TECHNOLOGY CONVERGENCE
Gartner has tracked the evolution of SOAR (Security Orchestration, Automation and Response). As this market matures, Gartner is witnessing a clear convergence among three previously relatively distinct, but small, technology markets:
• Security orchestration and automation
• Security incident response platforms
• Threat intelligence platforms
The RSA NetWitness Platform, including the evolved SIEM and threat defense offerings, is
the only platform uniquely capable of delivering pervasive visibility across logs, network
and endpoints.
RSA NetWitness Orchestrator provides:
• Native incident management and collaboration
• Security orchestration and automation
• Threat intelligence woven into one platform
RSA NETWITNESS PLATFORM: UP LEVEL YOUR SOC
See what RSA NetWitness Orchestrator can offer.
RSA NetWitness Platform components:
• Log-Centric SIEM
• Network Traffic Analysis
• Network Forensics
• Endpoint Detection & Response
• UEBA
• Threat Intelligence
• Orchestration & Automation (RSA NetWitness Orchestrator)
SOAR FUNCTIONAL COMPONENTS
SOAR should include four functional components to maximize the SOC's ability to manage the lifecycle of incident and security operations:
• Orchestration: how different technologies (both security-specific and non-security-specific) are integrated to work together
• Automation: how to make machines do task-oriented "human work"
• Incident management & collaboration: end-to-end management of an incident by people
• Dashboards & reporting: visualizations and capabilities for collecting and reporting on metrics and other information
[Figure: SOAR at the center, surrounded by Orchestration; Automation; Incident Management & Collaboration (Case Management, Analytics & Investigation Support, Journaling & Evidentiary Support, Threat Intelligence Management); and Dashboard & Reporting.]
Charts/graphics created by RSA based on Gartner research.
Source: Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30). Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719).
TO SEE RSA NETWITNESS ORCHESTRATOR IN ACTION
Schedule a Demo: https://information.rsa.com/demo-request.html
Read More: https://www.rsa.com/en-us/products/threat-detection-response/security-automation-orchestration
RSA.com/DoMore
*Source: Neiva, C., Lawson, C., Bussa, T., & Sadowski, G. (2017, November 30). Innovation Insight for Security Orchestration, Automation and Response (ID: G00338719). Retrieved from Gartner.
RSA NetWitness Orchestrator highlights an end-to-end solution that can handle varying levels of complexity across a SOC's maturity lifecycle.
Threat intelligence is becoming a significant resource for detecting, diagnosing and treating imminent or active threats. Most SOAR tools, like many others in the security market today, include various forms of threat intelligence integration for this purpose.
Gartner* notes the following capabilities in their summary of Orchestration Capabilities:
• Basic integration
• Feature-rich integrations
• Abstraction layer
• Bi-directional integration capability
RSA NetWitness Orchestrator:
• Extensible network with 160+ partner integrations
• Multiple API calls (and growing) per integration that leverage all partner features
• 400+ automation scriptlets invokable across the platform
• Logical expressions supported in the CLI
• Many bi-directional partner integrations with both push and pull capabilities
• Bring your own integration as a code-light option to build bespoke integrations
Gartner* notes the following capabilities in their summary of Automation Capabilities:
• Process guidance
• Playbooks
• Workflows with multilevel automation
RSA NetWitness Orchestrator:
• Playbooks to interweave automated and manual tasks
• Ability to create custom manual tasks and place sub-playbooks within playbooks
• GUI-based drag-and-drop playbook editor
• 40 OOTB playbooks
• Open playbook standards
• Full workflow capability
• Workflows can have automated and manual tasks across security product functions
Gartner* notes the following capabilities for Journaling and Evidential Support:
• User interface for investigation
• Historical records
• Collaboration
RSA NetWitness Orchestrator:
• Evidence board for each incident stores key artifacts for current and future analysis
• Related incidents with a time-based radial map of related incidents, and the ability to link and map duplicates
• Auto-documentation of playbook tasks, analyst tasks, comments and live commands in the War Room
• War Room: analysts conduct joint investigations and interact with security bots and other security products (ChatOps)
• Collaboration and granular role-based access control and management
Gartner* notes the following capabilities for Case Management:
• Case management
• Capturing a knowledge base from security analysts
RSA NetWitness Orchestrator:
• Post-closure scripts
• Evidence timeline to capture key incident takeaways
• Customizable reports per incident
• Library for playbooks and automation scripts
• Auto-documentation of all actions and comments
• Machine learning trains on analyst actions for insights
• Parent and child account privileges for automations, playbooks, incident types and reports
Gartner* notes the following capabilities for Analytics Support:
• Incident investigation
• Basic native threat intelligence
• Third-party threat intelligence network
RSA NetWitness Orchestrator:
• Cross-correlation of artifacts across incidents
• Visual map of related incidents with the ability to link and mark as duplicates
• Central indicator repository with STIX upload, auto-detection of indicators, search and query
• Ability to schedule threat hunting playbooks and proactive response
• Extensive threat intelligence partner network
• Orchestrate actions as playbook tasks or run commands interactively from the War Room
Gartner* notes the following Dashboard and Reporting Capabilities:
• Analyst-level reporting
• SOC Director-level reporting
• CISO-level reporting
RSA NetWitness Orchestrator:
• Number/types of incidents, open/closed status
• Number of analysts, number of incidents per analyst
• Efficiency metrics: MTTR, top performing analysts, investment saved through automation