Today, we are reviewing DFLabs’ IncMan security automation and orchestration platform, designed to automate, orchestrate and measure security ops and incident response.
To protect IT infrastructure, security teams need a complete, current and accurate picture of threats facing the organization. Trying to cobble together a solution from a fractured view of your cybersecurity systems is like driving into fog. DFLabs aims to solve this challenge by not only aggregating, but correlating these data sources to provide complete visibility. The company’s security automation and orchestration tool, IncMan, helps prioritize responses to security incidents and respond rapidly, even with limited resources. By reducing the time from discovery to containment, teams can mitigate damage.
DFLabs IncMan doesn’t try to make your existing security tools redundant. Instead, it aggregates the output of third-party security platforms such as SIEMs and EDRs, and of services such as threat intelligence and malware analysis. To this end, the platform currently supports more than one hundred third-party security and threat-intelligence sources and applies automated threat-intelligence enrichment across threat qualification and investigation, triage and escalation, and threat containment.
Three Pillars: Automate, Orchestrate, Measure
DFLabs describes the IncMan product within the three pillars of Automate, Orchestrate, and Measure.
Automate applies machine learning to guide security personnel through patented, highly adaptable playbooks and to accelerate the most appropriate and effective response to a threat. DFLabs calls this a “force multiplier”: it augments analysts by automating common, repetitive and menial tasks such as information gathering, data enrichment and data correlation, so that teams can prioritize and respond to security incidents in volume and at scale across a growing attack surface.
The Force Multiplier of Automation
DFLabs provides out-of-the-box IncMan playbooks based on industry best practices and recognized standards such as NIST SP 800-53 and ISO/IEC 27035:2016. Teams can also craft their own playbooks, simplified or advanced, so incident responders remain free to react as they see fit.
Incident qualification illustrates the “force multiplier” idea well: it is automated as far as is feasible, while keeping a human in the loop for the decisions that require analyst judgment.
At the heart of IncMan is the R3 Rapid Response Runbook engine. R3 runbooks are created using a visual editor that supports granular, stateful and conditional workflows to orchestrate and automate incident response activities such as incident triage, stakeholder notification, data and context enrichment and threat containment.
The DFLabs patent-pending Automated Responder Knowledge (ARK) module applies machine learning to historical responses to threats and recommends relevant playbooks and paths of action to manage and mitigate them.
Orchestrate Investigation and Response
The orchestrate pillar enables intelligence-driven command and control of security ops for SOCs and CSIRTs throughout the incident response and investigation lifecycle. This capability empowers security analysts, forensic investigators, and incident responders to respond to, track, predict and visualize cyber security incidents.
Measure and Optimize
Finally, the measure pillar offers the dashboards you’d expect, with a variety of customizable, animated charts and graphs, and lets teams measure, benchmark and optimize security operations and incident response performance with 140+ performance indicators and reports.
DFLabs cites the following KPI gains for its users:
- Reduce resolution time by 90%
- Improve analyst efficiency by 80%
- Increase the number of incidents handled by 300%
Unique Security Automation and Orchestration Features
Every cybersecurity pro knows the cost of false positives, and in an automation platform that cost is doubled: a containment action (isolating a host, disabling an account, blocking an address) triggered automatically by a false positive is a self-inflicted outage. DFLabs addresses this by validating findings before any containment step is automated, so that containment is never triggered on an unverified alert.
The ARK module begins with no knowledge of an environment and learns from the experience and actions of the security team, so its recommendations become more effective over time. ARK also helps teams automate knowledge sharing, since the response paths one analyst chooses are surfaced to the rest of the team.
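The conditional, stateful runbook described in the Automate section and the validation-before-containment step above can be illustrated with a small example. This is an added illustration, not IncMan’s runbook engine or any DFLabs API: the threat-intel feed, sandbox results, host allowlist, thresholds and alerts are all constructed, and the connector lookups are replaced by in-memory tables. It shows a workflow that enriches an alert from several sources, counts independent corroborations, and only auto-contains when the finding is corroborated and the asset is safe to isolate, escalating to an analyst otherwise.

```python
"""Minimal conditional IR runbook with a gated containment step (illustrative only)."""
from dataclasses import dataclass, field
from enum import Enum


class Disposition(Enum):
    AUTO_CONTAIN = "auto_contain"
    ESCALATE = "escalate_to_analyst"
    CLOSE_FALSE_POSITIVE = "close_false_positive"


@dataclass
class Alert:
    alert_id: str
    host: str             # asset the detection fired on
    indicator: str        # domain or file hash reported by the SIEM/EDR
    source_score: float   # confidence reported by the originating tool, 0..1


@dataclass
class Verdict:
    disposition: Disposition
    corroborated_by: list = field(default_factory=list)
    notes: list = field(default_factory=list)


# Constructed stand-ins for connector lookups (threat-intel feed, sandbox report).
# A real runbook would call the integration here; these are just tables.
TI_FEED = {"evil.example": "malicious", "cdn.example": "benign"}
SANDBOX = {"evil.example": "malicious", "updates.example": "suspicious"}
# Constructed list of assets that must never be auto-isolated, whatever the
# score says (a vulnerability scanner and a domain controller).
NEVER_AUTO_CONTAIN = {"vscan01", "dc01"}


class Runbook:
    """Stateful, conditional triage workflow ending in a gated containment step."""

    def __init__(self, min_sources=2, min_score=0.8, fp_score=0.5):
        self.min_sources = min_sources  # independent confirmations needed to auto-contain
        self.min_score = min_score      # originating-tool score that counts as a confirmation
        self.fp_score = fp_score        # below this with no corroboration -> false positive
        self.actions = []               # audit trail of every automated action taken

    def enrich(self, alert):
        """Ask each source about the indicator; every hit is one independent vote."""
        sources = []
        if TI_FEED.get(alert.indicator) == "malicious":
            sources.append("threat_intel")
        if SANDBOX.get(alert.indicator) == "malicious":
            sources.append("sandbox")
        if alert.source_score >= self.min_score:
            sources.append("originating_tool")
        return sources

    def run(self, alert):
        sources = self.enrich(alert)
        verdict = Verdict(Disposition.ESCALATE, corroborated_by=sources)

        if not sources and alert.source_score < self.fp_score:
            verdict.disposition = Disposition.CLOSE_FALSE_POSITIVE
            verdict.notes.append("no corroboration and low source score")
        elif len(sources) >= self.min_sources:
            if alert.host in NEVER_AUTO_CONTAIN:
                # Corroborated, but isolating this asset is too disruptive to automate.
                verdict.notes.append(f"{alert.host} is on the no-auto-contain list")
            else:
                verdict.disposition = Disposition.AUTO_CONTAIN
                self.actions.append(("isolate_host", alert.host))
        else:
            verdict.notes.append("single-source finding, needs analyst review")

        # Stakeholder notification happens on every path, containment only on one.
        self.actions.append(("notify", alert.alert_id, verdict.disposition.value))
        return verdict


if __name__ == "__main__":
    rb = Runbook()
    for a in (Alert("a1", "ws-117", "evil.example", 0.9),
              Alert("a2", "ws-118", "updates.example", 0.95),
              Alert("a3", "ws-119", "cdn.example", 0.2),
              Alert("a4", "dc01", "evil.example", 0.9)):
        v = rb.run(a)
        print(a.alert_id, v.disposition.value, v.corroborated_by, v.notes)
    print(rb.actions)
```

The point of the gate is the second branch: a single high-confidence detection from one tool still goes to an analyst, and even a fully corroborated finding on an asset in the no-auto-contain set is escalated rather than isolated, while the audit trail records what was (and was not) done.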
What Customers Say
“IncMan is a well-rounded, customizable Incident Management system. Their ports, dashboards and workflows are perfectly suited for the university and its students.”
Abe Alirez, Network Operations, University of Advancing Technology, United States
“IncMan NG is second to none! It is a centralized incident management platform that is fully customizable for your automation needs. Has the ability to maintain your run books, forensic artifacts and IOCs all in one platform. This product is a must for all SOCs and CIRTs.”
John McLeod, Information Security Manager
Delivery & Deployment of IncMan Security Orchestration, Automation and Response
IncMan can be deployed as a virtual image on hypervisors or IaaS platforms, or as an on-premises software install. The virtual image is built on CentOS, and the product supports CentOS, Red Hat Enterprise Linux, VMware and Amazon AWS.
Integrating third-party technologies is simplified by DFLabs IncMan’s Quick Integration Connectors (QICs), which bring integration to the point where users generally don’t need professional services to begin connecting their security stack.
Custom development via scripting or professional services may still be required in some cases. As with most security automation and orchestration solutions, IncMan cannot ship a connector for every third-party technology a user may have, as technology stacks grow increasingly varied and complex. Since each connector typically holds credentials on the integrated tool, and the platform can issue containment actions through them, practitioners should scope those credentials to the minimum needed: read-only for enrichment sources, write access only where automated containment is intended.
Ease of use is further increased by out-of-the-box automation actions, over 100 customizable playbooks, and 140 KPIs and reporting templates.
Licensing & Pricing
Licensing is based on an annual subscription model, with discounts available for multi-year subscriptions and upfront payment. For organizations that require a CAPEX model, the company also offers a perpetual license with a 20% annual maintenance fee.
DFLabs is headquartered in Italy with a management team composed of experienced leaders from the EU, Accenture, Deutsche Bank, Gartner, and Guidance Software. DFLabs senior executives have recently spoken at events such as Black Hat Europe, the European Cyber Threat Summit, and Borderless Cyber USA. IncMan recently won platinum awards in two separate cybersecurity categories of the 2017 GSN Homeland Security Awards. For more information, please visit: www.dflabs.com.