We released our Machine Learning Engine PRISM in our most recent 4.2 release. The first capability that we developed from PRISM is our Automated Responder Knowledge (ARK). This capability will change the way incident responders and SOC analysts respond to incidents, and how they share and transfer their entire knowledge to the rest of the team. The key to this capability is that it learns from your own analyst’s responses to historical incidents to guide the response to new ones.
We are not re-inventing the wheel with this feature. SOC and Incident Response teams have been doing this the old-fashioned way for a long time – through 6-12 months training. What we’re doing is providing a GPS and Satellite Navigation, guiding the wheel and giving you different paths to choose from according to the terrain you are in.
We do this by analyzing incidents and their associated attributes and observables, to work out how closely they are related. Then we can suggest actions and playbooks based on your organizations’ historical responses to similar threats and incidents.
Using Automated Responder Knowledge (ARK) in IncMan
Step 1: Not really a step – as it’s done automatically by Automated Responder Knowledge (ARK), but this occurs in the background for every incoming incident. Every Incident possesses a feature space1 that contains all the information related to it, composed of every attribute, associated observable and attached evidence. ARK analyses the feature spaces associated with every incident ever resolved. When a new incident is opened, it is scored and ranked and then compared by ARK to the historical model to identify related incidents or actions based on similar and shared attributes. The weighting of the ranking can be customized by analysts.
Step 2: Open the incident, selecting the applicable incident type. To save time, you can create an incident template to prepopulate some of the contexts automatically in future.
Step 3: Select Playbooks, and PRISM.
In the next screen, you will see a variety of suggested related actions and related incidents based on the feature space that your incident type is matched with. The slider at the top is used to determine the weighting in ranking for actions that are suggested. For example, if I move the slider to the left, the entire feature space actions appear, then if I move the slider to the far-right only a few actions appear from highly ranked incidents.
Step 4: Determine which automation and actions you want to use from the suggestions. After saving, you will be presented with options such as Auto-Commit, Auto-Run, Skip Enrichment, Containment, Notification or Custom Actions. You have the ability to select only the actions you want to automate. If you are concerned about running containment automatically, for example, you just deselect those options.
Step 5: The automated actions are executed, resolving the incident, based on prior machine-learning generated automated responder knowledge.
In this short blog series, I will be discussing and discussing IncMan management features to demonstrate some of the power user functions in our most recent IncMan 126.96.36.199 SP release. Today we will be focusing on how to use the queues feature in IncMan. This functionality has been designed for a SOC team that manages large volumes of incidents with a flexible assignment schedule. This is typically used by SOC’s with a large amount of alerts and incidents, Managed Service Solution Providers and Managed Detect and Response Providers.
- Let’s begin by navigating to “General Settings” which is found in the Settings section.
- Select the section titled “Queue Settings”. Add a new queue by clicking the “+” symbol. The queue will need an email address. This will be used to email the relevant group of users when this incident type is selected.
- Now create a queue name and add the required mailing list for this queue. Click save.
- Navigate to the incident view to start using this queue. Select the Tree Options in the top right of the incident list.
- You will see the new queue that we have created “My New Queue”, in this example. For this queue to become visible, please add it to the selected items list by clicking on “My New Queue”
- The new queue will now be available for usage. See below:
- When you create incidents or update your incident templates you will be able to select this new queue option, expand the queue to see the incidents assigned to it, or be able to click on the queue to show an overview of associated incidents.
In this blog series, I will be discussing DFLabs IncMan management features to highlight the really powerful capabilities that have become available to IncMan users as part of our latest 188.8.131.52 SP release:
Today we focus on the creation of user groups. This useful feature allows the creation of groups of related users, for example, Tier 1 analysts or IT Operations teams. The benefit of this is that a defined group can be assigned specific tasks. This could be for a variety of different reasons:
- To assign a task or incident that require a specific skill set
- To assign task or incident to a specific stakeholder group for review or further investigation.
- To notify specific stakeholders about an incident or investigation
- To escalate an incident to the next tier
The Group functionality can be leveraged in many features across IncMan. We will now step through the process of adding a User Group.
