, policy and path information, using Tufin as a case study. By integrating with Tufin Orchestration Suite, DFLab’s IncMan SOAR platform can utilize its R3 Rapid Response Runbooks to enable the collection of actionable network intelligence, along with its automation, orchestration, and measurement power to respond faster and more efficiently to security incidents.
There are three specific challenges that are common within any security operations center and analysts need to be able to find an effective and efficient way to solve them and obtain the information they need as quickly as possible.
- How can I get a current list of network devices?
- How can I get a current list of rules and policies?
- How can I determine the network path from source to destination?
The DFLabs and Tufin Solution
Tufin Orchestration Suite takes a policy-centric approach to security to provide visibility across heterogeneous and hybrid IT environments, enable end-to-end change automation for network and application connectivity and orchestrate a unified policy baseline across the next generation network. The result is that organizations can make changes in minutes, reduce the attack surface and provide continuous compliance with internal and external/industry regulations. The ultimate effect is greater business continuity, improved agility and reduced exposure to cyber security risk and non-compliance.
Tufin Orchestration Suite together with DFLabs IncMan SOAR platform provides joint customers with an automated means to gather actionable network intelligence, a task which would otherwise need to be performed manually, taking up valuable analyst time when every minute counts. This results in an overall decrease in the mean time to respond (MTTR) to a computer security incident, saving the organization both time and potential financial and reputation loss.
It provides a list of current network devices based on any number of criteria, a list of current rules and policies for any number of devices and is able to simulate network traffic from source to destination, including path and associated rules. Here is a use case in action to see exactly how!
Network traffic between a workstation and a domain controller has been identified as potentially malicious by the organization’s UBA platform. The UBA platform generated an alert which was forwarded to IncMan SOAR, causing an incident to be automatically generated. Based on the IncMan Incident Template, the following R3 Runbook was automatically assigned and executed to gather additional network intelligence.
The information gathering begins by simulating the network path between the source address and destination address of the potentially malicious network traffic. This information is gathered by two separate Enrichment actions, one which will display this information in a table format, and another which will display the same information in a graphic network path which can be exported and shared or added to reports.
As with information from any other IncMan Enrichment action, each network device on the path between the source address and the destination address is stored within an array which can be used by subsequent actions.
After the path information has been retrieved, an additional Enrichment action is used to retrieve information about each device along the path. This includes information such as device vendor, model, name and IP addresses.
Following the acquisition of the device information, two additional Enrichment actions are utilized to gather additional network intelligence. The first action will retrieve all rules for each network device along the path. Detailed information on each matching rule will be displayed for the analyst, allowing the analyst to assess why the traffic was permitted or denied, what additional traffic may be permitted from the source to the destination, and what rule changes may be appropriate. The second action will retrieve all policies for each network device along the path. Similar to the previous rule information, this information will allow the analyst to assess the configured network policies and determine what, if any, policy changes should be made to contain the potential threat.
Harnessing the power of Tufin Orchestration Suite, along with the additional orchestration, automation and response features of DFLab’s IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization.
To see the integration in action, request a demo of our IncMan SOAR platform today.