National Cybersecurity Awareness Month – Understanding the Benefits of Implementing SOAR Technology

About National Cybersecurity Awareness Month (NCSAM)

Every year since 2004, October has been recognized and celebrated as National Cybersecurity Awareness Month (NCSAM). NCSAM was created in a united effort between the Department of Homeland Security and the National Cyber Security Alliance to raise awareness of a variety of cybersecurity issues. NCSAM has grown exponentially over the years, reaching consumers, small and medium-sized businesses, corporations, government entities, the military, educational institutions, and young people nationally and internationally. NCSAM was designed with one goal: to engage and educate the public as well as private sector partners through a series of events and initiatives, raising awareness about cybersecurity in order to increase the resiliency of the nation in the event of cyber incidents. This unified effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come.

What’s New in 2018

This year, National Cybersecurity Awareness Month (NCSAM) focuses on internet security as a shared responsibility among consumers, businesses and the cyber workforce. NCSAM 2018 aims to “shine a spotlight on the critical need to build a strong, cyber-secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected.” The month is divided into four week-long topics:

Week 1 (Oct. 1–5): Make Your Home a Haven for Online Safety
Week 2 (Oct. 8–12): Millions of Rewarding Jobs — Educating for a Career in Cybersecurity
Week 3 (Oct. 15–19): It’s Everyone’s Job to Ensure Online Safety at Work
Week 4 (Oct. 22–26): Safeguarding the Nation’s Critical Infrastructure

Staying Safe Online

This month, organizations should make it a priority to build on their existing cybersecurity knowledge and practices, and to better understand the current cyber threats impacting their industry. With the spotlight on security, NCSAM is a great time to review current cybersecurity strategies and map out strategic actions that could be undertaken to secure the organization’s infrastructure as much as possible.

Even though preventing every single attack is an impossible mission, all stakeholders within any organization, regardless of their position, capability or involvement in cybersecurity, should aim to increase their security knowledge, as a single phishing attack could have devastating consequences. Working towards increasing levels of awareness and training, strengthening partnerships and defenses, exchanging valuable information, and advancing technology will help organizations to protect their brands and valuable assets.

With that being said, we know from experience that today cyber attacks are inevitable, and regardless of the vast number of preventative measures we take to protect ourselves, our businesses and our infrastructure are still at risk. We can never be 100% certain that they are fully secure. Therefore it is key that organizations also have an appropriate and in-depth incident response plan in place in order to be able to respond efficiently and effectively to any type of incident that should unfortunately occur.

How SOAR Technology Helps To Improve Incident Response

Effective cyber defense demands a team effort where employees, end users, and enterprises recognize their shared role in reducing cybersecurity risks. As the ever-evolving cybersecurity landscape poses new challenges, companies are pushed even harder to combat a growing number of increasingly sophisticated cyber attacks. Organizations across all sectors and industries are potential targets. Security operations teams need to be prepared to respond to existing as well as new types of cyber threats in order to fully defend and protect their company assets.

As prevention is becoming increasingly difficult for security teams, some organizations also tend to have a weakness when it comes to incident response and the processes and workflows that should be implemented in order to minimize the impact. Companies fail at incident response for a number of reasons, including but not limited to inadequate resources, lack of skilled analysts, failure to manage phases, task overload and more.

Adopting a complete and comprehensive Security Orchestration, Automation and Response (SOAR) solution can go a long way towards preventing and mitigating the consequences of cyber incidents. The deployment of a SOAR solution can help alleviate a number of current security operations challenges (including the growing number of alerts, increased workloads and repetitive tasks, current talent shortage and competition for skilled analysts, lack of knowledge transfer and budget constraints), while improving the overall organization’s security posture by eliminating the most-common scenarios of resource-constrained security teams struggling to identify critical cyber incidents.

Some of the key benefits of using a Security Orchestration, Automation and Response (SOAR) solution are outlined below.

Top 10 Benefits of Adopting a SOAR Solution
  • Acts as a force multiplier for security teams
  • Automates manual repetitive processes to avoid alert fatigue
  • Responds to all security alerts eliminating false positives
  • Decreases the time to detect, remediate and resolve incidents
  • Simplifies incident response and investigation processes
  • Integrates with existing security operations tools and technologies
  • Improves the overall efficiency and effectiveness of existing security programs
  • Reduces operational costs and improves ROI
  • Minimizes the risk and damage resulting from incidents
  • Meets legal and regulatory compliance (e.g. NIST and GDPR) including incident reporting and breach notification

Security Orchestration, Automation and Response With DFLabs IncMan SOAR Platform

DFLabs’ IncMan SOAR platform provides a complete and comprehensive solution to streamline the full incident response lifecycle. IncMan SOAR is designed for SOCs, CSIRTs and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks, all from within one single, intuitive platform. IncMan SOAR is easy to implement and use, allowing you to leverage the capabilities of your existing security infrastructure and assets.

Take this October’s national cybersecurity awareness month seriously and do your part in learning something new which could help your organization to better protect itself. Contact us today to organize a bespoke demonstration and to discuss your individual requirements.

CISO Challenges and the Best Way to Manage Them

Faced with a growing threat landscape, a shortage of skilled cyber security professionals, and non-technical employees who lack awareness of cyber security best practices, to name a few, CISOs are continuously confronted with a number of existing and new challenges. To mitigate some of these challenges by eliminating security threats and minimizing security gaps, they must make some critical strategic decisions within their organizations.

Even though we are only at the beginning of April, 2018 is already proving to be a year of increasing cyber incidents, with security threats spanning a range of industry sectors and impacting the private and public sectors alike. We have seen many data breaches, including Uber, Facebook and Experian, that have made it clear that no organization, not even the corporate giants, is safe from these cyber threats and attacks. We are now also seeing newly evolving threats affecting the latest popular smart devices, including products such as Alexa and Google Home. New technology that is not fully tested, or security vulnerabilities from IoT devices being brought into the workplace, now bring additional concerns for CISOs and their security teams as they try to proactively defend and protect their corporate networks.

This problem seems quite simple to identify in that corporate policies are not being updated fast enough to keep up with dynamic changes and advancements in technology, as well as to cope with the increasing sophistication of advancing threats, but managing this problem is seemingly more difficult. This generates an additional set of challenges for CISOs to enforce policies that still need to be written, while conquering internal corporate bureaucracy to get them created, modified or updated. This is just one challenge. Let’s now discuss a few more and some suggested actions to manage them.

How CISOs Can Overcome Their Challenges

CISOs in international corporations need to focus on global compliance and regulations to abide by a range of privacy laws, including the upcoming European Union General Data Protection Regulation (GDPR). This new regulation, due to come into force on May 25th, 2018, has set the stage for protection of consumer data privacy, and in time we expect to see other regulations closely follow suit. International companies that hold EU personally identifiable information inside or outside of the EU will need to abide by the regulation and establish a formalized incident response procedure, implement an internal breach notification process, communicate the personal data breach to the data subject without delay, and notify the Supervisory Authority within 72 hours, regardless of where the breach occurred. Organizations need to report all breaches and inform their affected customers, or face fines of up to 20 million Euros or four percent of annual turnover (whichever is higher). A new law called the Data Security and Breach Notification Act is also presently being worked on by the U.S. Senate to promote this protection for affected customers. This new legislation will impose up to a five year prison sentence on any individual that conceals a new data breach without notifying the customers that have been impacted.

So how can CISOs proactively stay ahead of the growing number of cyber security threats, notify affected customers as soon as possible and respond within 72 hours of a breach? The key is to carry out security risk assessments, implement the necessary procedures, and utilize tools that can help facilitate Security Orchestration, Automation and Response (SOAR), such as the IncMan SOAR platform from DFLabs. IncMan has capabilities to automate and prioritize incident response and related enrichment and containment tasks, distribute appropriate notifications and implement an incident response plan in case of a potential data breach. IncMan handles different stages of the incident response and breach notification process, including providing advanced reporting capabilities with appropriate metrics and the ability to gather or share intelligence with 3rd parties. This timely collection of enriched threat intelligence helps expedite incident response and contributes to better management of the corporate landscape.

The Need to Harden New Technology Policies

Endpoint protection has also become a heightened concern for security departments in recent months, with an increasing number of organizations facing multiple ransomware and zero-day attacks. New technologies used by employees within the organization that are not covered by corporate policies, such as Bring Your Own Device (BYOD) and the Internet of Things (IoT), have brought new challenges to the CISO’s threat landscape. One example, as we mentioned earlier, is gadgets such as Alexa or Google Home, which users bring into the office and connect to the corporate Wi-Fi or network without prior approval. Once connected to the network, they can immediately introduce vulnerabilities and access gaps in the security perimeter that can be easily exploited by attackers.

Devices that are not managed under corporate policies need to be restricted to a guest network from which vulnerabilities in the corporate network cannot be exploited, and should not be allowed to use Wi-Fi Protected Access (WPA). CISOs need to ensure that stricter corporate policies are implemented to restrict and manage new technologies, as well as utilizing tools such as an Endpoint Protection Product (EPP) or Next-Generation Antivirus (NGAV) solution to help prevent malware from executing when found on a user machine. NGAV tools can learn the behaviors of the endpoint devices and query a signature database of vaccines for exploits and other malware in real time to help expedite containment and remediation and minimize threats.

Maximizing Resources With Technology as a Solution

With the significant increase in the number of and advancing sophistication of potential cyber security threats and security alerts, combined with a shortage of cyber security staff with the required skill set and knowledge, CISOs are under even more pressure to protect their organizations and ask themselves questions such as: How do I effectively investigate incidents coming in from so many data points? How can I quickly prioritize incidents that present the greatest threat to my organization? How can I reduce the amount of time necessary to resolve an incident and give staff more time hunting emerging threats?

They will need to assess their current organization security landscape and available resources, while assessing their skill level and maturity.  Based on the company size it may even make business sense to outsource some aspects, for example by hiring a Managed Security Service Provider (MSSP) to manage alert monitoring, threat detection and incident response. CISOs should also evaluate the range of tools available to them and make the decision whether they can benefit from utilizing Security Orchestration, Automation and Response (SOAR) technology to increase their security program efficiency and effectiveness within their current structure.

Security Infrastructure and Employee Training Are Paramount

In summary, CISOs will be faced with more advanced challenges and increasing threats, and these are only set to continue over the coming months. They should ensure that their security infrastructures follow sufficient frameworks such as NIST, ISO, SANS and PCI DSS, as well as best practices for application security, cloud computing and encryption.

They should prepare to resource their security teams with adequate technology and tools to respond to threats and alerts and to minimize the impact as much as feasibly possible, with set policies and procedures in place. To enforce security best practices across all departments of the company, it is important that security decisions are fully understood and supported by the leadership team as well as human resources, with a range of corporate policies to meet the challenges of ever changing technologies.

CISOs need to promote security best practices, corporate policies, and industry laws, regulations and compliance requirements by educating and training relevant stakeholders, starting with employees. The use of workshops, seminars, websites, banners, posters and training in all areas of the company will heighten people’s awareness of threats and exploits, increasing their knowledge while also teaching them the best way to respond or to raise the alarm if there is a potential threat. The initial investment in education and training may be a burden on time and resources, but in the long run it will prove beneficial and could potentially prevent the company from experiencing a serious threat or a penalty for non-compliance.

Completing a full analysis of current resources, skill sets and security tools and platforms will all play a part when deciding whether in-house or outsourced security operations is the best approach, but the benefits of using SOAR technology to leverage existing security products to dramatically reduce the response and remediation gap caused by limited resources and the increasing volume of threats and incidents, as well as to assist with important breach notification requirements, should not be overlooked.

IncMan SOAR Platform Features – New and Improved

DFLabs is excited to announce the latest release of its industry-leading Security Orchestration, Automation and Response platform, IncMan version 4.3. Solving customers’ problems and adding value to our customers’ security programs is one of our core goals here at DFLabs, and this is reflected in our 4.3 release with over 100 enhancements, additions, and fixes, many suggested by customers, all designed to make the complex task of responding to potential security incidents faster, easier and more efficient.

IncMan 4.3 includes many new bidirectional integrations from a variety of product categories including threat intelligence, malware analysis, ticket management and endpoint protection, chosen to broaden the orchestration and automation capabilities of our customers.  These new bidirectional integrations include:

With IncMan 4.3, we have also greatly enhanced the flexibility of our R3 Rapid Response Runbooks with the addition of two new decision nodes: Filter and User Choice. Filter nodes allow users to further filter and refine information returned by previously executed integrations; for example, filtering IT asset information to include only servers, so that key assets are focused on first. Unlike automated Enrichment actions, automated Containment actions could have serious unintended impacts on the organization. User Choice nodes allow users to minimize this risk by defining critical junctions in the workflow at which a human must intervene and make a decision. For example, human verification may be required before banning a hash value across the enterprise or quarantining a host pending further analysis.


Improvements to our patent-pending Automated Responder Knowledge (DF-ARK) module allow IncMan to make even more intelligent decisions when suggesting response actions, and enhancements to IncMan’s correlation engine allow users a more advanced view of the threat landscape over time and across the organization.  IncMan’s report engine has been significantly bolstered, allowing users to create more flexible reports for a variety of purposes than ever before. Finally, numerous changes have been made to IncMan’s Dashboard and KPI features, allowing users to create more actionable KPIs and gather a complete picture of the organization’s current state of security at a moment’s glance.

These are just some of the highlights of our latest IncMan release; IncMan 4.3 includes many other enhancements designed to streamline your orchestration, automation and response process.  If you would like a demo of our latest release, please go to our demo request site. Stay tuned to our website for additional updates, feature highlights,  and demos of our latest release.

How DFLabs IncMan Tackles Meltdown and Spectre Vulnerabilities

Following on from my recent blog post entitled “Meltdown and Spectre – What They Mean to the Enterprise” published in January, I wanted to take a closer look at how these types of hardware vulnerabilities could (and should) easily be detected, managed and mitigated using Security Orchestration, Automation and Response (SOAR) technology, for example with a platform such as IncMan from DFLabs.

Using Meltdown and Spectre as a use case, I wanted to walk through the automated processes an organization can undertake. There are many pros and cons to using automation, but if used in the correct way it can significantly improve Security Operations Center (SOC) efficiency, saving security analysts many hours of mundane tasks. Alerts can also potentially be responded to and contained before an analyst has even been notified. Using IncMan’s integrations and R3 Rapid Response Runbooks, SOCs can quickly respond to such an alert when a vulnerability is detected. The overall goals, in order to reduce the risk these vulnerabilities present to the organization, would be as follows.

1) Automatically receive alerts for hosts which have been identified as being vulnerable to Meltdown or Spectre.

2) Create an Incident and perform automated Notification, Enrichment and Containment tasks.

Implementation

Let’s move on to the implementation stages. Where should you start? For ease I will break it down into 3 simple sections: creating a runbook, utilizing the runbook and seeing the runbook in action. So, let’s begin…

Creating an R3 Rapid Response Runbook

The first step in reducing the risk from the Meltdown and Spectre vulnerabilities is to create a runbook to handle alerts for newly detected vulnerable hosts.  In this use case, we will use integrations with Jira, McAfee ePO, McAfee Web Gateway, MSSQL Server and QRadar to perform Notification, Enrichment and Containment actions; however, this can easily be adapted to include any other technology integrations as well.


Using a Jira Notification action, a new Jira issue is created. This Notification action should notify the IT or Infrastructure teams and initiate the organization’s normal vulnerability management process.

Next, an MSSQL Server Enrichment action is used to query an IT asset inventory for the host name of the vulnerable host, which is passed to the runbook automatically when the incident is created.  This asset information is then available to the analyst for further review.

Once the IT asset information is retrieved, a decision point is reached.  If the IT asset information indicates that the host is a server, one path (the top path) is taken.  If the IT asset information indicates that the host is not a server, another path (the bottom path) is taken.

If the asset is determined to be a server the Jira Enrichment action is used to update the Jira issue, informing the appropriate parties that the host has been determined to be a server and should be treated as a higher priority.  Next, two McAfee ePO Enrichment actions are performed.  The first Enrichment action queries McAfee ePO for the system information of the given host name, providing the analyst with additional information.  The second Enrichment action uses McAfee ePO to tag the host with the appropriate tag.  Finally, a Task is added to IncMan reminding the analyst to follow up with the appropriate teams to ensure that the vulnerability has been appropriately mitigated.

If the asset is determined not to be a server, the two previously mentioned McAfee ePO Enrichment actions (System Info and TAG) are run immediately. Following these two Enrichment actions, a McAfee Web Gateway Containment action is used to block the host from communicating outside of the network. This Containment step is completely optional but is performed here on non-servers only, to minimize the Containment action’s potential impact on critical systems.
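The branching runbook described above, and the Filter node mentioned for the 4.3 release, as an added executable model (not IncMan code, nor a DFLabs integration): each integration is replaced by a stub that records what it was asked to do, so the decision logic can be run and inspected offline. Hostnames, IPs, the inventory records and the ePO tag name are constructed, and the handling of a host with no inventory record is an assumption added here, since the post does not cover that case.

```python
"""Offline model of the Meltdown/Spectre R3 runbook branching logic (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed IT asset inventory, standing in for the MSSQL Server enrichment query.
ASSET_INVENTORY: List[Dict[str, str]] = [
    {"host": "db-prod-01", "ip": "10.0.5.21", "type": "server", "owner": "dba-team"},
    {"host": "wks-finance-17", "ip": "10.0.9.17", "type": "workstation", "owner": "finance"},
]

EPO_TAG = "VULN-MELTDOWN-SPECTRE"  # constructed tag name for the ePO TAG action


@dataclass
class Incident:
    """Incident created from the alert; static fields come from the Incident Template."""
    host: str
    ip: str
    incident_type: str = "Vulnerability"
    summary: str = "Host vulnerable to Meltdown/Spectre"
    asset: Optional[Dict[str, str]] = None
    actions: List[str] = field(default_factory=list)  # ordered audit trail of actions run
    tasks: List[str] = field(default_factory=list)    # follow-up tasks left for the analyst


# Integration stubs: each appends to the audit trail instead of calling a product API.
def jira_create(inc: Incident) -> None:                 # Notification action
    inc.actions.append(f"jira.create_issue({inc.host})")


def jira_update(inc: Incident, note: str) -> None:      # Enrichment action on the open issue
    inc.actions.append(f"jira.update_issue({inc.host}: {note})")


def mssql_lookup(inc: Incident) -> Optional[Dict[str, str]]:  # Enrichment action
    inc.actions.append(f"mssql.query_asset({inc.host})")
    return next((a for a in ASSET_INVENTORY if a["host"] == inc.host), None)


def epo_system_info(inc: Incident) -> None:             # Enrichment action
    inc.actions.append(f"epo.system_info({inc.host})")


def epo_tag(inc: Incident) -> None:                     # Enrichment action
    inc.actions.append(f"epo.tag({inc.host}, {EPO_TAG})")


def web_gateway_block(inc: Incident) -> None:           # Containment action
    inc.actions.append(f"webgateway.block_outbound({inc.ip})")


def is_server(asset: Optional[Dict[str, str]]) -> Optional[bool]:
    """Decision node. None means no inventory record, so no automatic path is chosen."""
    if asset is None:
        return None
    return asset.get("type", "").lower() == "server"


def filter_servers(assets: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter node: keep only server records so key assets are handled first."""
    return [a for a in assets if a.get("type", "").lower() == "server"]


def run_meltdown_spectre_runbook(host: str, ip: str) -> Incident:
    """Execute the runbook for one vulnerable host and return the resulting incident."""
    inc = Incident(host=host, ip=ip)
    jira_create(inc)                # 1. notify IT / Infrastructure
    inc.asset = mssql_lookup(inc)   # 2. enrich with asset inventory data
    server = is_server(inc.asset)   # 3. decision point
    if server is None:
        # Assumption: an unknown host takes neither path; containment is never run blind.
        inc.tasks.append(f"No asset record for {host}; classify host and choose path")
        return inc
    if server:
        # Top path: raise priority, enrich, and leave a human follow-up; no containment.
        jira_update(inc, "host is a server; treat as higher priority")
        epo_system_info(inc)
        epo_tag(inc)
        inc.tasks.append(f"Confirm Meltdown/Spectre mitigation applied on server {host}")
    else:
        # Bottom path: enrich, then contain automatically (non-servers only).
        epo_system_info(inc)
        epo_tag(inc)
        web_gateway_block(inc)
    return inc


if __name__ == "__main__":
    for record in ASSET_INVENTORY + [{"host": "unknown-host", "ip": "10.0.0.1"}]:
        result = run_meltdown_spectre_runbook(record["host"], record["ip"])
        print(record["host"], result.actions, result.tasks)
```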

Utilizing the R3 Rapid Response Runbook

Once the new runbook is created, IncMan must be told how and when to automate the use of this runbook. This is achieved by creating an Incident Template, which will be used any time an incident is generated for a Meltdown or Spectre vulnerability. Through this incident template, critical pieces of information such as Type, Summary and Category can be automatically applied to the newly created incident.


From the Runbook tab of the Incident Template wizard, the previously created Meltdown and Spectre runbook is selected and set to autorun.  Each time this template is used to generate an incident, the appropriate information such as host name and host IP address will be used as inputs to the runbook and the runbook will be automatically executed.


In this use case, alerts from QRadar are utilized to initiate automatic incident creation within IncMan.  However, another SIEM integration, syslog or email could also be utilized to achieve the same outcome.  A new QRadar Incoming Event Automation rule is added and the defined action is to generate a new incident from the previously created Meltdown and Spectre Incident Template.


Solution in Action

When a QRadar Alert is generated matching the criteria defined for a Meltdown or Spectre vulnerability detection, IncMan will automatically generate a new incident based on the Meltdown and Spectre Incident Template.


Without requiring any action on the part of an analyst, the Meltdown and Spectre runbook is automatically initiated, performing the defined Notification, Enrichment and Containment actions. (In the example shown here, the ‘server’ path is taken.)


Conclusion

How easy was that?  The entire process has taken place in a matter of minutes, likely before anyone has even had time to acknowledge the alert.  As an analyst begins to manually examine the alert, many of the mundane tasks have already been completed, allowing the analyst to focus on the tasks which require human intervention and reducing the time required to remediate this issue, ultimately reducing risk to the organization.

IncMan has over 100 customizable playbooks for use cases like this one. If you would like to see IncMan in action, please feel free to request a demo.

100-Day Countdown to GDPR

For many of us around the world February 14th marks St. Valentine’s Day, but for those of us in Europe, this date also marks the beginning of the 100-day countdown to the upcoming enforcement of the General Data Protection Regulation (GDPR).

As most of us are already aware the EU GDPR was adopted in April 2016 and is due to be formally imposed on May 25th, 2018. In a nutshell for those who are not quite so GDPR savvy, the GDPR emphasizes transparency, security, and accountability by data controllers and introduced mandatory Data Protection Impact Assessments (DPIAs) for those organizations involved in high-risk processing. For example, where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals or where there is large-scale monitoring of a publicly accessible area.

Breach Notification Requirements

A DPIA is the process of systematically considering the potential impact of processing, allowing organizations to identify potential privacy issues before they arise and come up with a way to mitigate them. In addition, and a highly important aspect for Security Operation Centers (SOCs) and Computer Security Incident Response Teams (CSIRTs) to be fully aware of and responsive to, data processors must implement an internal breach notification process and inform the supervisory authority of a breach within 72 hours. They must also communicate the breach to affected data subjects without undue delay, or consequently face a penalty of up to EUR 20,000.00 or 4% of worldwide annual turnover for the preceding financial year, whichever is greater.

Incident Response Processes and Best Practices

As the number of breaches has risen and cyber attacks have become more sophisticated, authorities have recognized a need for increased data protection regulation. The number of simultaneous processes required in a typical forensic or incident response scenario has also grown. Processes need to cover a broad spectrum of technologies and use cases, must be standardized, and must perform clearly defined, fully documented actions based upon regulatory requirements, international standards and established best practices.

Additionally, context enrichment and threat analysis capabilities must be integrated to facilitate and automate data breach reporting and notification within the timeframe specified by GDPR. Lastly, customized playbooks must be created to permit rapid response to specific incident types, aid in prioritizing tasks, assignment to individual stakeholders, and to formalize, enforce and measure specific workflows.

Incident Response Management with DFLabs IncMan

Having a platform in place to formalize and support these requirements is crucial. DFLabs IncMan provides all the necessary capabilities to facilitate this. Not only do organizations need an Incident Response plan, they must also have a repeatable and scalable process, as this is one of the steps towards compliance with the GDPR’s accountability principle, requiring that organizations demonstrate the ways in which they comply with data protection principles when transacting business. They must also be able to ensure that they will meet the 72-hour breach notification requirement or face a stiff penalty.

Find out how IncMan can help you become GDPR compliant

Organizations must establish a framework for accountability, as well as a culture of monitoring, reviewing and assessing their data processing procedures to detect, report and investigate any personal data breach. IncMan implements granular and use-case specific incident response procedures with data segregation and critical security control requirements. To enable Incident Response and breach notification in complex organizations and working across different regions, IncMan can be deployed as a multi-tenant solution with granular role-based access.

Cutting Response Time and Accelerating Incident Containment

Automated responses can be executed to save invaluable time and resources and reduce the window from discovery to containment for an incident. Organizations can easily prepare advanced reports from an automatically collected incident and forensic data, and distribute notifications based on granular rules to report a breach and notify affected customers when required to comply with GDPR and avoid a financial penalty.

Finally, the ability to gather intelligence from various sources and share it with 3rd parties in anonymized form protects the data without inhibiting the investigation. IncMan contains a Knowledge Base module to document playbooks, threat assessments, situational awareness and best practices, which can be shared and transferred across the organization.

IncMan and Fulfilling GDPR Requirements

In summary, DFLabs IncMan Security Automation and Orchestration platform fulfills the requirements of GDPR by providing capabilities to automate and prioritize Incident Response through a range of advanced playbooks and runbooks, with related enrichment, containment, and threat analysis tasks. It distributes appropriate notifications and implements an Incident Response plan (IRP) in case of a potential data breach, with formalized, repeatable and enforceable incident response workflows.

IncMan handles different stages of the Incident Response and Breach Notification Process, providing advanced intelligence reporting with appropriate metrics, with the ability to gather or share intelligence with 3rd parties as required.

So, this Valentine’s Day, we hope that you are enjoying a romantic dinner for two, knowing that your SOC and CSIRT, as well as the wider organization, has the necessary incident response and incident management best practices implemented to sufficiently meet the upcoming GDPR requirements in 100 days’ time. If not, speak to one of our representatives to find out more.

IncMan’s GSN Awards Highlighting the Importance of Intelligence-Driven Security Monitoring, Automation and Orchestration

The cyber security industry today offers a wide variety of solutions aiming to mitigate attacks that are becoming more common and more sophisticated, making it increasingly difficult to detect, manage and respond to breaches as effectively and as efficiently as possible. But, the fact alone that there is no shortage of potential solutions out there to choose from, doesn’t make the challenge of having to deal with the overwhelmingly frequent and complex attacks less grueling. In fact, it can make the task that much more daunting, with the vast pool of tools and platforms available making it difficult for CISOs to decide which solutions to adopt, considering that there is rarely one that addresses all the different security elements required, as well as the specific organizational needs, such as affordability and ease of implementation and management.

With that in mind, a solution capable of covering as many angles of the cybersecurity spectrum as possible would serve organizations that face data breaches on a regular basis well. It is exactly this ability to cover multiple aspects of an organization’s cybersecurity defense that makes DFLabs’ IncMan stand out from the crowd, and it is one of the factors that helped it achieve two highly coveted awards at the latest edition of the prestigious GSN Homeland Security Awards.

Holistic Approach to Incident Management and Response

The two platinum awards received by DFLabs were in the Best Continuous Monitoring & Mitigation, and Best Cyber Operational Risk Intelligence Solution categories, respectively. This highlights IncMan’s versatility and ability to save valuable time when responding to an incident and when helping to detect and prevent future attacks.

Computer Security Incident Response Teams (CSIRTs) can benefit immensely from features such as automated collection of threat intelligence, triage, threat containment, as well as processes that help make threat hunting and investigation more efficient. With these types of functionalities, platforms like IncMan help cut incident resolution times drastically and improve the effectiveness of CSIRTs, significantly increasing their incident handling capacity.

Intelligence-Driven Actions

The above capabilities that IncMan boasts are in large part a result of the law enforcement and intelligence background of the people who were involved in creating the platform. These experiences have allowed them to better understand the challenges security teams face when trying to resolve an incident, and to address their needs in dealing with a continuously increasing number of alerts, underlining the necessity of automating certain tasks and adopting an orchestrated approach to incident response. As the nature of cyber security attacks continues to evolve over time, so do the sophistication and capabilities of the platform, to ensure organizations always remain one step ahead.

3 Ways to Create Cyber Incidents in DFLabs IncMan

At the heart of incident response, and by extension of Security Automation and Orchestration technologies, resides the Cyber Incident. A typical definition of a cyber security incident is “Any malicious act or suspicious event that compromises or attempts to compromise, or disrupts or tries to disrupt, a critical cyber asset”. Almost everything we do in a SOC or a CSIRT is based on incidents, and there are a variety of potential incident sources, for example:

  1. Alerts from cyber security detection technologies such as Endpoint Detection & Response or User Entity Behavior Analytics tools
  2. Alerts from Security Information & Event Management Systems (SIEM)
  3. Emails from ITSM or case management systems
  4. Website submissions from internal stakeholders and whistle-blowers
  5. Phone calls from internal users and external 3rd parties

This diversity of incident sources means that a solid SAO solution must offer a variety of different methods to create incidents. Regulatory frameworks also frequently mandate being able to originate incidents from different sources. DFLabs IncMan offers a rich set of incident creation options.

There are three primary ways to create incidents in IncMan, offering flexibility to accommodate a variety of incident response process requirements and approaches.

Option 1: Automated Incident Creation

We will feature automated incident creation in more detail in a future post. In the meantime, I will show you where this feature is located.

Select the Settings menu, then go to External Sources:

You will see that under the external sources option there are 3 options available to use as sources to automate incident creation:

  1. Incoming events automation, for CEF/Syslog
  2. Incoming Mail automation, for a monitored email account
  3. Integrations, for all QIC integration components.

Automated incident creation supports a variety of filters, enabling a rules-based approach. In addition, it is also possible to create incidents using our SOAP API. Certified 3rd party applications, for example Splunk, use this mechanism to create incidents within IncMan.
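As an added example (not IncMan’s own code; the product’s filter syntax is not shown on this page), the following Python sketch shows what rules-based automation of CEF events into incidents looks like: it parses constructed CEF lines, applies hypothetical filter rules, and emits incident records carrying a priority and the observables that later enrichment or containment playbooks would use.

```python
import re

# Constructed CEF lines for the demo (not output of any real product).
SAMPLE_CEF = [
    "CEF:0|ExampleEDR|Agent|2.0|1001|Credential dumping attempt|9|src=10.0.0.5 dst=10.0.0.9 suser=jdoe",
    "CEF:0|ExampleEDR|Agent|2.0|2002|USB device inserted|2|src=10.0.0.7 suser=asmith",
    "CEF:0|ExampleUEBA|Analytics|1.4|3003|Impossible travel login|6|suser=jdoe src=203.0.113.10",
]

# CEF allows the severity to be a 0-10 number or one of these words.
SEVERITY_WORDS = {"Low": 2, "Medium": 5, "High": 8, "Very-High": 10}

def parse_cef(line):
    """Split a CEF record into its header fields and an extension dict.
    Simplification: extension values are assumed to contain no spaces."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.split("|", 7)  # 7 header pipes; the extension may contain more
    if len(parts) < 8:
        raise ValueError("malformed CEF header")
    sev = parts[6]
    return {
        "device_vendor": parts[1], "device_product": parts[2],
        "signature_id": parts[4], "name": parts[5],
        "severity": int(sev) if sev.isdigit() else SEVERITY_WORDS.get(sev, 0),
        "ext": dict(re.findall(r"(\w+)=(\S+)", parts[7])),
    }

# Hypothetical filter rules: a predicate on the parsed event and the incident
# priority to assign when it matches. Events matching no rule create nothing.
RULES = [
    (lambda e: e["severity"] >= 8, "Critical"),
    (lambda e: e["device_product"] == "Analytics" and e["severity"] >= 5, "High"),
]

def events_to_incidents(lines, rules=RULES):
    """Apply the rules to each event; the first matching rule wins."""
    incidents = []
    for line in lines:
        event = parse_cef(line)
        for matches, priority in rules:
            if matches(event):
                incidents.append({
                    "title": f"{event['name']} ({event['device_vendor']})",
                    "priority": priority,
                    "source_signature": event["signature_id"],
                    # observables carried over for enrichment and containment playbooks
                    "observables": {k: v for k, v in event["ext"].items()
                                    if k in ("src", "dst", "suser")},
                })
                break
    return incidents
```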

Option 2: Manual Incident Creation

Click the Incidents menu option, then click the “+” symbol on the Incidents screen:

Fill out all mandatory fields (these can be defined in the Custom Fields screen), then step through and complete the incident wizard to create the incident:

Once all relevant fields have been completed, click Save. The incident will then appear in the incident view as part of the queue you assigned in the Details screen.

Option 3: Incident creation from source

Select an incident source for the incident you want to create, for example a Syslog or CEF message, an email, or a threat intelligence source (STIX/TAXII, ThreatConnect):

In this screen, you can then convert this source item to an incident, or link the source to an existing incident.

Using IncMan Dashboards and Widgets

Today, we will talk about our dashboards in IncMan. We will see how to add, delete and generally organize the dashboard widgets. IncMan widgets can display charts, graphs and tables to display and track Key Performance Indicators. IncMan supports role-based dashboards. This is a key requirement for any SOC, ensuring that the right information is available to the right person based on their role, duties, and needs. Which information is required for any individual or team will differ from organization to organization, so we support customization to create unique and dedicated dashboards for every persona.

How to use IncMan Dashboards and Widgets

The default screen displays a number of out-of-the-box charts to get you started, but you will want to customize the dashboard with the widgets you need for your role.

1. To begin creating your unique dashboard, select “Customize” to open the menu.

2. The dashboard screen is split into 4 distinct parts: top, left, right and bottom. By selecting the “+” symbol, you can add an additional widget from a number of pre-defined templates. For this example, let’s add the “Incident Overview” widget:

3. You can change the name of the widget in the configuration screen, for example, “GDPR” or “Urgent Incidents”. You can also specify the applicable timeframe for the widget, and the refresh rate, to determine how often the widget will be updated.

4. Next, we will configure the widget filters to determine the data that the widget displays.

Search filters narrow down the displayed incidents. You can filter by a variety of attributes, including tags, incident priority, the Incident Response process stage, and any custom fields you have defined. Every filter that is selected will also need a corresponding value assigned to it in the Values tab.

5. Once you’ve selected the values you want to add into the table, the final step allows you to define which columns will be displayed in the widget.

Enjoy!

Automated Responder Knowledge (ARK) in Action

We released our Machine Learning Engine PRISM in our most recent 4.2 release. The first capability that we developed from PRISM is our Automated Responder Knowledge (ARK). This capability will change the way incident responders and SOC analysts respond to incidents, and how they share and transfer their knowledge to the rest of the team. The key to this capability is that it learns from your own analysts’ responses to historical incidents to guide the response to new ones.

We are not re-inventing the wheel with this feature. SOC and Incident Response teams have been doing this the old-fashioned way for a long time, through 6-12 months of training. What we’re doing is providing GPS and satellite navigation: guiding the wheel and giving you different paths to choose from according to the terrain you are in.

We do this by analyzing incidents and their associated attributes and observables to work out how closely they are related. Then we can suggest actions and playbooks based on your organization’s historical responses to similar threats and incidents.
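As an added illustration of this idea (not DFLabs’ PRISM/ARK code; the page does not describe the actual scoring model), here is a small Python model: each incident’s feature space is a set of attributes and observables, relatedness is a weighted Jaccard similarity with analyst-adjustable weights, and a threshold plays the role of the ranking slider described in the steps below, so that suggested actions come only from sufficiently similar resolved incidents. All incidents, actions and weights are constructed for the demo.

```python
from collections import Counter

# Constructed resolved incidents (not real data): each has a feature space of
# attributes and observables, plus the actions analysts took to resolve it.
HISTORY = [
    {"id": "INC-1", "attrs": {"type:phishing", "tag:finance"},
     "observables": {"domain:evil.example", "ip:203.0.113.5"},
     "actions": ["enrich_domain", "block_sender", "reset_password"]},
    {"id": "INC-2", "attrs": {"type:phishing", "tag:hr"},
     "observables": {"domain:evil.example", "hash:deadbeef"},
     "actions": ["enrich_domain", "block_sender"]},
    {"id": "INC-3", "attrs": {"type:malware", "tag:finance"},
     "observables": {"hash:deadbeef", "ip:198.51.100.7"},
     "actions": ["enrich_hash", "isolate_host"]},
]

def similarity(new, old, weights):
    """Weighted Jaccard similarity across the feature-space components."""
    score, total = 0.0, 0.0
    for field, w in weights.items():
        a, b = new.get(field, set()), old.get(field, set())
        union = a | b
        if union:  # skip components where neither incident has data
            score += w * len(a & b) / len(union)
            total += w
    return score / total if total else 0.0

def rank_related(new, history, weights):
    """Rank resolved incidents by similarity to the new one, highest first."""
    scored = [(similarity(new, old, weights), old) for old in history]
    return sorted(scored, key=lambda s: s[0], reverse=True)

def suggest_actions(new, history, weights, threshold):
    """Suggest actions from incidents scoring at or above the slider threshold,
    ordered by how many qualifying incidents used each action."""
    counts = Counter()
    for score, old in rank_related(new, history, weights):
        if score >= threshold:
            counts.update(old["actions"])
    return [action for action, _ in counts.most_common()]

# A newly opened incident and an analyst-tuned weighting that favours
# shared observables over shared attributes (constructed values).
NEW = {"attrs": {"type:phishing", "tag:finance"},
       "observables": {"domain:evil.example", "ip:192.0.2.9"}}
WEIGHTS = {"attrs": 1.0, "observables": 2.0}
```

With the threshold at 0.0 (slider fully left) every historical action is suggested; at 0.5 (slider to the right) only the actions from INC-1 remain.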

Using Automated Responder Knowledge (ARK) in IncMan

Step 1: Not really a step, as it is done automatically by Automated Responder Knowledge (ARK) in the background for every incoming incident. Every incident possesses a feature space that contains all the information related to it, composed of every attribute, associated observable and attached piece of evidence. ARK analyses the feature spaces of every incident ever resolved. When a new incident is opened, it is scored and ranked, then compared by ARK against the historical model to identify related incidents or actions based on similar and shared attributes. The weighting used in the ranking can be customized by analysts.

Step 2: Open the incident, selecting the applicable incident type. To save time, you can create an incident template to pre-populate some of the context automatically in future.

Step 3: Select Playbooks, and PRISM.

In the next screen, you will see a variety of suggested related actions and related incidents based on the feature space that your incident is matched with. The slider at the top controls the ranking weight applied to suggested actions. For example, moving the slider to the left shows actions from the entire feature space, while moving it to the far right shows only a few actions from the most highly ranked incidents.

Step 4: Determine which automation and actions you want to use from the suggestions. After saving, you will be presented with options such as Auto-Commit, Auto-Run, Skip Enrichment, Containment, Notification or Custom Actions. You have the ability to select only the actions you want to automate. If you are concerned about running containment automatically, for example, you simply deselect those options.

Step 5: The automated actions are executed, resolving the incident, based on the automated responder knowledge that machine learning generated from prior incidents.

ARK is designed to facilitate knowledge transfer from senior to junior analysts and to speed up incident response by applying machine learning to automate the knowledge gathering and analysis.

Using Queues in IncMan

In this short blog series, I will be discussing IncMan management features to demonstrate some of the power user functions in our most recent IncMan 4.2.0.1 SP release. Today we will be focusing on how to use the queues feature in IncMan. This functionality has been designed for a SOC team that manages large volumes of incidents with a flexible assignment schedule. It is typically used by SOCs with a large number of alerts and incidents, Managed Security Service Providers and Managed Detection and Response providers.

  1. Let’s begin by navigating to “General Settings”, which is found in the Settings section.
  2. Select the section titled “Queue Settings”. Add a new queue by clicking the “+” symbol. The queue will need an email address. This will be used to email the relevant group of users when this incident type is selected.
  3. Now create a queue name and add the required mailing list for this queue. Click Save.
  4. Navigate to the incident view to start using this queue. Select the Tree Options in the top right of the incident list.
  5. You will see the new queue that we have created, “My New Queue” in this example. For this queue to become visible, add it to the selected items list by clicking on “My New Queue”.
  6. The new queue will now be available for use.
  7. When you create incidents or update your incident templates you will be able to select this new queue option, expand the queue to see the incidents assigned to it, or click on the queue to show an overview of associated incidents.