cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SoBe8503
Viewer

Incident Handling Automation and Orchestration Suggestions Needed

Hello all,

 

Not sure if I posted in the best area, so please bare with me.  

 

I have been tasked with finding some options for Incident Handling Automation/Orchestration tools for our SOC.  I have no experience with these sort of tools and don't want to end up settling for something that's sub-par.  I've had a few vendor presentations already and so far IBM's Resilient is taking the lead, but before I make my decision, I'd like to ask you guys for any other suggestions.  Prefer to get some non-biased info instead of relying on their sites which always claim to be "the best."  Environment is around 50K+ endpoints.

 

Thanx!

5 Replies
markhust
Newcomer I

good.

Badfilemagic
Contributor II

We put CyberSponse in at a place I was at a few years ago after much looking around. I thought it was pretty good for incidenet management/handling and it had playbooks and some orchestration. I know the folks who started Phantom Cyber and for orchestrarion its definitely worth a look.
-- wdf//CISSP, CSSLP
dnn
Newcomer I

malte-wirz
Newcomer I

I did a market review on Security Orchestration, Automation and Response Tools and can recommend the following:

 

IBM Resilient

Service Now Security Operations

Demisto 

 

Also be advised that there is a new GARTNER report due soon: https://blogs.gartner.com/anton-chuvakin/2017/09/13/soar-research-coming-brace-for-impact/

Acumen71
Reader I

I recently started using a new platform from LogicHub to automate SOC playbooks.  I wrote a playbook to automate IOC's received from Google for GSuite Suspicious login alerts.  I recommend the platform for SOC automation.  We utilized SumoLogic as log aggregation and integrated Twilio for alerts and two way SMS communication.  LogicHub has a growing list of integrations that are easy to use.  SumoLogic has a list of existing API integrations that make integrated and triggering SIEM events relatively easy.  With Sumo we also utilized CrowdStrike to score IP's.