Sharing Critical Security Information Using DFLabs SOAR and McAfee OpenDXL

In security, information is power. Having actionable information available at the touch of a button can be the difference between stopping a threat in its tracks and becoming the victim of the next big breach. However, the many disparate security products deployed in most organizations make information sharing and integration difficult, if not impossible.

Lack of information sharing and integrations between security products leads to a time consuming and disjointed response to a security incident; an environment ripe for mistakes to be made.

Information sharing and security product integration and orchestration have always been at the core of the many values provided by DFLabs. By designing a solution that is OpenDXL compatible, DFLabs has provided joint DFLabs and McAfee customers with yet another way to streamline their security processes.

DFLabs IncMan SOAR and McAfee OpenDXL solve these specific challenges:
  • How can I share security information between my security products?
  • How can I quickly integrate my security products without the need for time-consuming custom integrations?

McAfee’s OpenDXL allows compatible security applications to seamlessly share security information without the need for complicated custom integrations. DFLabs IncMan OpenDXL implementation is now certified as McAfee compatible. All integrations between DFLabs IncMan platform and McAfee, including ePO, ATD and TIE, have been enhanced to include OpenDXL, significantly reducing the complexity gathering actionable enrichment information from these solutions.

OpenDXL lets developers join an adaptive system of interconnected services that communicate and share information to make real-time accurate security decisions. OpenDXL leverages the Data Exchange Layer (DXL), which many vendors and enterprises already utilize, and delivers a simple, open path for integrating security technologies regardless of vendor.

Together, this integration enables the ability to share information seamlessly between IncMan SOAR and McAfee products using OpenDXL, which leverages the power of OpenDXL for easy to use, feature rich integrations between products.

One of the most common and versatile use cases for OpenDXL within IncMan is integration with McAfee Threat Intelligence Exchange (TIE). McAfee TIE is a reputation broker which combines threat intelligence from imported global sources, such as McAfee Global Threat Intelligence (McAfee GTI) and third-party threat information (such as VirusTotal) with intelligence from local sources, including endpoints, gateways, and advanced analysis solutions. Using Data Exchange Layer (DXL), it instantly shares this collective intelligence across your security ecosystem, allowing security solutions to operate as one to enhance protection throughout the organization.

McAfee TIE makes it possible for administrators to easily tailor threat intelligence. Security administrators are empowered to assemble, override, augment, and tune the comprehensive intelligence information to customize protection for their environment and organization. This locally prioritized and tuned threat information provides instant response to any future encounters. Threat intelligence from McAfee TIE can be used to enrich indicators, such as file hashes, using IncMan’s R3 Rapid Response Runbooks to enable intelligent automated or manual decisions during the incident response process.

DFLabs IncMan also integrates with other McAfee tools. You can learn more about our integration with McAfee ATD and ePO in our previous blog posts.

Detect, Analyze and Respond to Advanced Malware with DFLabs SOAR Platform and McAfee ATD
Full Lifecycle Threat Management by Integrating DFLabs SOAR with McAfee ePO

DFLabs IncMan SOAR Platform Integrates with Recorded Future and Tufin

DFLabs is excited to announce two new technology partnerships with recognized industry leaders: Recorded Future and Tufin. Both Recorded Future and Tufin recently launched formal technology partnership programs and DFLabs is honored to be among the first technology partners to join. Each of these integrations adds significant value to the security programs of our joint customers, allowing them to more efficiently and effectively respond to computer security incidents and reduce risk across the organization.

Recorded Future Partnership

DFLabs’ new integration with Recorded Future allows joint customers to automate the retrieval of contextualized threat intelligence from Recorded Future, orchestrating these data enrichment actions into the overall incident response workflow. This enriched information can be used within the R3 Rapid Response Runbooks of IncMan SOAR to inform further automated decisions or can be reviewed by analysts as part of the response process.

