16 Hot New Orchestration, Incident Response, And Threat Intelligence Tools At RSA 2019
Here's a look at 16 products released around RSA 2019 that help customers and partners better understand the threat landscape and respond quickly and effectively when attacked.
Making Sense Of The Noise
Vendors attending RSA 2019 have invested heavily in making it easier for customers and partners to manage their security operations, gain relevant insight from large volumes of threat data, and detect and respond to security issues quickly and automatically.
Suppliers have doubled down on improving their centralized management platform through a combination of automation, orchestration, machine learning, and rich intelligence streams. Taking threat detection and response to the cloud and automating incident response to lower infrastructure costs have also been areas of focus.
Here's a look at what 16 key vendors are doing at RSA 2019 to better correlate threat data and enable a wide range of security tools to play better with one another.
Forcepoint Converged Security Platform
The Forcepoint Converged Security Platform is intended to enable the secure migration of data, applications, and business operations to the cloud, according to the company. The platform makes it possible for CISOs to define, enforce and monitor policies consistently across the security stack in one place, eliminating the gaps and redundancies of managing point products.
The platform hosts a company's complete range of enterprise-class security capabilities, delivering risk-adaptive protection and seamless cloud connectivity anywhere organizations and their users are located, Forcepoint said. It allows for the application of policies that are dynamically tailored to each individual user's actions, reducing security friction and enabling businesses to innovate more rapidly.
In addition, the company said open APIs enable integrations with third-party products, extending Forcepoint's risk-adaptive protection across infrastructure while delivering security efficacy.
Checkmarx Software Exposure Platform
The Checkmarx Software Exposure Platform delivers unified policy management, cross-product correlation and machine-learning based automated prioritization for comprehensive software security at scale. The platform uses a unified policy engine to determine security risk thresholds for specific applications and projects based on pre-defined or custom security policies.
By leveraging the Checkmarx correlation engine, the company said organizations can easily see if vulnerabilities are present across multiple stages of the SDLC to validate findings. A new Software Exposure Dashboard, meanwhile, presents code vulnerabilities by project giving business stakeholders full visibility into the organizations’ software security posture over time.
The platform fine tunes the results using machine learning algorithms to filter out false positives and make correlations to increase confidence levels, according to the company. And role-based access control across the Checkmarx Software Exposure Platform enables organizations to define roles with specific permissions and access to meet security and compliance mandates.
Palo Alto Networks Cortex XDR
Cortex XDR is a detection, investigation and response product that natively integrates network, endpoint, and cloud data. It uncovers threats using behavioral analytics, accelerates investigations with automation, and stops attacks before damage is done through tight integration with existing enforcement points, according to the company.
Five managed security service partners will launch offerings around Cortex XDR that deliver around-the-clock threat monitoring, detection and response services to Palo Alto Networks customers. The partnerships in place around Cortex XDR are with PwC, Critical Start, ON2IT, BDO and Trustwave, according to the company.
The offering is supported by Cortex, an integrated, AI-based continuous security platform that's designed to simplify security operations and improve outcomes. Cortex is enabled by the Cortex Data Lake, where customers can securely and privately store and analyze large amount of data that is normalized for advanced AI and machine learning to find threats and orchestrate responses quickly.
Exabeam SaaS Cloud
Exabeam SaaS Cloud enables analysts to collect log data and use behavioral analytics to detect attacks and automate incident response without the infrastructure costs and maintenance issues inherent in on-premises SIEM (security information and event management) deployments.
SaaS Cloud is a hosted cloud offering, and provides the full functionality of Exabeam's Security Management Platform, including a data lake, behavioral analytics, case management, security orchestration and indent response automation. Companies can directly ingest data from dozens of cloud-based services, eliminating the need to route cloud data to on-premises data centers.
Customers can license SaaS Cloud through Exabeam Spectrum, a flexible set of deployment options that provides predictable, user-based pricing regardless of deployment type. This allows organizations to use the Exabeam Security Management Platform in a range of environments and variety of configurations, including on-premises, public cloud, SaaS, hybrid or as a managed service.
JASK Autonomous Security Operations Center
JASK unveiled new multi-cloud visibility and workload monitoring features on its Autonomous Security Operations Center (ASOC) platform that deliver advanced analytics expressly designed to process the constantly changing, high-volume data unique to AWS and Microsoft Azure cloud environments.
