Release of the Defensys SOAR Platform version 5.2

Defensys has issued a new release of its platform for incident response automation and SOC efficiency, Defensys SOAR v. 5.2. The new version provides users with an e-mail communication tool and enhanced response playbook capabilities.

One of the key platform features is built-in e-mail correspondence, implemented as a separate tab in the incident card. All messages are displayed in a familiar form, as in popular messengers. An incident mail thread can be created either manually or automatically using response playbooks. For instance, you could set up an automatic initial message requesting additional information as soon as an incident occurs. This makes communication during incident handling easier and saves the time spent switching between the system interface and e-mail.

In the updated version, Defensys has improved response playbooks by adding automatic handling of connector execution errors. As a result, Defensys SOAR users get better control over the playbook execution process: if a network failure occurs or an external system is temporarily unavailable, connectors restart automatically without any human intervention.

Aside from that, Defensys SOAR 5.2 introduces a new approach to configuring automatic playbook starts.

Case study by Defensys – Digital Service provider

Challenge

The customer needed to put its internal IT and cyber security processes in order, so extensive market research was carried out.

After a careful search, Defensys ACP was chosen.

The customer has a large infrastructure with a great number of servers, active network equipment and, of course, workstations.

Several of the customer's departments were involved in the project implementation. Work began with the IT department; later the cyber security department joined with its own requirements.

From the very beginning, the main objective of the project was to create a single repository of assets and to put them in order there. Defensys ACP was configured to receive data from different network segments. Working together with the cyber security and IT departments, many different types of systems were successfully integrated with the ACP system, although there were some specific requirements along the way. For example, the customer's network has segments that are not interconnected at the physical level. For that reason, part of the data was uploaded to the system using its file integration capabilities, from custom databases, and via questionnaires sent out with the ACP's built-in task manager.

Cybersecurity Digest #75: 16/05/2023 – 30/05/2023

Cybersecurity news

Defensys SENSE: the reduction of false positives via the implementation of behavioral models

We recently told you about the analytical tools implemented in Defensys SENSE.

Some of them are programmatic experts: algorithms that use statistical analysis and machine learning methods to detect anomalies and threats in user and endpoint behavior.

Today we continue the overview of Defensys SENSE capabilities and take a look at the behavioral models that underpin the programmatic experts. In this article we describe in detail the processes of additional learning and relearning of behavioral models, and how they help to eliminate false positives and false negatives, increasing the effectiveness of working with detected anomalies.

Behavioral models and their learning

The work of behavioral models is based on extracting and updating knowledge about the observed entities. This data is derived from event logs, and the processing relies on complex mathematical models and calculations.

This helps to build a profile of the observed entity and to detect deviations in its behavior.

Picture 1 – The process of the system's initial learning

Among the programmatic experts there are behavioral models that use retrospective data to build the observed entity's profile.

Cybersecurity Digest #74: 02/05/2023 – 16/05/2023

Cybersecurity news
