SOAR

Trusted Automation and Orchestration of Response Through Risk-Driven Prioritization

BUSINESS CHALLENGE

Network and defense analysts face ever-increasing numbers of security alerts and, from fielding them, burnout. Dark Reading reported that the average security operations center (SOC) receives 10,000 alerts each day from layer upon layer of monitoring and detection products. While the threat landscape is marked by a growing number of actors, analysts must also contend with rising numbers of false positives (at rates as high as 80 percent). Because already overwhelmed analysts are resource constrained, many alerts are ignored; according to a recent report, fewer than 10 percent of alerts are actively investigated.

CRITICAL CAPABILITIES

  • Automate and Orchestrate Responses Based on Risk
    Gurucul's enterprise risk engine generates risk scores that are applied both to individual response actions and to the generated playbook as a whole, giving customers the confidence to automate highly targeted remediation actions while preserving availability.
  • Customize Incident Response Playbooks
    Gurucul SOAR includes hundreds of dynamic playbooks that adapt to the customer's environment based on our analytics, trained machine learning (ML) models, and risk engine, producing a high-fidelity, prioritized set of responses that minimizes disruption. Customers can also customize existing playbooks or create their own using Gurucul Studio.
  • Deploy Configurable Workflows
    Responses and remediation can be automated through the organization's IT/security stack: ticketing, authentication systems, and network, system, and endpoint defenses. Automated reactions are tailored to risk and range from simply submitting a ticket to completely isolating and quarantining the risky entity, whether a user, a host, a system, or another asset in the environment.
  • Automate Even Faster with Included Case Management
    Gurucul also includes comprehensive case management. Automated incident timelines link the entire attack lifecycle for pre- and post-incident analysis, and alerts from related transactions are grouped into a single case. Cases can be reassigned, closed as risk accepted, or sent for model review feedback. Role-based access control (RBAC) and privacy controls let cross-functional teams collaborate on cases easily.
  • Leverage 3rd Party Integrations
    Gurucul integrates out-of-the-box with hundreds of downstream security solutions, so the SOAR can trigger the appropriate risk remediation actions on-premises or in the cloud using your existing tooling, and supports further third-party integrations to facilitate end-to-end incident management.

KEY BENEFITS

Increase efficiency and significantly reduce incident response times for the Security Operations Team:

  • Prioritize response actions automatically tailored to your specific environment or through fully customizable playbooks
  • Create high-fidelity targeted response that minimizes disruption to IT operations
  • Automate gathering relevant context and analysis for validation
  • Leverage included contextual case management or integrate seamlessly with existing case management
  • Enhance collaboration across your organization to remediate threats through shared context and concise recommended responses

WHY GURUCUL?

No other vendor offers a risk-driven approach to SOAR. Gurucul leverages its enterprise risk scoring engine to codify and risk-rank threats from 1 to 100.

Gurucul generates this unified risk score for every user and entity for which anomalies are triggered. The risk score, together with anomaly metadata such as the resource and event involved, then triggers the appropriate remediation action per the response playbook.

In addition, Gurucul supports API-based integration with preventive security solutions to block, disable or isolate risky users and entities and so minimize the risk.
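The two passages above (the tiered responses under "Deploy Configurable Workflows" and the score-plus-metadata dispatch described here) can be made concrete with a small risk-driven response planner. This is an added example written for this page, not Gurucul's code or its API; the 1-100 score, the anomaly fields, the four response tiers, their thresholds, and the list of availability-critical assets are all assumptions, and the anomaly records are constructed. The availability guard is the caveat a practitioner would want: an entity whose uptime matters more than instant containment is never isolated automatically, it gets a ticket and an approval request instead.

```python
"""Risk-driven response dispatch (added illustration, not Gurucul's code).

Assumptions (hypothetical, not from the datasheet): a unified 1-100 risk
score per user/entity, anomaly metadata carrying the resource and event,
and four response tiers escalating from logging to isolation. Entities
tagged as availability-critical are never isolated automatically.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed anomaly records of the kind a risk engine would emit.
SAMPLE_ANOMALIES = [
    {"entity": "jdoe", "type": "user", "risk": 35, "resource": "hr-share", "event": "file_access_offhours"},
    {"entity": "jdoe", "type": "user", "risk": 62, "resource": "vpn", "event": "impossible_travel"},
    {"entity": "wks-1042", "type": "host", "risk": 91, "resource": "lsass.exe", "event": "credential_dump"},
    {"entity": "db-prod-01", "type": "host", "risk": 88, "resource": "sshd", "event": "brute_force_success"},
    {"entity": "svc-backup", "type": "user", "risk": 12, "resource": "backup-bucket", "event": "new_geo_login"},
]

# Assets whose availability outranks automatic containment (assumption).
AVAILABILITY_CRITICAL = {"db-prod-01"}

# Ordered tiers: (minimum score, action). Thresholds are illustrative.
RESPONSE_TIERS = [
    (85, "isolate"),        # quarantine host / disable user at the EDR or IdP
    (60, "step_up_auth"),   # revoke sessions, force MFA, suspend tokens
    (30, "ticket"),         # open a case for an analyst, no enforcement
    (0, "log_only"),        # record and keep scoring
]


@dataclass
class Decision:
    entity: str
    entity_type: str
    risk: int
    action: str
    evidence: List[str] = field(default_factory=list)
    requires_approval: bool = False


def tier_for(risk: int) -> str:
    """Map a 1-100 risk score to the highest tier whose threshold it meets."""
    for threshold, action in RESPONSE_TIERS:
        if risk >= threshold:
            return action
    return "log_only"


def plan_responses(anomalies, critical=AVAILABILITY_CRITICAL) -> List[Decision]:
    """Fold anomalies per entity and choose one action on the peak risk.

    Several anomalies on one entity do not trigger several independent
    actions; the playbook acts once, on the entity's highest score, with
    every anomaly's metadata attached as evidence for the analyst.
    """
    by_entity: Dict[str, Decision] = {}
    for a in anomalies:
        d = by_entity.setdefault(a["entity"], Decision(a["entity"], a["type"], 0, "log_only"))
        d.risk = max(d.risk, a["risk"])
        d.evidence.append(f'{a["event"]} on {a["resource"]} (risk {a["risk"]})')

    decisions = []
    for d in by_entity.values():
        d.action = tier_for(d.risk)
        if d.action == "isolate" and d.entity in critical:
            # Availability guard: downgrade to a ticket and flag for human approval.
            d.action = "ticket"
            d.requires_approval = True
        decisions.append(d)
    # Highest risk first, so the queue handed to the SOC is already prioritized.
    return sorted(decisions, key=lambda d: d.risk, reverse=True)


if __name__ == "__main__":
    for d in plan_responses(SAMPLE_ANOMALIES):
        flag = " [needs approval]" if d.requires_approval else ""
        print(f"{d.risk:3d} {d.entity:<12} -> {d.action}{flag}; {'; '.join(d.evidence)}")
```

Run as a script it prints one line per entity, highest risk first. The two design points worth copying are that the decision is made per entity on the peak score rather than per anomaly, which stops alert storms from producing a storm of actions, and that the containment tier is gated by an allow-list of assets whose availability matters, which is how "maximum availability" is actually enforced rather than merely promised.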

TOP USE CASES

  • Advanced Threat Detection and Response
  • Insider Risk and Threat Monitoring
  • External, Internal, Cloud Incident Collection and Monitoring
  • Achieving Compliance Objectives (PCI, SOX, HIPAA, GDPR, etc.)

Contextual Threat Hunting

Gathering contextual information across security and non-security telemetry and matching it against indicators of compromise (IoCs) is critical to formulating an active response. This is typically a manual process, especially where traditional SIEM and XDR products have inherent limitations in data ingestion and analytics. Gurucul improves threat hunting by automating the collection and correlation of analyzed events, linking those events to establish the scope of the attack campaign, and applying a risk score to prioritize the results.

Containment of Malware Infections

With Gurucul's out-of-the-box threat content and its endpoint, network, IoT, identity and cloud analytics, together with user and entity behavior analytics, threats are detected immediately. As Gurucul identifies the attack campaign, it shows how a malware infection is attempting to spread across endpoints, applications, and network devices. From that determination it provides recommendations and fine-grained controls for autogenerated playbooks that automatically quarantine users, endpoints and network segments and temporarily limit access privileges, containing the spread and giving the security team time to remediate the attack.

Vulnerability Patching

As Gurucul identifies risks through its enterprise risk engine, it can also pull in vulnerability and threat intelligence data, aligning patching and remediation efforts with active threats. With this additional context, playbooks can be more elaborate and targeted, with prioritized actions such as patching critical or high-risk systems first. This helps the security team stop portions of the attack campaign from continuing to execute or do damage, and once the patches are applied the organization is protected from follow-on attacks and variants that continue to exploit the same unpatched vulnerabilities.

Automating Incident Response

The ability not just to detect threats but to respond to them rapidly is critical to preventing damage. Worse, threat actors often know when they have been detected, which only causes them to accelerate their efforts to steal data, execute ransomware or disrupt availability before the security team can execute a response plan. Gurucul SOAR, through contextual, risk-driven playbooks, enables security teams to automate response actions; the sooner this happens, the earlier in the attack kill chain the threat actor is stopped. SOAR can reduce mean time to respond (MTTR) for common threats such as phishing, malware, denial of service, web defacement and ransomware from days, weeks or months to minutes or hours.
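The Vulnerability Patching use case above describes ordering remediation by combining the entity risk score with vulnerability and threat-intelligence data so that high-risk systems are patched first. The following is an added example of that prioritization written for this page, not Gurucul's code or data; the weights, the risk scores, the scan findings, the "vuln-a" style identifiers (stand-ins for real CVE IDs) and the actively-exploited list are all constructed assumptions. The point it makes is that a vulnerability with a high severity score on a quiet host does not jump ahead of a lower-severity, actively exploited flaw on a host that is already behaving suspiciously.

```python
"""Risk-aligned patch ordering (added illustration, not Gurucul's code).

Assumptions (hypothetical): an entity risk score (1-100) from the risk
engine, a scan export with a CVSS base score per host/vulnerability, and a
threat-intel feed of vulnerabilities observed in active exploitation.
"""
from typing import Dict, List, Set, Tuple

# Constructed inputs; "vuln-a" etc. stand in for real CVE identifiers.
ENTITY_RISK: Dict[str, int] = {"db-prod-01": 88, "wks-1042": 91, "wks-2077": 20, "web-03": 45}

SCAN_FINDINGS: List[Tuple[str, str, float]] = [  # (host, vulnerability, CVSS)
    ("wks-2077", "vuln-a", 9.8),   # critical severity, but a low-risk host
    ("db-prod-01", "vuln-b", 7.5),
    ("wks-1042", "vuln-c", 6.5),
    ("web-03", "vuln-b", 7.5),
    ("web-03", "vuln-d", 4.3),
]

ACTIVELY_EXPLOITED: Set[str] = {"vuln-b", "vuln-c"}

RISK_WEIGHT = 0.5        # entity risk 0-100 contributes up to 50 points
CVSS_WEIGHT = 3.0        # CVSS 0-10 contributes up to 30 points
EXPLOITED_BONUS = 30.0   # in-the-wild exploitation outranks severity alone


def patch_priority(entity_risk: int, cvss: float, exploited: bool) -> float:
    """Combine behavioural risk, severity and exploitation into one score."""
    score = RISK_WEIGHT * entity_risk + CVSS_WEIGHT * cvss
    if exploited:
        score += EXPLOITED_BONUS
    return score


def prioritize_patches(entity_risk: Dict[str, int],
                       findings: List[Tuple[str, str, float]],
                       exploited: Set[str]) -> List[dict]:
    """Rank every (host, vulnerability) pair, highest priority first."""
    ranked = []
    for host, vuln, cvss in findings:
        risk = entity_risk.get(host, 0)  # unscored host: no behavioural signal yet
        is_exploited = vuln in exploited
        ranked.append({
            "host": host,
            "vuln": vuln,
            "cvss": cvss,
            "entity_risk": risk,
            "exploited": is_exploited,
            "score": patch_priority(risk, cvss, is_exploited),
        })
    # Deterministic tie-break on host and vulnerability name.
    ranked.sort(key=lambda r: (-r["score"], r["host"], r["vuln"]))
    return ranked


def host_order(ranked: List[dict]) -> List[str]:
    """Collapse the ranked findings into the order in which hosts get patched."""
    seen: Set[str] = set()
    order: List[str] = []
    for r in ranked:
        if r["host"] not in seen:
            seen.add(r["host"])
            order.append(r["host"])
    return order


if __name__ == "__main__":
    ranked = prioritize_patches(ENTITY_RISK, SCAN_FINDINGS, ACTIVELY_EXPLOITED)
    for r in ranked:
        tag = " exploited" if r["exploited"] else ""
        print(f'{r["score"]:5.1f} {r["host"]:<11} {r["vuln"]} cvss={r["cvss"]} risk={r["entity_risk"]}{tag}')
    print("patch order:", host_order(ranked))
```

With these inputs the critical-severity finding on the low-risk workstation lands near the bottom of the queue, behind the actively exploited flaws on the two hosts that are already scoring high. The weights are deliberately simple; what matters in practice is that the exploitation signal and the behavioural risk score are inputs to the ordering at all, and that the tie-break is deterministic so two runs over the same data produce the same playbook.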
