Machine Learning / Security

Machine Learning and Playbooks are Key to DFLabs’ Incident Response Technology

27 Mar 2017 12:00pm, by

Perhaps after seeing too many movies in which artificial intelligence runs amok, security chiefs aren’t ready to completely turn incident response over to automation, according to Dario Forte, CEO of DFLabs.

“Over the past 18 months, been asking CISOs (chief information security officers) what they think about full automation. They told us it’s pretty sexy marketing, but not reflecting the vision they have for orchestration and automation,” he said. “They think they should follow a path of supervised activity until they reach a point of full automation.

Enter supervised artificial intelligence, which uses machine learning and some form of AI applied to incidents, but humans remain in the loop until the customer organization reaches a required level of maturity that will allow them to reach full automation.

Key to the company’s flagship IncMan technology are what the company calls dual mode playbooks, which outline automated steps for machine-to-human and/or machine-to-machine response.

From a technology standpoint, it all can be fully automated — everything from triage to resolution and remediation, according to Forte.

The automation can be performed with the aid of machine learning, which can inform evolution of the playbooks as threats change dynamically.

“But if you don’t feel that you’re already there from a maturity standpoint, you can program the machine to do an automatic triage or automatic remediation, for example, but still having people in the loop,” Forte said. “You can have a point in the workflow where human authorization is required.”

Playbooks can be created for each type of incident or alert. IncMan includes hundreds of playbooks based on U.S. and European industry regulations, including the EU General Data Protection Regulation (GDPR), standards and best practices.

However, clients also can create their own playbooks visually using a drag-and-drop set of actions without the need for any code. In the playbooks, they can integrate by API with more than 75 different third parties including security information and event management (SIEM), endpoint, forensics, identity management, Active Directory and other software. Those scripts can be tested in a sandbox before going into production.

The playbooks can reduce reaction time up to 80 percent, he said.

“Without having to do manual processes, it saves time and money. At the same time, there’s a huge reduction in human error. The playbooks are pre-built and validated so human error is reduced, and this helps limit exposure from a legal standpoint,” he said.

The company in January announced a partnership with endpoint security vendor Carbon Black.

Security Innovators

The incident-response market expected to grow to $30.29 billion by 2021, with a compound annual growth rate of 18.3 percent, according to research from MarketsandMarkets.

It’s among the new faces in security innovating around machine learning, including Demisto, Evident, GuardiCore and others. Many of these smaller niche security vendors are prime targets for acquisition, the MarketsandMarkets report states.

Forte, a former police officer, founded the company, based in Crema, Italy, in 2004 as a security professional services firm, with its team highly involved in international security standards bodies.

Forte was co-author of three new International ISO (International Organization for Standardization) standards for incident response released in 2015-2016.

In 2010, DFLabs introduced the IncMan technology to automate orchestration, response and reporting. The company’s professional services team works with customers to help them determine when they’re mature enough to rely more heavily on automation, Forte said.

It also provides customers with a knowledge base that includes threat catalogs, frameworks, standards, regulations and more to help security teams create and execute a response plan. It also can be used to conduct risk analysis and demonstrate compliance with state, federal and international breach regulations.

It supports STIX (Structured Threat Information eXpression) as well as TAXII (Trusted Automated eXchange of Indicator Information), OpenIOC, and IODEF (Incident Object Description Exchange Format) and provides secure threat-sharing to organizations such as the U.S.’s Information Sharing and Analysis Centers (ISACs).

Most of its customers are in the United States, Forte said, including IBM, University of Advancing Technology, Bridgestone Americas and several U.S. government agencies, which he declined to name.

Network World named it one of the hot products at RSA 2017.

“Incident response is a market that DFLabs is well positioned to serve with its long history and expertise. IncMan offering is designed by practitioners for practitioners and has all the technical foundations of a solid product,” said former 451 Research analyst Javvad Malik.

Feature Image: “Response requires transportation” by CDC Global, licensed under CC BY-SA 2.0.

A newsletter digest of the week’s most important stories & analyses.

View / Add Comments

Please stay on topic and be respectful of others. Review our Terms of Use.