IncMan – Incident Response Platform for Security Operations Center

DFLabs IncMan Incident Response Platform for SOC is a purpose-built platform designed to manage and orchestrate Security Operations.

DFLabs IncMan’s library of customizable runbooks orchestrate and automate the response to threat and incident scenarios such as malware, data loss or regulatory breach notification. The solution supports incident responders in assessing, investigating and hunting for threats, and to gather, maintain and transfer knowledge within the Security Operations Center team.

DFLabs IncMan – Incident Response Platform acts as force multiplier – it is possible to manage more incidents in less time with fewer security analysts, and to do so in a repeatable, measurable and enforceable manner.

R³ Rapid Response Runbooks

At the heart of IncMan is the R³ Rapid Response Runbook engine. R³ Runbooks are created using a visual editor and support granular, stateful and conditional workflows to orchestrate and automate incident response activities such as incident triage, stakeholder notification, data and context enrichment and threat containment. R³ Runbooks are enhanced by capabilities to empower incident responders in assessing, investigating and hunting for threats, and to gather, maintain and transfer knowledge between IR and SOC teams.

• Customizable, Linear and Conditional Runbooks
  • Over 100 customizable runbooks and playbooks for individual incident types or threats and regulatory frameworks
  • Complex, stateful and conditional logical decision making to pursue a variety of alternative responses
  • 99+ out of the box automation actions
  • Graphical visual editor

• Full Incident Lifecycle Automation
  • Triage and Notification
  • Context Enrichment
  • Hunting and Investigating
  • Threat Containment

• Dual-Mode Actions
  • Combine manual, semi-automated and automated actions

Augmenting Security Analysts using Machine Learning

DFLabs patent-pending Automated Responder Knowledge (DF-ARK) module applies machine learning to historical responses to threats, and recommends relevant runbooks and paths of action to manage and mitigate them. DF-ARK applies a supervised case-based reasoning machine learning algorithm.

1. ARK constructs a model of an organizations threat landscape based on known and historical incidents
2. ARK scores and evaluates any incident based on unique and shared indicators and attributes and their relevance to historical incidents
3. The ARK algorithm uses this model to suggest playbooks for similar and related threats
4. Threats known to the model are considered to have a greater relevance, are scored more reliably, and are assigned a greater urgency and higher priority

ARK requires sufficient training data – it begins with no knowledge, but learns from the experience and actions of your security team, becoming more effective over time.

DFLabs Incident Response Platform for SOC’s at a Glance

The table below highlights further benefits that IncMan offers to Security Operations Centers:

Core SOC Benefits	IncMan’s Solution
Aggregation and correlation of security and incident data	Support for hundreds of 3rd party security technologies via Syslog, CEF and Email parsing 45+ certified bidirectional connectors are included for leading 3rd party security technologies such as  ActiveDirectory, Palo Alto, Cisco ThreatGrid, CrowdStrike, and Carbon Black, with many more continuously being added Database querying for MySQL, MSSQL, PostGreSQL, Microsoft Access and Oracle Custom Script execution Bidirectional SOAP API
Customizable linear playbooks and conditional runbooks	Security analysts can create a library of dedicated, customizable and granular runbooks using a graphical editor for individual threat, incident, or asset types IncMan comes with 100+ customizable playbooks, runbooks and automation actions out of the box Automatic correlation and re-application of playbooks across tenants in multi-user environments
Integrated Knowledgebase module to disseminate, share and transfer knowledge from experienced to novice analysts and within the team	IncMan has an integrated Knowledgebase Module to document playbooks, threat assessments, threat intelligence, situational awareness and best practices Segregated and dedicated Knowledge bases can be maintained for individual business units or asset groups Integrated Knowledgebase library includes GDPR, ISO, NIST and other regulatory frameworks
Repeatable, enforceable, measurable & effective incident response workflows	Playbooks support full incident phase management to measure every individual phase of the IR workflow Mandatory steps can be enforced, ensuring that incident response is conducted in a forensically sound, legally and policy-compliant manner
Customizable dashboards and widgets to gain immediate situational awareness of operations and threats	Support for a huge variety of key performance indicators and metrics Visualize data with charts, graphs, tables, and meters
Generate operational performance reports with an integrated reporting engine	Generate reports for: Operational performance Incidents Threats Regulatory compliance Over 140 customizable KPI and report templates
Powerful case management	Integrated forensics capabilities Forensics and incident response system analysis and Evidence management Collaborate with diverse stakeholders Secure collaborative platform for communications, data sharing and reporting
Threat and incident data visualization and analysis	Analysis and visualization of IoC’s and incident observables Automated threat intelligence fusion Support for STIX, TAXII, OpenIoC, MISP and many open source and commercial TI feeds

Deployment

IncMan is deployed as a Virtual Machine or dedicated HW appliance

• High availability and load balancing
• Multitenant architecture
• Scalable incident response platform, can be integrated with NAS and SAN