JASK ASOC leverages the elastic capabilities of cloud computing such as horizontal-scaling data-ingestion pipelines to ensure it scales to handle any data volume that customers desire, the company said. The cloud also afford JASK the processing power necessary for the analytics that provide automated alert triage, ensuring seamless monitoring of both cloud and on-premises infrastructure on a single platform.
The platform now includes integrations with AWS CloudTrail, AWS GuardDuty and VPC Flow Logs to ingest, aggregate and analyze dynamic workload information about user activity, malicious behavior and IP traffic. JASK ASOC also fully supports the Microsoft Graph Security API to ingest a robust set of Azure cloud data and information related to Microsoft users, application and events.
Unisys Stealth 4.0
Unisys Stealth 4.0 addresses threats associated with the ever-evolving digital landscape where adoption of cloud, mobile and IoT continues to rise, the company said. It empowers clients to respond quickly and proactively to threats through the ability to isolate devices and users at the first sign of compromise.
Stealth 4.0 introduces as expanded suite of standardized tools to enable unattended, automated installation and operations, Unisys said. These automation enhancements eliminate the need for repetitious and manual operations, reducing installation time and improving management capabilities for large enterprise deployments, according to Unisys.
The software security suite uses a combination of rule-based approaches and machine learning to classify and cluster network nodes, the company said. This makes it easier to understand what network assets are present, as well as the communication between them.
DFLabs IncMan SOAR
The new version of DFLabs IncMan SOAR (security orchestration, automation and response) enables MSSPs and MDR providers to centrally perform one-to-many operations across multiple customer environments regardless of the security products deployed at each location. The tool provides flexible deployment options for regulatory compliance as well as granular analytics for reporting.
IncMan SOAR now provides a vendor agnostic Runbook capability that enables MSSPs to execute a single action across any number of client technologies such as blocking a malicious IP address while providing each customer with the ability to maintain control over what actions are allowed.
The offering automates the collection and reporting of metrics and key performance indicators across one or more environments, providing deep visibility into all facets of each customer's security infrastructure and security posture. IncMan SOAR also empowers customers to determine which intelligence, Playbooks, Runbooks and other information can be shared with its service provider.
Recorded Future Express
Recorded Future Express layers threat intelligence over existing security workflows through a browser extension, providing real-time intelligence within any web-based application and delivering up-to-the-minute risk scores as well as transparent evidence behind scoring.
Security professionals can use Recorded Future Express to access threat intelligence within SIEM offerings, vulnerability scanners, incident response systems, and other intelligence sources for meaningful context faster. With one click, the browser extension surfaces real-time risk scores and the evidence behind those scores, arming security teams with the intelligence needed to determine action.
By layering threat intelligence over existing SIEM deployments, security professions can assess the alerts that pose the greatest risk and make decisions immediately. Recorded Future Express also instantly identifies and organizes relevant information around hashes, IPs, domains and vulnerabilities when viewing security content to exponentially increase security information consumption.
Mimecast Threat Center
The Mimecast Threat Center is a group of hands-on cybersecurity experts focused on providing threat intelligence that helps organizations convert threat information into value for the business. The Threat Center will leverage email, web, and anonymized user data to offer threat intelligence insights to security professionals, according to Mimecast.
The Threat Center is focused on providing customers with actionable insight that can be used to better manage and prioritize today's evolving threats, Mimecast said. It will produce a wide variety of reports, including threat research on vulnerabilities, analysis on targeted malware, deeper insights on targeted threats hitting specific industries, as well as quarterly email security risk assessments.
Mimecast processes more than 12 billion emails from customers a month, which the company said provides the Threat Center team with a unique view of the threat landscape from email-based attacks. The threat intelligence that the team provides is gleaned from the analysis of billions of emails and web traffic across global data grids, which provides insights on targeted attacks and other malware.
FireEye Expertise On Demand
Expertise On Demand helps organizations reduce the business risk associated with overburdened or under-skilled cybersecurity teams, extending the capabilities of security operations with an array of services and threat intelligence.
The annual subscription allows organizations to backstop their security teams with detailed context, attacker insight and expert analysis to accelerate investigation and response. Expertise on Demand subscribers can also broaden their situational awareness through daily news analysis, context inquiries, finished threat intelligence, and invitations to FireEye's quarterly threat briefings.
