Partner Perspectives: IR Challenges Solved by IncMan SOAR + Cb Response


John Moran is the Senior Product Manager for DFLabs.

Cb Response is one of the most effective endpoint solutions when it comes to detecting, investigating and responding to advanced threats.  I do not say this as a marketing person (I am not), but as a former incident response consultant who utilized Cb Response on dozens of complex incident response engagements.

In most enterprises, Cb Response is just one of many solutions being used to monitor and defend the network. Network security, threat intelligence, vulnerability management, data loss prevention, forensic and SIEM solutions are commonly deployed alongside endpoint solutions, such as Cb Response, in many enterprise environments. While this plethora of solutions has provided enterprises with a holistic security approach, it has created additional challenges which must be addressed to ensure that security professionals can respond efficiently and effectively to all potential threats.

The first challenge that must be overcome is effectively handling the abundance of alerts which can result from having many separate solutions in the environment. This challenge is often compounded by a shortage of skilled analysts able to quickly triage and investigate each individual alert.

The second challenge is created by the number of different solutions in the enterprise. Each new solution increases the amount of time analysts must spend manually querying for relevant data and correlating that data into actionable intelligence.

As a former incident response consultant, I can attest that these manual processes consume a significant portion of an analyst's limited time during an investigation.

In response to these challenges, many organizations have turned to Security Orchestration, Automation and Response (SOAR) solutions such as DFLabs IncMan SOAR. SOAR solutions allow enterprises to orchestrate the numerous security solutions in their environment and automate repeatable processes, serving as a force multiplier for their existing security resources, allowing them to respond more efficiently and effectively to each potential threat.

Let’s take a brief look at how Cb Response and IncMan SOAR can dramatically increase the efficiency of your security program by looking at how IncMan could automate and orchestrate the response to an alert from a Cb Response watchlist.

Our IncMan Runbook begins by querying the hash value from the watchlist alert through a threat reputation source for additional reputation information. Next, an automated decision point is reached, which determines if either the initial score from Cb Response or the results from the threat reputation source meet the criteria for further automated action.

If these thresholds are not met, a notification will be sent to the security team and the incident will be closed. If these thresholds are met, IncMan will query Cb Response for all binaries matching the hash value from the initial alert. IncMan will follow this with a query to McAfee ePO to gather additional information regarding the host which generated the initial alert.

After gathering this initial enrichment information, the user is posed with a user choice decision: Would you like to ban the hash value in Cb Response? This user choice decision pauses the automation of the runbook and allows the analyst to review the previously enriched information before determining whether to ban the hash.  Once the decision is made by the analyst, the runbook automation will continue.

Next, IncMan will pivot to network connections made by the suspicious process which generated the initial alert. If any network connections were made, IncMan will query Cb Response for the connection details. Each IP address is then queried by IncMan through a threat reputation service. If any IP addresses have negative threat scores above a certain threshold, IncMan will automatically block the IP address using the appropriate integration for the enterprise's network solution.
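The control flow of the runbook described above, modelled as an added sketch that is not IncMan or Cb Response code. The thresholds, field names, "higher score is worse" convention and the dict-based `sources` standing in for the integrations are assumptions, and all data is constructed.

```python
"""Control-flow sketch of the watchlist runbook (constructed data, no vendor APIs)."""
# Assumed thresholds: the post only says "pre-defined thresholds".
ALERT_SCORE_MIN, HASH_REP_MIN, IP_REP_MIN = 70, 60, 80

def runbook(alert, sources):
    """Generator: yields ("ask", question) at the analyst decision point,
    expects the answer via send(), and returns the ordered list of actions."""
    actions = []
    hash_rep = sources["hash_reputation"].get(alert["hash"], 0)
    actions.append(("enrich_hash", hash_rep))
    # Automated decision point: either score may qualify the alert.
    if alert["score"] < ALERT_SCORE_MIN and hash_rep < HASH_REP_MIN:
        actions += [("notify_team", alert["id"]), ("close_incident", alert["id"])]
        return actions
    actions.append(("find_binaries", sources["binaries"].get(alert["hash"], [])))
    actions.append(("host_info", sources["hosts"].get(alert["host"], {})))
    # User choice decision: automation pauses here until the analyst answers.
    if (yield ("ask", "Would you like to ban hash %s?" % alert["hash"])):
        actions.append(("ban_hash", alert["hash"]))
    # Pivot to network connections made by the alerting process.
    for ip in sources["connections"].get(alert["process"], []):
        if sources["ip_reputation"].get(ip, 0) >= IP_REP_MIN:
            actions.append(("block_ip", ip))
    return actions

def execute(alert, sources, analyst_answer):
    """Drive the generator, answering the analyst prompt with analyst_answer."""
    gen = runbook(alert, sources)
    try:
        next(gen)                 # runs until the prompt, or finishes early
        gen.send(analyst_answer)  # resumes after the analyst decides
    except StopIteration as done:
        return done.value
    raise RuntimeError("runbook asked more than one question")

# Constructed sample data (placeholder hash, documentation IP ranges).
SOURCES = {
    "hash_reputation": {"HASH_A": 85},
    "binaries": {"HASH_A": ["host-17", "host-22"]},
    "hosts": {"host-17": {"os": "Windows 10", "owner": "finance"}},
    "connections": {"proc-1": ["203.0.113.9", "198.51.100.4"]},
    "ip_reputation": {"203.0.113.9": 92, "198.51.100.4": 10},
}
ALERT = {"id": "INC-1", "hash": "HASH_A", "score": 40,
         "host": "host-17", "process": "proc-1"}
```

Note that in this flow the IP blocking step runs regardless of the analyst's answer on the hash ban, so the IP threshold is the only gate on that automated containment action.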


This is just one example of the power that Cb Response and DFLabs IncMan can bring to an enterprise’s security processes. Not only did IncMan further enrich the initial alert by using additional information from Cb Response and other solutions, IncMan was also able to pivot from the initial alert to automatically identify and block additional potential indicators. IncMan’s automated and semi-automated containment actions provide an immediate reaction based on the enterprise’s pre-defined thresholds to prevent further compromise.

This process, which could have taken an analyst minutes – or even hours – to perform manually, was conducted immediately upon receipt of the initial alert, and can be completed in under a minute. By significantly reducing risk and freeing an analyst’s time through a SOAR platform with an integrated threat hunting solution, such as Cb Response, analysts are able to focus on more complex tasks that require their attention and intervention.

To learn more about the integration between DFLabs IncMan SOAR and Cb Response, visit DFLabs’ page on Carbon Black’s Partner Locator.


The post Partner Perspectives: IR Challenges Solved by IncMan SOAR + Cb Response appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.
