TECHNOLOGY CONVERGENCE

Gartner has tracked the evolution of SOAR (Security Orchestration, Automation and Response). As this market matures, Gartner is witnessing a clear convergence among three previously relatively distinct, but small, technology markets:

• Security orchestration and automation
• Security incident response platforms
• Threat intelligence platforms

The RSA NetWitness Platform, including the evolved SIEM and threat defense offerings, is the only platform uniquely capable of delivering pervasive visibility across logs, network and endpoints.

RSA NetWitness Orchestrator provides:

• Native incident management and collaboration
• Security orchestration and automation
• Threat intelligence woven into one platform

RSA NETWITNESS PLATFORM: UP LEVEL YOUR SOC

See what RSA NetWitness Orchestrator can offer.

[Chart: RSA NetWitness Platform, Orchestration & Automation (NetWitness Orchestrator), spanning Log-Centric SIEM, Network Traffic Analysis, Network Forensics, Endpoint Detection & Response, UEBA and Threat Intelligence.]

SOAR FUNCTIONAL COMPONENTS

SOAR should include four functional components to maximize the SOC's ability to manage the lifecycle of incident and security operations:

• Orchestration: how different technologies (both security-specific and non-security-specific) are integrated to work together
• Automation: how to make machines do task-oriented "human work"
• Incident management & collaboration: end-to-end management of an incident by people
• Dashboards & reporting: visualizations and capabilities for collecting and reporting on metrics and other information

[Chart: SOAR functional components and sub-capabilities, labelled Orchestration; Automation; Incident Management & Collaboration; Case Management; Analytics & Investigation Support; Journaling & Evidentiary Support; Management and Threat Intelligence; Dashboard & Reporting.]

Charts/graphics created by RSA based on Gartner research. Source: Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30). Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719).

TO SEE RSA NETWITNESS ORCHESTRATOR IN ACTION

Schedule a Demo: https://information.rsa.com/demo-request.html
Read More: https://www.rsa.com/en-us/products/threat-detection-response/security-automation-orchestration
RSA.com/DoMore: https://www.rsa.com/en-us/products/threat-detection-respoMr-siem-do-this

*Source: Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30). Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719). Retrieved from Gartner.

RSA NetWitness Orchestrator highlights an end-to-end solution that can handle varying levels of complexity across a SOC's maturity lifecycle.

Threat intelligence is becoming a significant resource for detecting, diagnosing and treating imminent or active threats. Most SOAR tools, like many others in the security market today, include various forms of threat intelligence integration for this purpose.

Gartner* notes the following capabilities in its summary of Orchestration Capabilities:

• Basic Integration
• Feature-rich integrations
• Abstraction layer
• Bi-directional integration capability

RSA NetWitness Orchestrator:

• Extensible network with 160+ partner integrations
• Multiple API calls (and growing) per integration that leverage all partner features
• 400+ automation scriptlets invokable across the platform
• Logical expressions supported in CLI
• Many bi-directional partner integrations with both push and pull capabilities
• Bring your own integration as a code-light option to build bespoke integrations

Gartner* notes the following capabilities in its summary of Automation Capabilities:

• Process Guidance
• Playbooks
• Workflows with Multilevel Automation

RSA NetWitness Orchestrator:

• Playbooks to interweave automated and manual tasks
• Ability to create custom manual tasks and place sub-playbooks within playbooks
• GUI-based drag-and-drop playbook editor
• 40 OOTB playbooks
• Open playbook standards
• Full workflow capability
• Workflows can have automated and manual tasks across security product functions

Gartner* notes the following capabilities for Journaling and Evidential Support:

• User interface for Investigation
• Historical records
• Collaboration

RSA NetWitness Orchestrator:

• Evidence board for each incident stores key artifacts for current and future analysis
• Related incidents with time-based radial map of related incidents, ability to link and map duplicates
• Auto-documentation of playbook tasks, analyst tasks, comments, live commands in War Room
• War Room: analysts conduct joint investigations, interact with security bots, and other security products (ChatOps)
• Collaboration and granular role-based access control and management

Gartner* notes the following capabilities for Case Management:

• Case management
• Capturing knowledge base from security analysts

RSA NetWitness Orchestrator:

• Post-closure scripts
• Evidence timeline to capture key incident takeaways
• Customizable reports per incident
• Library for playbooks, automation scripts
• Auto-documentation of all actions and comments
• Machine learning trains on analyst actions for insights
• Parent and child account privileges for automations, playbooks, incident types, reports

Gartner* notes the following capabilities for Analytics Support:

• Incident Investigation
• Basic native threat intelligence
• Third-party Threat Intelligence network

RSA NetWitness Orchestrator:

• Cross-correlation of artifacts across incidents
• Visual map of related incidents with ability to link and mark as duplicates
• Central indicator repository with STIX upload, auto-detection of indicators, search and query
• Ability to schedule threat hunting playbooks and proactive response
• Extensive threat intelligence partner network
• Orchestrate actions as playbook tasks or run commands interactively from War Room

Gartner* notes the following for Dashboard and Reporting Capabilities:

• Analyst-level Reporting
• SOC Director-level reporting
• CISO-level Reporting

RSA NetWitness Orchestrator:

• Number/types of incidents, open/close status
• Number of analysts, number of incidents per analyst
• Efficiency metrics: MTTR, top performing analysts, investment saved through automation

See what RSA NetWitness Orchestrator can offer · Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719). Retrieved from Gartner. RSA NetWitness Orchestrator

Mar 10, 2020

dariahiddleston