The offering allows users to train with and alongside FireEye's security practitioners or transform an overall security program using FireEye's consulting services, according to the company. Expertise On Demand can also be purchased as a complement to FireEye's product offerings, including Helix, Email Security, Network Security and Endpoint Security.
The expanded Tripwire ExpertOps includes vulnerability management as a managed service, allowing organizations with limited in-house cybersecurity resources to maintain a strong foundation of security from vulnerability management to security configuration management and file integrity monitoring.
The new vulnerability management capabilities offer a comprehensive view of vulnerability risks along with actionable reporting and recommendations, according to the company. It's backed by comprehensive coverage for more than 200,000 conditions as well as timely vulnerability intelligence.
Tripwire ExpertOps provides personalized consulting from trained experts as well as hands-on tool management for compliance and critical asset security. It augments in-house security teams with ongoing support, guidance and customized reporting, as well as providing insights when security incidents occur.
The Malwarebytes OneView console delivers security administration via a single multi-tenant cloud-based console for simplified management of sites and customer accounts, the company said. It offers management of trial and paid subscriptions, comprehensive threat visibility and management, and monthly usage reports.
The OneView management console was purpose-built to help remediate and remediate Malwarebytes' MSP customer base, according to the company. OneView is customizable and expected to help MSPs dramatically cut down on their service calls while still providing customers with the highest level of security around endpoint detection and response.
STEALTHBits StealthDEFEND v2.0
STEALTHBits StealthDEFEND v2.0 features support for 15 new Active Directory attack tactics, techniques and procedures, additional response playbook actions, and contextual resource tagging for enhanced risk profiling. This allows organizations to prevent attackers from compromising Active Directory, the most critical service within virtually all organization.
StealthDEFEND v2.0 automatically or programmatically responds to threats the instant they're identified using an extensive catalog of preconfigured and customizable response actions. The platform automatically tags privileges users, groups, data and resources, appropriately adjusting risk ratings associated with abnormal or nefarious behaviors.
The tool also performs comprehensive forensic investigations on users and related activities in an ad-hoc fashion or for compilation of digital case files, according to STEALTHBits. StealthDEFEND v2.0 can also define threats and parameters in alignment with an organization's specific rules and requirements.
SecBI MSSP Offering
The SecBI MSSP offering automates both threat hunting and breach response based on comprehensive network traffic analysis. It provides full scope detection, SecBI said, creating a comprehensive view of each cyber incident by combining disparate alerts, events, and logs into a single narrative that shows all the affected entities and kill chain.
The tool also delivers gap analysis that identifies network security blind spots and implements fixes, according to the company. MSSPs using SecBI will benefit from: improved analyst productivity; automated detection and response; seamless integration with existing infrastructure; easy scalability with cloud-based, multi-tenant options; and fast and simple deployment with minimal ramp-up time.
PagerDuty for Security Operations
PagerDuty for Security Operations introduces a comprehensive set of new and existing security-focused integrations from the company's broader partner ecosystem. The offering allows development and operations engineers to bring security professionals onto a common platform to reduce risk, allowing them to resolve security alerts faster, according to the company.
The offer complements and extends the existing toolchain for security operations and security analyst teams, allowing them to take immediate action to triage and remediate when critical security vulnerabilities, threats or breaches are detected across their infrastructure or applications. These automation capabilities maximize a team's productivity and focus on the outcomes that matter.
PagerDuty for Security Operations helps DevSecOps, DevOps, and shared services teams improve their efficiency and integrate security tools into their production pipeline, according to the company. The offering tightens the feedback loop on critical security vulnerabilities found in source code, artifacts, tests and scans, PagerDuty said.
Juniper Connected Security
Juniper Connected Security provides an architecture that acts as a connected force with products that enhance security while providing automation, orchestration and interconnectivity capabilities. It's backed by a number of security products and strategic partnerships.
The architecture allows organizations to realize and build upon the full benefits of their existing security investments without having to rip and replace, according to Juniper. Specifically, Juniper Connected Security automates and integrates security technologies from multiple vendors, enabling a defense-in-depth approach to security that's repeatable and greater than the sum of its parts.
Automation enables reliability and is vital to technology interoperation, and a successful cybersecurity strategy requires an interconnected and layered approach that includes everything from firewalls to physical infrastructure, Juniper said. Juniper Connected Security makes it possible for multiple layers of security to work together.