See what RSA NetWitness Orchestrator can offer · Innovation Insight for Security Orchestration, ...

Post on 10-Mar-2020


TECHNOLOGY CONVERGENCE

Gartner has tracked the evolution of SOAR (Security Orchestration, Automation and Response). As this market matures, Gartner is witnessing a clear convergence among three previously relatively distinct, but small, technology markets:

• Security orchestration and automation

• Security incident response platforms

• Threat intelligence platforms

The RSA NetWitness Platform, including the evolved SIEM and threat defense offerings, is the only platform uniquely capable of delivering pervasive visibility across logs, network and endpoints.

RSA NetWitness Orchestrator provides:

• Native incident management and collaboration

• Security orchestration and automation

• Threat intelligence woven into one platform

NETWITNESS ORCHESTRATOR

RSA NETWITNESS PLATFORM: UP LEVEL YOUR SOC

See what RSA NetWitness Orchestrator can offer.

RSA NETWITNESS PLATFORM: ORCHESTRATION & AUTOMATION

The platform chart lists the following components:

• Log-Centric SIEM

• Network Traffic Analysis

• Network Forensics

• Endpoint Detection & Response

• UEBA

• Threat Intelligence

SOAR FUNCTIONAL COMPONENTS

SOAR should include four functional components to maximize the SOC's ability to manage the lifecycle of incident and security operations:

• Orchestration: how different technologies (both security-specific and non-security-specific) are integrated to work together

• Automation: how to make machines do task-oriented "human work"

• Incident management & collaboration: end-to-end management of an incident by people

• Dashboards & reporting: visualizations and capabilities for collecting and reporting on metrics and other information

Charts/graphics created by RSA based on Gartner research.

Source: Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30). Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719).

The second chart maps the SOAR components to RSA NetWitness Orchestrator functions:

• Orchestration

• Automation

• Incident Management & Collaboration: Case Management; Analytics & Investigation Support; Journaling & Evidentiary Support; Management and Threat Intelligence

• Dashboard & Reporting

TO SEE RSA NETWITNESS ORCHESTRATOR IN ACTION

Schedule a Demo: https://information.rsa.com/demo-request.html

Read More: https://www.rsa.com/en-us/products/threat-detection-response/security-automation-orchestration

RSA.com/DoMore

*Source: Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30). Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719). Retrieved from Gartner.

RSA NetWitness Orchestrator highlights an end-to-end solution that can handle varying levels of complexity across a SOC’s maturity lifecycle.

Threat intelligence is becoming a significant resource for detecting, diagnosing and treating imminent or active threats. Most SOAR tools, like many others in the security market today, include various forms of threat intelligence integration for this purpose.

Gartner* notes in their summary of Orchestration Capabilities the following capabilities:

• Basic integration

• Feature-rich integrations

• Abstraction layer

• Bi-directional integration capability

RSA NETWITNESS ORCHESTRATOR

• Extensible network with 160+ partner integrations

• Multiple API calls (and growing) per integration that leverage all partner features

• 400+ automation scriptlets invokable across the platform

• Logical expressions supported in the CLI

• Many bi-directional partner integrations with both push and pull capabilities

• Bring your own integration as a code-light option to build bespoke integrations

Gartner* notes in their summary of Automation Capabilities the following capabilities:

• Process guidance playbooks

• Workflows with multilevel automation

RSA NETWITNESS ORCHESTRATOR

• Playbooks to interweave automated and manual tasks

• Ability to create custom manual tasks and place sub-playbooks within playbooks

• GUI-based drag-and-drop playbook editor

• 40 OOTB playbooks

• Open playbook standards

• Full workflow capability

• Workflows can have automated and manual tasks across security product functions

Gartner* notes the following capabilities for Journaling and Evidential Support:

• User interface for investigation

• Historical records

• Collaboration

RSA NETWITNESS ORCHESTRATOR

• Evidence board for each incident stores key artifacts for current and future analysis

• Related incidents with a time-based radial map of related incidents, and the ability to link and map duplicates

• Auto-documentation of playbook tasks, analyst tasks, comments and live commands in the War Room

• War Room: analysts conduct joint investigations and interact with security bots and other security products (ChatOps)

• Collaboration and granular role-based access control and management

Gartner* notes the following capabilities for Case Management:

• Case management

• Capturing a knowledge base from security analysts

RSA NETWITNESS ORCHESTRATOR

• Post-closure scripts

• Evidence timeline to capture key incident takeaways

• Customizable reports per incident

• Library for playbooks and automation scripts

• Auto-documentation of all actions and comments

• Machine learning trains on analyst actions for insights

• Parent and child account privileges for automations, playbooks, incident types and reports

Gartner* notes the following capabilities for Analytics Support:

• Incident investigation

• Basic native threat intelligence

• Third-party threat intelligence network

RSA NETWITNESS ORCHESTRATOR

• Cross-correlation of artifacts across incidents

• Visual map of related incidents with the ability to link and mark as duplicates

• Central indicator repository with STIX upload, auto-detection of indicators, search and query

• Ability to schedule threat hunting playbooks and proactive response

• Extensive threat intelligence partner network

• Orchestrate actions as playbook tasks or run commands interactively from the War Room

Gartner* notes the following for Dashboard and Reporting Capabilities:

• Analyst-level reporting

• SOC Director-level reporting

• CISO-level reporting

RSA NETWITNESS ORCHESTRATOR

• Number/types of incidents, open/close status

• Number of analysts, number of incidents per analyst

• Efficiency metrics: MTTR, top performing analysts, investment saved through automation