- Let’s create a group. You will need administrator privileges and the required group creation permission to do this. Once you have verified this is the case, please head to User Management -> Groups
- In this section, you can view or modify existing groups and create additional groups of your own. Click the ‘+’ symbol above the user list to create a new group.
- Enter the name that you want to use to identify the Group. It is generally a good practice to assign the associated user profiles and general profiles to the group. For this example, we only need the group name, so please complete that.
- You will now be able to see the newly created group. You will also be presented with a number of additional options. For instance, adding users or editing the existing group information.
- Next, lets add users to the group that we have just created. You can select the users you wish to add to the group from the user list. If you have a lot of users, you can use the filter to quickly search for users. Then save and continue.
- Now that we have created our group and added our users we can begin assigning tasks to this group. Let’s head to an incident and into a playbook to start using this.
- Within the incident playbook, we can assign tasks to individual users. As you scroll down now, you will also notice that a new option is available, with the group name that we created.
- Having created our user group, we can assign Ownership and Authorization to our group instead of to a single user.
A collaborative environment between IT and security groups is critical. The number of cyber security incidents currently impacting networks and customers is increasing exponentially and mitigating security incidents and risks is more complex than ever before. Timely and effective communication are keys to improved collaboration between all parties involved in the cyber incident response process. One of the simplest and most effective methods to improve communication between all relevant IT and security groups is to deploy a common, shared platform where stakeholders can review and analyze incidents across the entire cyber landscape. A cross-departmental platform enables them to focus on correlating cyber incidents and risks with contextual information relevant to their role and responsibilities plays a significant part in organizational success in this regard.
Incorporating knowledge transfer between disparate business entities often separated both geographically and functionally is essential to facilitate a better understanding of the current IT and security challenges. The preferred method to provide this collaborative environment is via electronic based communication mediums and devices. To tie all of these channels together, an organization should consider deploying a cyber incident response platform, and the platform must be able to integrate these technologies, be it SMS, email or other messaging medium, to cover the broadest range of communication channels to transmit critical information to stake holders.
Another successful strategy that focuses on effectively communicating timely, critical information to relevant stakeholders is via the creation of an incident notification group. IncMan supports the creation of groups of Watchers that are appraised of incidents and activities automatically via SMS, email or an integrated communications system. A Watcher group can ensure that information is properly communicated to the appropriate stakeholder(s). This provides differing stakeholders with the capability of monitoring incidents that may impact business continuity. Additionally, IncMan has integrated communications capabilities comply with industry best practices which recommend having a separate, secure and hardened communications channel if email or other internal communication channels are compromised. This independent messaging capability also provides additional benefits such as asymmetric encryption capabilities.
Leveraging a dedicated solution that can orchestrate the communications to stakeholders standardizes the process of cyber incident response and mitigation and is the key to ensuring a more effective response. If you would like more information or a free no obligation demonstration of how IncMan from DFLabs can more effectively automate and orchestrate your incidents please contact us at [email protected]
The DNA sequence for each human is 99.5% similar to any other human. Yet when it comes to incident response and the manner in which individual analysts may interpret the details of a given scenario, our near-total similarity seems to all but vanish. Where one analyst might characterize an incident as the result of a successful social engineering attack, another may instead identify it as a generic malware infection. Similarly, a service outage may be labeled as a denial of service by some, while others will choose to attribute the root cause to an improper procedure carried out by a systems administrator. Root cause and impact, or incident outcome, are just a couple of the many considerations that, unless properly accounted for in a case management process, will otherwise play havoc on a security team’s reporting metrics.
Poor Key Performance Indicators can blind decision makers
What is the impact of poor KPI’s? All too often the end result leads to equally poor strategic decisions. Money and effort may be assigned to the wrong measures, for example into more ineffective prevention controls instead of improved response capability. In a worst case scenario, poor KPI’s can blind decision makers to the most pertinent security issues of their enterprise, and the necessary funding for additional security may be withheld altogether.
