TECHNOLOGY CONVERGENCE

Gartner has tracked the evolution of SOAR (Security Orchestration, Automation and Response). As this market matures, Gartner is witnessing a clear convergence among three previously distinct, but small, technology markets:
• Security orchestration and automation
• Security incident response platforms
• Threat intelligence platforms

The RSA NetWitness Platform, including the evolved SIEM and threat defense offerings, is positioned as the only platform capable of delivering pervasive visibility across logs, network and endpoints. RSA NetWitness Orchestrator provides:
• Native incident management and collaboration
• Security orchestration and automation
• Threat intelligence woven into one platform

RSA NETWITNESS PLATFORM: UP LEVEL YOUR SOC
See what RSA NetWitness Orchestrator can offer.

[Figure: RSA NetWitness Platform components: Orchestration & Automation (RSA NetWitness Orchestrator), Log-Centric SIEM, Network Traffic Analysis, Network Forensics, Endpoint Detection & Response, UEBA, Threat Intelligence]

SOAR FUNCTIONAL COMPONENTS

SOAR should include four functional components to maximize the SOC's ability to manage the lifecycle of incidents and security operations:*
• ORCHESTRATION: how different technologies (both security-specific and non-security-specific) are integrated to work together
• AUTOMATION: how to make machines do task-oriented "human work"
• INCIDENT MANAGEMENT & COLLABORATION: end-to-end management of an incident by people, comprising case management, analytics & investigation support, journaling & evidentiary support, and threat intelligence management
• DASHBOARDS & REPORTING: visualizations and capabilities for collecting and reporting on metrics and other information

Charts/graphics created by RSA based on Gartner research.*

RSA NetWitness Orchestrator is presented as an end-to-end solution that can handle varying levels of complexity across a SOC's maturity lifecycle. Threat intelligence is becoming a significant resource for detecting, diagnosing and treating imminent or active threats, and most SOAR tools, like many other products in the security market today, include various forms of threat intelligence integration for this purpose.

ORCHESTRATION CAPABILITIES
Gartner* lists: basic integration; feature-rich integrations; bi-directional integration capability.
RSA NetWitness Orchestrator:
• Extensible network with 160+ partner integrations
• Abstraction layer with multiple API calls (and growing) per integration that leverages all partner features
• 400+ automation scriptlets invokable across the platform
• Logical expressions supported in the CLI
• Many bi-directional partner integrations with both push and pull capabilities
• Bring-your-own-integration: a code-light option for building bespoke integrations

AUTOMATION CAPABILITIES
Gartner* lists: process guidance; playbooks; workflows with multilevel automation.
RSA NetWitness Orchestrator:
• Playbooks that interweave automated and manual tasks
• Ability to create custom manual tasks and nest sub-playbooks within playbooks
• GUI-based drag-and-drop playbook editor
• 40 out-of-the-box (OOTB) playbooks
• Open playbook standards
• Full workflow capability: workflows can combine automated and manual tasks across security product functions

JOURNALING & EVIDENTIARY SUPPORT
Gartner* lists: user interface for investigation; historical records; collaboration.
RSA NetWitness Orchestrator:
• Evidence board for each incident that stores key artifacts for current and future analysis
• Time-based radial map of related incidents, with the ability to link incidents and mark duplicates
• Auto-documentation of playbook tasks, analyst tasks, comments and live commands in the War Room
• War Room: analysts conduct joint investigations and interact with security bots and other security products (ChatOps)
• Collaboration with granular role-based access control and management

CASE MANAGEMENT
Gartner* lists: case management; capturing a knowledge base from security analysts; post-closure scripts.
RSA NetWitness Orchestrator:
• Evidence timeline to capture key incident takeaways
• Customizable reports per incident
• Library for playbooks and automation scripts
• Auto-documentation of all actions and comments
• Machine learning trained on analyst actions for insights
• Parent and child account privileges for automations, playbooks, incident types and reports

ANALYTICS & INVESTIGATION SUPPORT
Gartner* lists: cross-correlation of artifacts across incidents; incident investigation; basic native threat intelligence; third-party threat intelligence network.
RSA NetWitness Orchestrator:
• Visual map of related incidents with the ability to link and mark as duplicates
• Central indicator repository with STIX upload, auto-detection of indicators, search and query
• Ability to schedule threat hunting playbooks and proactive response
• Extensive threat intelligence partner network
• Orchestrate actions as playbook tasks or run commands interactively from the War Room

DASHBOARD & REPORTING CAPABILITIES
Gartner* lists: analyst-level reporting; SOC director-level reporting; CISO-level reporting.
RSA NetWitness Orchestrator:
• Number and types of incidents, open/closed status
• Number of analysts, number of incidents per analyst
• Efficiency metrics: MTTR, top-performing analysts, investment saved through automation

TO SEE RSA NETWITNESS ORCHESTRATOR IN ACTION
Schedule a demo: https://information.rsa.com/demo-request.html
Read more: https://www.rsa.com/en-us/products/threat-detection-response/security-automation-orchestration
RSA.com/DoMore

* Source: Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30). Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719). Retrieved from Gartner.