SOAR vendor DFLabs unveils platform optimized for MSSPs

While DFLabs’ platform already supported multi-tenancy, it has added the ability to manage large numbers of divergent third-party devices at customer sites with vendor-agnostic runbooks in this new optimization for MSSP and Managed Detection and Response providers.

Today at the RSA Conference, security automation, orchestration and response [SOAR] vendor DFLabs is announcing a version of its IncMan SOAR platform that is specifically designed for the needs of MSSPs and Managed Detection and Response [MDR] service providers who provide a complete set of incident response capabilities. The key addition is the ability to centrally perform one-to-many operations across multiple customer environments, regardless of the number of security products deployed at each location.

DFLabs’ IncMan SOAR platform automates and orchestrates security operations and incident response tasks, including threat qualification, triage and escalation, hunting and investigation, and containment. It was initially sold to end-user customers with SOCs [Security Operations Centres] and CSIRTs [Computer Security Incident Response Teams]. Not surprisingly, this meant that their customers were enterprises large enough to support such teams. Now, however, they are looking to expand their presence downmarket as well.

Dario Forte, DFLabs’ Founder and CEO

“We have targeted the Fortune 500 through the Global 5000,” said Dario Forte, DFLabs’ Founder and CEO. “We know, however, that to become the de facto independent platform leader in the SOAR space, we need to reach as many customers as we can – including companies that do not have SOCs.”

MSSPs and MDR providers are the easiest and most efficient way to do that, with the issue being that DFLabs had not worked much with this kind of partner in the past.

“MSSPs are a smaller proportion of our base, something which is common across the SOAR platforms,” said John Moran, Senior Product Manager at DFLabs. “SOARs initially were designed for single tenant environments, and it’s a lot bigger endeavour for an MSSP to overhaul or change platforms.”

More recently however, with the growth of SOARs, MSSPs have been showing more interest in them.

“25 per cent of our pipeline is now MSSPs and MDRs,” Forte said. “Europe and the Middle East were the first to show this trend, but the U.S. is now growing sequentially after these other regions. We are making this announcement because we expect a dramatic increase in adoption by MSSPs, that will increase our capabilities of reaching the smaller customer.”

DFLabs has offered multi-tenancy capabilities for some time, but an issue has MSSPs have faced with their platform until now has been the large number of third-party security products they now have to support in customer environments.

“They can have to interact with many different technologies and this has required them doing a number of things manually,” Moran said. “What this new version of the platform does is build on the multi-tenancy that we already offered in order to allow MSSPs to work smarter.  They asked us how we could streamline what we already had, and our new – vendor-agnostic Runbooks came from their feedback.”

These Runbooks allow MSSPs to execute a single action, like blocking a malicious IP address, across any number of client technologies such as blocking a malicious IP address, while providing each customer the ability to maintain control over what actions are allowed, for both management efficiency and regulatory compliance reasons.

“We are the only SOAR vendor that is approaching the MSSP use case in this way, with vendor-agnostic runbooks which helps them be very quick in providing value,” Forte said. “As a result, we expect a strong increase in the number of partners because of this new release. For MSSPs, the overall skills shortage in the industry is multiplied by the number of customers that they have, so this kind of automation and orchestration is even more valuable in a multi-customer environment. It complements our status as the most open SOAR architecture in the market. We make this open integration framework with almost no coding experience required, so partners can create additional revenue streams and be very quick in developing new integrations.”

The new version of DFLabs IncMan SOAR is scheduled to become available worldwide in Q2.