Full Spectrum Security Orchestration, Automation, and Response

Security Orchestration, Automation, and Response (SOAR) has quickly become a mainstay capability for organizations looking to control their digital environments. As networks have expanded, companies' attack surfaces have grown exponentially, oftentimes outpacing the implementation rate of new technology deployments. Why? Because it’s not a one-to-one calculation; for every new application, database, IoT device, server, or cloud service, an abundance of data is generated, multiple vulnerabilities may be found, and security and operations staff have longer lists of alerts to triage.

To handle network sprawl and the growing attack surface, organizations add to their arsenal of implemented security technologies. By some estimates, the average business manages 57 discrete security tools.[1] it’s no wonder, then, that over the last few years, security and operations platforms that can accomplish orchestrated tasks are desired. Sadly, there is no utopian single pane of glass, but categories like SOAR consolidate certain table stakes capabilities then offer advanced functionality that help organizations find and respond to potential incidents without extra tooling, bodies, or cost.

SOAR as a category was first created to combine security orchestration automation, incident response, and threat/vulnerability information in one platform. This consolidation has been especially useful for large, mature organizations running a security operations center (SOC), as well as managed security service providers (MSSPS). However, even smaller organizations are starting to realize the benefits of having a central capability to manage alerts, visualize threats, apply playbooks, and respond to incidents.

Identification to remediation

Many companies in the current SOAR space grew organically from their beginnings as automation or threat intelligence platforms. Dario Forte, CEO and founder at DFLabs, didn't want to build a platform for which “SOAR is a feature.” What he means by this, he told me on a recent call, is that the company's IncMan SOAR was developed based on the team’s former experience running SOCs and consulting companies. “We wanted to build something that was capable of full threat lifecycle management,” he said, “from initial data aggregation and correlation, to risk assessment, alert triage based on contextualization and prioritization, all the way through incident response and mitigation.”

IncMan is deployed as a virtual machine that bi-directionally integrates with more than 170 technology partners. Out of the box, DFLabs provides 100+ automation actions from their R3 Rapid Response Runbooks, the company’s version of a playbook, that executes workflows, notifications, and conditional security controls. Customers can also add custom playbooks, as befit their unique environments, and adjust the amount of automation as is appropriate, allowing for the intervention of a human analyst where wanted and/or needed.

A test drive

A compelling part of DFLabs’ platform is that a community edition be downloaded for free from the company’s website—no contract required. Of course, this is a form of lightweight PoC for DFLabs’ sales team, but users get the benefit of test driving the solution for up to 5 integrations in a single-tenant environment (the enterprise version includes unlimited integrations, user accounts, and incident handling and triage, and can accommodate single- or multi-tenancy). What’s more, the coding requirement for deployment is minimal, and Forte says customers can be up and running in hours, not days, weeks, or months, as may be expected with other SOAR platforms.

IncMan uses machine learning to recommend actions or controls in customer environments and for triaging and prioritizing events. This process, Forte said, “lowers the rate of false positives because we group and review all incidents before sending them to the customer dashboard. We don’t open an incident for every event; that could raise red flags in audit or compliance, and it’s not necessary. The SOC isn’t looking for more events to handle. They need to handle what’s important and what could impact their systems.” DFLabs calls this triage system “progressive automation,” meaning, lower-risk alerts don’t get bubbled up to a human analyst, but the analysts can keep track of all activities through the user interface.

Forte told me that customers especially like the number of integrations included in the platform, how quickly and easily IncMan integrates, and the automated, machine learning-driven event triage. Incident handling capabilities include investigation, containment, eradication, custom actions, recovery, and notification only, and can be based entirely on DFLabs’ pre-built playbooks or customer-driven requirements. A new user interface and additional features are in the works, too.

Choosing from a crowded category

SOAR is a crowded category and we’re likely to see more vendors enter the market as others are acquired by larger companies looking to become all-in-one providers. Potential customers should evaluate each of their short-listed SOARs based on:

  • Individual use case (e.g., threat hunting, alert management, incident triage)
  • Integration capabilities with existing solutions (e.g., SIEM), and how easy it is to achieve those integrations (i.e., simple or pre-built API)
  • If the platform supports non-cyber uses cases like fraud and compliance
  • The ability of internal analysts (or an MSSP) to manage the platform, and the level of skill required
  • Deployment options (i.e., on-premises, in the cloud)
  • Whether the platform demonstrably reduces the burden on your SOC while increasing efficacy

DFLabs appears to tick all the boxes and is thinking aggressively about their product roadmap. If you want or need to consolidate capabilities and enable progressive automation for improved incident identification-through-response, give the team at DFLabs a call. Or better yet, download their community version and give it a try on your own terms.