Enhanced automation, bidirectional integrations highlight DFLabs 4.3 version of IncMan SOAR platform

DFLabs is moving to an all-channel model from a hybrid one, and the enhancements – all requested by customers – will make it easier for partners to sell the platform.

IncMan 4.3

Security automation and orchestration provider DFLabs has announced the 4.3 version of their IncMan Security Orchestration, Automation and Response [SOAR] platform. It provides for more customization of workflows, giving users the ability to add more human interaction to IncMan’s Rapid Response Runbooks. It adds seven new bidirectional third-party integrations. It also makes some significant enhancements to the dashboards.

The SOAR space is a newly-defined one, and represents the further development of what Gartner originally called the SOA space.

“Gartner has finally decided to define the SOAR space which is great for us,” said John Moran, Senior Product Manager at DFLabs. “Defining it is also great for the industry.” DFLabs was recognized as a Representative Vendor by Gartner in their November 2017 Innovation Insight for Security Orchestration, Automation and Response, which introduced the category.

“They don’t have a magic quadrant for SOAR vendors yet, but we expect one in the next year or so,” Moran said. “It’s a huge growth area. Gartner says one per cent of large enterprises are using it now, but it will be up to around 15 per cent by the end of 2020.”

DFLabs IncMan SOAR platform is designed for enterprise SOCs and MSSPs, and automates and orchestrates security operations and incident response tasks, from many different solutions.

“The heart of the platform is to be a force multiplier for security teams,” Moran said. “Many tools generate alerts and take on different tasks. These are traditionally different processes. One of the main problems we solve is taking these platforms to bring them together and let enterprises organize them all into one coherent security solution.”

The 4.3 release enhances automation in two different ways: by ingesting information from new bidirectional integrations with additional security platforms; and by implementing dual mode orchestration to provide more flexibility and more granular flow control.

“Dual mode orchestration was implemented to address customer concerns about false positives stemming from automation,” Moran explained. “IncMan R3 Rapid Response Runbooks are one of the core ways we implement automation and orchestration. They work very much like a flowchart of actions and notifications, and the power of Runbooks comes from their ability to ingest alerts from broad sources and configure IncMan to generate alerts. What we are adding is the ability to add ‘User Choice’ conditions so the user can allow human input at any time. For instance, you can allow IncMan to always make a decision to do things like block an IP address, or depending on the number and severity of detections, can set it to allow human input. The ‘User Choice’ feature allows Runbook to run automatically, but if it hits a set decision point it will stop there, and a human can choose which path to take manually. It gives the user some additional feelings of comfort and provides them with more flexibility.”

The seven new bidirectional integrations are with vendors Recorded Future, Jira, Carbon Black Defense, Microfocus. HPE, Tufin and Cuckoo Sandbox. They bring the number of IncMan integrations up to approximately 35.

“These integrations have all been designed to add value to customers by integrating with the whole spectrum of security products,” Moran said. “We aren’t adding new ones just to add more integrations, to say that we can support 20 different firewalls. It’s especially important that the integrations complement each other across different areas like endpoint security, issue tracking and ticketing systems. That’s what brings the power to the solution.”

Moran indicated that dashboard improvements were the third major area of improvement in 4.3.

“We’ve had quite a bit of an overhaul here,” he said. “We added more widgets to the ones we already had, and added new ways to customize them to show the information the customer thinks is valuable. One neat thing in my opinion is a new ability to scroll the dashboard. That’s valuable in a SOC or MSP where you have a lot of things, and it helps to be able to scroll for many screens.”

DFLabs has been transitioning from a hybrid selling model to an all-channel one, and introduced their first channel program last fall.

“We have 20 plus partners now, and the program has been very successful,” Moran said. “The new features in 4.3 will further help support the partners because they will make the platform a lot easier for the partners to sell. The enhancements are all things that customers have asked for, and they are things where they can immediately see value.”

The new version of DFLabs IncMan is available immediately on AWS, CentOS and RedHat7.