DFLabs, provider of security orchestration, automation, and response (SOAR) technology, is introducing a new version of the IncMan SOAR platform that uses automated event triage to dramatically reduce the number of security incidents generated from alerts.
The capability, called START (Simple Triage And Rapid Treatment) Triage, is being used in production by a major European bank to eliminate manual first line assessment of suspected fraudulent online transactions. IncMan SOAR has reduced triage time by 90% for cyber fraud events generated by its mainframe and other external systems.
Traditionally, every security alert received by a SOAR platform generates an incident, which must be investigated. This process can lead to an overwhelming number of security incidents, sometimes created because of false positive alerts, that must be addressed by overworked security operations center (SOC) staff.
To reduce the number of security incidents generated by false positives, the new version of IncMan SOAR can ingest alerts from any source via a new API for triage to determine whether they should be converted to an incident or discarded.
The START Triage event queue, which is separate from the incident queue, uses the full automation, orchestration and machine learning power of IncMan SOAR’s R3 Rapid Response Runbooks to enrich event information. This allows IncMan SOAR to quickly make a determination regarding the reliability of an alert and whether it merits being turned into a security incident.
“Not every alert deserves to become and be processed as a security incident, yet that is how SOAR products currently operate. The new release of IncMan SOAR is breaking this cycle,” said Michele Zambelli, CTO of DFLabs. “By applying our automation engine, enrichment and containment capabilities to events using a triage process, we can dramatically reduce the number that are turned into incidents, and placed into the queue for deeper assessment by IncMan and security analysts.”
IncMan SOAR 4.4 includes several new bidirectional integrations from a variety of product categories including SIEM, network defense, endpoint protection and threat intelligence, that broaden its orchestration and automation capabilities.
In addition, new enhancements made to IncMan SOAR R3 Rapid Response Runbooks allow one R3 Runbook to call other R3 Runbooks.