DFLabs’ integration with Recorded Future includes five enrichment actions: Domain, File, IP and URL reputation queries, as well as a threat intelligence search action. Each of these enrichment actions will return all relevant intelligence on the queried entity, as well as a direct link to the Recorded Future Info Card.

DFLabs Incman SOAR recorded future partnership

Tufin Partnership

DFLabs’ new integration with Tufin allows joint customers to automate the retrieval of actionable network intelligence from Tufin’s rich sources of network data, providing further context surrounding the organization’s network, allowing for more informed automated and manual decisions. This network intelligence can be used within the R3 Rapid Response Runbooks of IncMan SOAR to make decisions based on numerous factors, such as network device information, simulated path information or network policy rules, or can also be reviewed by analysts as part of the response process.

DFLabs’ integration with Tufin includes five enrichment actions: Get Devices (get network device information based on the supplied parameters), Get Path and Get Path Image (simulate the path which would be taken based on source and destination IP and port information), Get Policies by Device (get network policies for the given device ID), Get Rule Count (get the number of rules which match the specified parameters), and Get Rules by Device (get network rules for the given device ID).

DFLabs IncMAn SOAR platform tufin partnership
See the DFLabs IncMan SOAR Platform Integrations in Action

Each of these new partnerships extends DFLabs automation and orchestration capabilities into new product spaces with some of the best solutions in their respective classes.

If you are attending the RSA Conference at the Moscone Center in San Francisco and would like to see DFLabs’ new integration with Tufin in action, I will be at the Tufin booth (#929) in the South Expo Hall on Wednesday, April 18th from 3:00 to 4:00 PM PST to provide a live demo and answer any questions.

Otherwise, for more information regarding our new Recorded Future and Tufin partnerships, please contact us to schedule a demo to see IncMan SOAR Platform in action here.

IncMan SOAR Platform Features – New and Improved

DFLabs is excited to announce the latest release of its industry-leading Security Orchestration, Automation and Response platform, IncMan version 4.3.  Solving customer’s problems and adding value to our customer’s security programs is one of our core goals here at DFLabs and this is reflected in our 4.3 release with over 100 enhancements, additions, and fixes; many suggested by customers, all designed to make the complex task of responding to potential security incidents faster, easier and more efficient.

IncMan 4.3 includes many new bidirectional integrations from a variety of product categories including threat intelligence, malware analysis, ticket management and endpoint protection, chosen to broaden the orchestration and automation capabilities of our customers.  These new bidirectional integrations include:

With IncMan 4.3, we have also greatly enhanced the flexibility of our R3 Rapid Response Runbooks with the addition of two new decision nodes; Filter and User Choice.  Filter nodes allow users to further filter and refine information returned by previously executed integrations; for example, filtering IT asset information to include only servers, focusing on key assets first.  Unlike automated Enrichment actions, automated Containment actions could have serious unintended impacts on the organization. User Choice nodes allow users to minimize this risk by allowing them to define critical junctions in the workflow at which a human must intervene and make a decision.  For example, human verification may be required before banning a hash value across the enterprise or quarantining a host pending further analysis.

incman soar platform

Improvements to our patent-pending Automated Responder Knowledge (DF-ARK) module allow IncMan to make even more intelligent decisions when suggesting response actions, and enhancements to IncMan’s correlation engine allow users a more advanced view of the threat landscape over time and across the organization.  IncMan’s report engine has been significantly bolstered, allowing users to create more flexible reports for a variety of purposes than ever before. Finally, numerous changes have been made to IncMan’s Dashboard and KPI features, allowing users to create more actionable KPIs and gather a complete picture of the organization’s current state of security at a moment’s glance.

These are just some of the highlights of our latest IncMan release; IncMan 4.3 includes many other enhancements designed to streamline your orchestration, automation and response process.  If you would like a demo of our latest release, please go to our demo request site. Stay tuned to our website for additional updates, feature highlights,  and demos of our latest release.