Government agencies struggle with limited in-house IT security resources, budgets, and skilled security operations professionals to effectively identify and respond to the sophisticated cyber threats targeting their expanding IT attack surface.

Security automation is a force multiplier that enables them to continuously monitor, interpret, assess risk, and respond to the firehose of data generated by best-of-breed security products and threat intelligence feeds.

DFLabs has pioneered intelligence-driven Security Automation, Orchestration and Response (SOAR) technology that enables organizations to address the three main challenges security operations teams face today:

1. How to monitor and manage the sheer volume of alerts and incidents that are continuously generated
2. How to achieve visibility into acute threats and prioritize them, and
3. How to effectively accomplish this, along with remediation, with limited resources

The DFLabs IncMan platform provides a centralized, automated, intelligence-driven command and control security monitoring, automation and orchestration platform that spans the entire lifecycle of security operations including incident detection, threat investigation, and orchestration of response.

Security operations center (SOC) and computer security incident response teams (CSIRT) security analysts, forensic investigators and incident responders use IncMan to respond to, track, predict and visualise cyber security incidents.

The platform also enables security managers and CISOs to continuously oversee, manage and measure operational performance and cyber risk across every individual phase of the incident response workflow through role-based dashboards, customizable widgets, and nearly 150 KPIs and reports.

DFLabs IncMan Security Automation and Orchestration platform enables you to automate, orchestrate and measure security operations and incident response processes and tasks

DFLabs IncMan is the only platform capable of full incident lifecycle automation that includes built-in, automated, continuous threat intelligence gathering, risk assessment, triage and notification, context enrichment, hunting and investigating, and threat containment.

Additionally, DFLabs IncMan aggregates the output of third party security devices such as SIEM’s and EDR’s, and services such as Threat Intelligence and Malware Analysis to automate and orchestrate the correlation and fusion of these disparate intelligence sources.

DFLabs IncMan – Incident Response Platform acts as force multiplier – it is possible to manage more incidents in less time with fewer security analysts, and to do so in a repeatable, measurable and enforceable manner.

Threat Intelligence fusion is automated throughout the platform’s threat qualification and investigation, triage and escalation, and threat containment.

Currently supporting more than one hundred (and growing) leading third party security and threat intelligence sources, DFLabs IncMan applies machine learning to guide IT security personnel through patented, highly adaptable playbooks and accelerates the most appropriate and effective response to mitigate cyber threats.

The patented DFLabs R3 Rapid Response Runbooks automate the operationalization of threat intelligence from triage and investigation to containment using hundreds of conditional actions that allow workflows to execute a variety of data enrichment, notification, containment and custom steps based on complex, stateful and logical decision making.

R³ Rapid Response Runbooks

At the heart of IncMan is the R³ Rapid Response Runbook engine.

R³ Runbooks are created using a visual editor and support granular, stateful and conditional workflows to orchestrate and automate incident response activities such as incident triage, stakeholder notification, data and context enrichment and threat containment.

R³ Runbooks are enhanced by capabilities to empower incident responders in assessing, investigating and hunting for threats, and to gather, maintain and transfer knowledge between IR and SOC teams.

Customizable, linear and conditional runbooks

• Over 100 customizable runbooks and playbooks for individual incident types or threats and regulatory frameworks.
• Complex, stateful and conditional logical decision making to pursue a variety of alternative responses.
• 99+ out of the box automation actions
• Graphical visual editor

Full Incident Lifecycle Automation

• Triage and Notification
• Context Enrichment
• Hunting & Investigating
• Threat Containment

Dual-Mode actions

• Combine manual, semi-automated and automated actions.

DFLabs’ Runbooks are enhanced with capabilities that enable incident responders to automate and accelerate the assessment, investigation and containment of threats, and to gather, maintain and transfer knowledge between incident response (IR) and SOC teams.

DFLabs’ patent-pending Automated Responder Knowledge (ARK) module applies machine learning to historical responses to threats, and recommends relevant playbooks and courses of action to manage and mitigate threats.

Augmenting Security Analysts using Machine Learning

DFLabs patent-pending Automated Responder Knowledge (DF-ARK) module applies machine learning to historical responses to threats, and recommends relevant runbooks and paths of action to manage and mitigate them.

DF-ARK applies a supervised case-based reasoning machine learning algorithm.

1. ARK constructs a model of an organizations threat landscape based on known and historical incidents
2. ARK scores and evaluates any incident based on unique and shared indicators and attributes and their relevance to historical incidents
3. The ARK algorithm uses this model to suggest playbooks for similar and related threats
4. Threats known to the model are considered to have a greater relevance, are scored more reliably, and are assigned a greater urgency and higher priority.

ARK requires sufficient training data – it begins with no knowledge, but learns from the experience and actions of your security team, becoming more effective over time.

Deployment

IncMan is deployed as a Virtual Machine or dedicated HW appliance

• High Availability and Load Balancing
• Multitenant Architecture
• Scalable Incident Response Platform, can be integrated with NAS and SAN

DFLabs Incident Response Platform for SOC’s at a Glance

The table below highlights further benefits that IncMan offers to Security Operations Centers:

Core SOC Benefits	IncMan’s Solution
Aggregation and correlation of Security and Incident Data	Support for hundreds of 3rd party security technologies via Syslog, CEF and Email parsing 35+ certified bidirectional connectors are included for leading 3rd party security technologies such as  ActiveDirectory, Palo Alto, Cisco ThreatGrid, CrowdStrike, and Carbon Black, with many more continuously being added Database querying for MySQL, MSSQL, PostGreSQL, Microsoft Access and Oracle Custom Script execution Bidirectional SOAP API
Customizable linear playbooks and conditional runbooks	Security analysts can create a library of dedicated, customizable and granular runbooks using a graphical editor for individual threat, incident, or asset types. IncMan comes with 100+ customizable playbooks, runbooks and automation actions out of the box. Automatic correlation and re-application of playbooks across tenants in multi-user environments.
Integrated Knowledgebase module to disseminate, share and transfer knowledge from experienced to novice analysts and within the team.	IncMan has an integrated Knowledgebase Module to document playbooks, threat assessments, threat intelligence, situational awareness and best practices. Segregated and dedicated Knowledge bases can be maintained for individual business units or asset groups. Integrated Knowledgebase library includes GDPR, ISO, NIST and other regulatory frameworks.
Repeatable, enforceable, measurable & effective incident response workflows.	Playbooks support full incident phase management to measure every individual phase of the IR workflow. Mandatory steps can be enforced, ensuring that incident response is conducted in a forensically sound, legally and policy-compliant manner.
Customizable dashboards and widgets to gain immediate situational awareness of operations and threats.	Support for a huge variety of key performance indicators and metrics Visualize data with Charts, Graphs, Tables, and Meters
Generate operational performance reports with an integrated reporting engine.	Generate reports for: Operational Performance Incidents Threats Regulatory compliance Over 140 customizable KPI and Report templates.
Powerful case management	Integrated forensics capabilities Forensics and Incident Response System Analysis and Evidence Management Collaborate with diverse stakeholders Secure collaborative platform for communications, data sharing and reporting
Threat and Incident data visualization and analysis	Analysis and visualization of IoC’s and Incident Observables Automated Threat Intelligence Fusion Support for STIX, TAXII, OpenIoC, MISP and many open source and commercial TI feeds

With DFLabs, more junior staff can be empowered to manage threat containment and remediation.

DFLabs IncMan also provides an integrated Knowledgebase based on a combination of internally created and curated information annotated and updated by the internal security team, and an external, regularly updated knowledge feed that provides playbooks, advisories and best practices to deal with current threats, regulatory frameworks and common incident types.

Most recently, DFLabs has further raised the bar for security incident response and orchestration through machine-based automation that reduces the time and complexity associated with responding to, containing and eliminating cyber security threats.

The IncMan R3 Rapid Response Runbooks support “User Choice” conditions that allow more granular flow control than the traditional true/false conditions found in competitive solutions.

Furthermore, output filtering enables previous actions to be omitted based on user-defined criteria for subsequent steps.

For example, different automated decisions can now be made not only based on the presence or absence of a detection, but also based on granular risk factors including the number or severity of incidents.

Since each organization has unique automation preferences and policies, R3 Rapid Response Runbooks can flexibly apply dual-mode actions that combine manual, semi-automated and fully automated steps.

R3 Runbooks can also include conditional statements that apply full automation when it is safe to do so, but request that a human approve a decision in critical environments or where it may have a detrimental impact on operational integrity.

Using DFLabs, customers have reduced average resolution times by up to 90%, boosted operations efficiency by 80% and increased management by 300%.

Meanwhile, MSSPs can automate security monitoring and incident response services with customer-centric workflows and communication channels, and also offers a platform to deliver premium managed detection and response services.

To satisfy breach notification requirements, regulatory compliance, and implement a formalized security operations program, DFLabs’ measurable, enforceable and repeatable playbooks speed up incident and forensic investigations to comply with breach notification timelines.

DFLabs Competes in 2018 ‘ASTORS’ Homeland Security Awards Program

AST focuses on Homeland Security and Public Safety Breaking News, the Newest Initiatives and Hottest Technologies in Physical & IT Security, essential to meeting today’s growing security challenges.

The 2018 ‘ASTORS’ Homeland Security Awards Program, is organized to recognize the most distinguished vendors of Physical, IT, Port Security, Law Enforcement, Border Security, First Responders, (Fire, EMT, Military, Support Services Vets, SBA, Medical Tech) as well as the Federal, State, County and Municipal Government Agencies – to acknowledge their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’

As an ‘ASTORS’ competitor, DFLabs will be competing against the industry’s leading providers of Innovative Security Orchestration, Automation and Response (SOAR) Solutions.

To Learn More about the ‘ASTORS’ Homeland Security Awards Program, see 2017 ‘ASTORS’ Homeland Security Award Winners Honored at ISC East.

Over 100 distinguished guests from National, State and Local Governments, and Industry Leading Corporate Executives from companies allied to Government, gathered from across North America and the Middle East to be honored from disciplines across the Security Industry in their respective fields which included:

• The Department of Homeland Security
• The Department of Justice
• The Security Exchange Commission
• State and Municipal Law Enforcement Agencies
• Leaders in Private Security

Nominations are now being accepted for the 2018 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.

American Security Today will be holding the 2018 ‘ASTORS’ Awards Presentation Luncheon to honor Nominees, Finalists and Winners in November 2018, in New York City.

To learn more about how DFLabs IncMan Security Automation and Orchestration platform can enable you to automate, orchestrate and measure security operations and incident response processes and tasks, please visit https://www.dflabs.com/solution/incident-response-platform-soc/.

For ‘ASTORS’ Sponsorship Opportunities and More Information on the AST 2018 ‘ASTORS’ Homeland Security Awards Program, please contact Michael Madsen, AST Publisher at: mmadsen@americansecuritytoday.com or call 732.233.8119 (mobile) or 646-450-6027 (office).

DFLabs IncMan is used by a growing number of Fortune 500 and Global 2000 enterprises, government agencies, law enforcement and intelligence agencies with operations in Europe, North America and EMEA.