DFLabs Looks to Improve SOAR With Open Integration Framework

DFLabs is making use of Docker containers to enable a framework that makes it easier for organizations to create new integrations for security control orchestration.

DFlabs IncMan

DFLabs announced a new version of its IncMan SOAR (Security Orchestration Automation and Response) platform on Nov. 7, providing organizations with a new open model for enabling integration with security tools.

The IncMan SOAR 4.5 release adds a new open integration framework that makes it easier for organizations to connect disparate security tools together for a more seamless security remediation workflow. The DFLabs update also improves the START Triage module that can be used to limit false positives and reduce the number of alerts that generate incidents that need to be remediated.

"The new open integration framework is really designed to change the way that we at DFLabs develop our integrations with third-party products, but also change the way that customers can interact with them," John Moran, senior product manager at DFLabs, told eWEEK.

SOAR is an emerging area of IT cyber-security that blends alerts with the automated orchestration of different security controls for incident remediation. The State of SOAR Report 2018, released on Sept. 6, found that the high volume of security alerts experienced by many organizations is driving increased demand for SOAR technologies.

One of the main differentiators between DFLabs' open integration framework and what some of the other SOAR vendors are doing is the ability to define integrations in a text-based format that works at the action level, Moran said. As such, he explained that instead of having one giant file that defines all the IncMan SOAR integrations with a specific vendor technology, DFLabs just has individual files that define each action.

How It Works

Creating integrations with different security technologies via the open integration framework is enabled via the innovative use Docker containers.

By creating an integration definition container with DFLabs' open framework and then allowing users to upload individual action files, users just code their new action in its own integration action file, without worrying about messing up anything that already exists, Moran said. By using Docker containers, it makes it very easy for users to share integrations with other customers, he added. Python, Perl, PowerShell and bash scripting are all supported options for programming the integration containers.

"So the user has the ability to specify what Docker container they would like to execute each integration in, and that allows for increased security and it allows users to use whatever third-party libraries they may need," he said.

Start Triage

The IncMan SOAR 4.5 release also benefits from a series of other features, including an expanded REST API. Additionally, the Start Triage module has been enhanced to provide organizations with new capabilities. Moran explained that a common problem for many IT organizations is they get a high volume of alerts but don't have proper scoring mechanics in place of the severity of all the incoming information.

"In the 4.5 release, we have the ability to create triage events from any log source to help weed out false positives," he said. 

Now an organization can create a rule that says, for example, if an endpoint detection and response (EDR) solution generates a syslog message with a score of 50 or greater, create an incident out of it, he said. Conversely, if the score is less than 50, the alert will move to the triage module, where a security analyst can perform additional enrichment to make a determination to see whether the alert is an actual incident or not.

Looking forward, Moran said DFLabs will continue to make its SOAR platform more open. He commented that the open integration framework is a first step in the direction of having a more open development process and community environment surrounding DFLabs overall.

"I think over the next several months, you're going to see some other announcements and some other features and products coming out to further achieve a more open community-based feel to the platform and to our services," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.