Three best practices are required to address this all too common problem of attaining accurate reporting:
- A coherent incident management process is necessary in order to properly categorize incident activity. Its definitions must be clear, taking into account outliers, clarifying how root causes and impacts are to be tracked, and providing a workflow to assist analysts in accurately and consistently determining incident categorization.
- The process must be enforced to guarantee uniform results in support of coherent KPI’s. Training, quality assurance, and reinforcement are all necessary to ensure total stakeholder buy-in.
- Security teams must have the technologies to support effective incident response and proper categorization of incidents.
There are several ways that the IncMan platform supports the three best practices:
First, IncMan provides a platform to act as the foundation for an incident management program. It provides customizable incident forms allowing for complete tailoring to an organization and the details it must collect in support of its unique reporting requirements. Custom fields specific to distinct incident types allow for detailed data collection and categorization. These custom fields can be coupled with common attributes to track specific data, thereby providing a high level of flexibility for security teams in maintaining absolute reporting consistency across the team’s individual members.
Next, playbooks can be associated with specific incident types, providing step-by-step instructions for specialized incident response activities. Playbooks enforce consistency and can further reinforce reporting requirements. However, playbooks are not completely static, and while they certainly provide structure, IncMan’s playbooks also offer the ability to improvise, add, remove or substitute actions on the fly.
The platform’s Knowledge Base offers a repository for reference material to further supplement playbook instructions. Information collection requirements defined within playbook steps can be linked to Knowledge Base references, arming analysts with added information, for example with standard operating procedures pertaining to individual enterprise security tools, or checklists for applicable industry reporting requirements.
IncMan also includes Automated Responder Knowledge (ARK), a machine learning driven approach that learns from past incidents and the response to them, to suggest suitable playbooks for new or related incident types. This is not only useful for helping to identify specific campaigns and otherwise connected incident activity but can also highlight historical cases that can serve as examples for new or novice analysts.
Finally, the platform’s API and KPI export capabilities enable the extraction of raw incident data, allowing for data mining of valuable reporting information using external analytics tools. This information can then be used to paint a much clearer picture of an enterprise’s security posture and allow for fully-informed strategic decision-making.
Collectively, the IncMan features detailed above empower an organization with the means to support consistency in incident categorization, response, and reporting. For more information, please visit us at https://www.dflabs.com
I can remember sometime around late 2001 or early 2002, GREPing Snort logs for that needle in a haystack until I thought I was going to go blind. I further recall around the same time cheering the release of the Analysis Console for Intrusion Databases (ACID) tool which helped to organize the information into something that I could start using to correlate events by way of analysis of traffic patterns.
Skip ahead and the issues we faced while correlating data subtly changed from a one-off analysis to a lack of standardization for the alert formats that were available in the EDR marketplace. Each vendor was producing significant amounts of what was arguably critical information, but unfortunately all in their own proprietary format. This rendered log analysis and information tools constantly behind the 8-ball when trying to ingest all of these critical pieces of disparate event information.
We have since evolved to the point that log file information sharing can be easily facilitated through a number of industry standards, i.e., RFC 6872. Unfortunately, with the advent of the Internet of Things (IoT), we have also created new challenges that must be addressed in order to make the most effective use of data during event correlation. Specifically, how do we quickly correlate and review:
a. Large amounts of data;
b. Data delivered from a number of different resources (IoT);
c. Data which may be trickling in over an extended period of time and,
d. Data segments that, when evaluated separately, will not give insight into the “Big Picture”
How can we now ingest these large amounts of data from disparate devices and rapidly draw conclusions that allow us to make educated decisions during the incident response life cycle? I can envision success coming through the intersection of 4 coordinated activities, all facilitated through event automation:
1. Event filtering – This consists of discarding events that are deemed to be irrelevant by the event correlator. This is also important when we seek to avoid alarm fatigue due to a proliferation of nuisance alarms.
2. Event aggregation – This is a technique where a collection of many similar events (not necessarily identical) are combined into an aggregate that represents the underlying event data.
3. Event Masking – This consists of ignoring events pertaining to systems that are downstream of a failed system.
4. Root cause analysis – This is the last and quite possibly the most complex step of event correlation. Through root cause analysis, we can visualize data juxtapositions to identify similarities or matches between events to detect, determine whether some events can be explained by others, or identify causational factors between security events.
The results of these 4 event activities will promote the identification and correlation of similar cyber security incidents, events and epidemiologies.
According to psychology experts, up to 90% of information is transmitted to the human brain visually. Taking that into consideration, when we are seeking to construct an associational link between large amounts of data we, therefore, must be able to process the information utilizing a visual model. DFLabs IncMan™ provides a feature rich correlation engine that is able to extrapolate information from cyber incidents in order to present the analyst with a contextualized representation of current and historical cyber incident data.
As we can see from the correlation graph above, IncMan has helped simplify and speed up a comprehensive response to identifying the original infection point of entry into the network and then visual representing the network nodes that were subsequently affected, denoted by their associational links.
The ability to ingest large amounts of data and conduct associational link analysis and correlation, while critical, does not have to be overly complicated, provided of course that you have the right tools. If you’re interested in seeing additional capabilities available to simplify your cyber incident response processes, please contact us for a demo at [email protected]
DFLabs previews new cyber incident response playbook for Asian regulatory environment
Boston – November 7, 2016 – DFLabs, the global leader in cyber incident response automation and orchestration, announced today its Vice President of Engineering, Andrea Fumagalli, will present on “Standardizing Data Breach Response: State of the Art” at Data Privacy Asia 2016, to be held November 9-11 in Singapore at the One Farrer Hotel & Spa. DFLabs will also preview a new playbook dedicated to breach notification, response and compliance activities specific to the Asian regulatory environment.
One of the largest data sets on the market, the IncMan RP playbook is a unique new module of the company’s cyber incident response automation and orchestration platform, IncMan. The playbook is based on U.S. and EU regulations and industry standards and gives customers immediate access to a large number of pre-built incident and data breach response actions to follow. Providing the most playbooks available today to handle the entire breach response process – from technical to operational and legal – it is divided into state/federal, industry sector and type of incident/breach segments and works with both human and machine based processes.
“Active data breach and privacy regulations are making incident response platforms mandatory and our commercial and government customers in Singapore and Asia are working very hard to establish the right framework for cyber incident and breach response. As the first mover in fast growing categories of Security Operations, Analytics and Reporting (SOAR) and Security Incident Response Platforms (SIRP), we are happy and proud to participate in this important event, educate on global standards and best practices, and serve customers with our unique new playbooks,” said Dario Forte, Founder and CEO of DFLabs.
In his Data Privacy Asia 2016 session on Wednesday, November 9th from 4:00pm- 4:30pm, Fumagalli will cover the recent progress made by ISO (International Organization for Standardization) in the field of Incident and Data Breach Response. In the past 36 months 5 standards have been published, with the purpose of providing practitioners and evaluator a series of tools – based upon consensus – able to support Cyber Security Operations and Breach Response. As one of the most recognized experts in ISO standards, he will give an overview on the entire spectrum, along with some insights on how to implement them within any size of the organization, including an overview of the available technologies to automate and orchestrate incident management and response.
“These developments further our vision of Supervised Active Intelligence® to combine automation, orchestration, and response in one powerful platform, giving cyber operations and incident response teams the ability to react faster globally while maintaining the critical element of human control,” added Forte.
DFLabs is a recognized global leader in cyber incident response automation and orchestration. The company is led by a management team recognized for its experience in and contributions to the information security field including co-edited many industry standards such as ISO 27043 and ISO 30121. IncMan – Cyber Incidents Under Control – is the flagship product, adopted by Fortune 500 and Global 2000 organizations worldwide. DFLabs has operations in Europe, North America, Middle East, and Asia with US headquarters in Boston, MA and World headquarters in Milano, Italy. For more information visit: DFLabs or connect with us on Twitter @DFLabs.
Leslie Kesselring, Kesselring Communications