FUTURA Cyber is bringing to market a set of Security Orchestration Automation and Remediation (SOAR) solutions designed to help SOC Analysts reduce data aggregation workflow and increase analytical and response resolution productivity. Many Security Operations Centers (SOCs) make use of multiple cyber security point solutions to perform incident investigations. As a result, Cyber Analysts must become proficient at gathering information for analysis from all of these tools, organizing that information to determine a response solution, and storing that information for future historical analysis.

FUTURA Cyber employs >Rapid Response which is a system-of-systems integration platform for complex event processing that allows organizations to integrate many different cyber security point solutions into a single system-of-systems. >Rapid Response, a Security Incident and Event Management (SIEM) automation platform, enables integration of tools such as ArcSight, Splunk, Solera, and Fidelis (among others) using existing Application Programming Interfaces (APIs) that are delivered with those applications.

When these cyber security tools generate cyber events and other related information >Rapid Response aggregates data across point solutions in an automated and autonomous fashion, saving the analyst the time and effort necessary to visit each point solution individually. Data for a given cyber event can be collected, collated and then delivered to a target database solution providing the Cyber Analyst with a one-stop effort to perform analysis and solve the problem at hand.

Figure 1 SIEM Automation
Figure 1 SIEM Automation

In addition to aggregating information across different packages, >Rapid Response can be used to instantly automate cyber playbook activity so that immediate action can be taken when a cyber security attack is encountered (Figure 1). In following specific cyber playbook protocols, >Rapid Response applications might respond to a Splunk Event for handling ransomware by autonomously stepping through a comprehensive detection, analysis, information gathering, containment and eradication and recovery set of processes. All this taking place without the need for immediate Cyber Analyst involvement.

What Is >Rapid Response

>Rapid Response is a set of cyber applications built on Optensity’s AppSymphony platform, a modern implementation of the Ptolemy II programming automation architecture which uses a visual programming interface to define applications. Ptolemy II was developed at the University of California Berkeley and enables users to use block and line drawing tools to generate graphs of connections to 3rd party tools, data sources, databases and applications. At run-time these graphs are converted to an XML dialect call MOML which is then compiled into Java components to run as Java applications.

AppSymphony components can be designed and built by developers which communicate with various data sources, applications and databases. In turn, trained Analysts can use these components to build applications (workflows) that allow business logic to be defined between any COTS, GOTS, or open source point solutions used in building a systems-of-systems. Giving users an ability to define and build their own complex event applications from standard building blocks is a game changer in terms of productivity and rapid implementation of new workflows (Figure 2).

Figure 2 AppSymphony (>Rapid Response) Graphical Interface
Figure 2 AppSymphony (>Rapid Response) Graphical Interface

Zero Integration Approach

Using point solution APIs such as those from ArcSight, Splunk, or Fidelis we can create >Rapid Response components that are able to communicate with each other. Rather than tightly coupling such communication, a Zero Integration Approach messaging architecture is used that allows >Rapid Response components to talk to each other. For example, assume >Rapid Response components are created for ArcSight, Splunk and Solera/Symantec Cyber Analytics.

The ArcSight component captures event information, target and attacker IP address information and event start/end time. The Splunk component could be configured to retrieve attacker IP from the ArcSight component to search IP addresses in its database and the Solera component could be configured to return a Packet Capture (PCAP) thereby searching for the attacker IP address for the start time of the event. A >Rapid Response application would combine these components together to build a data aggregation application that finds all relevant event data for an analyst so that the analyst just gets an email with that information embedded.

In a Zero Integration Approach, the >Rapid Response component will speak the vocabulary for each application. ArcSight for example might understand the words event ID and Search IP. Solera might understand the words Search IP and PCAP and Splunk might understand the words Search IP. Each of these individual >Rapid Response components might subscribe to a message containing relevant data or publish a message containing relevant data. Neither component would interact directly but would publish or subscribe to messages running on a message bus such as Apache MQ or Rabbit MQ etc. Active MQ is typically used as the message bus, but the system is agnostic to messaging infrastructure. The Java Messaging Service (JMS) is used to place and receive messages from the queue(s) in question (Figure 3).

Figure 3 Active MQ - Zero Integration Interface
Figure 3 Active MQ – Zero Integration Interface

By deploying an integrated application architecture that allows components to talk to each other via messages rather than being tightly coupled through an API call we create a very robust and non-fragile architecture that just works. When an application (i.e. a >Rapid Response component) needs to be upgraded or replaced, the messaging infrastructure is updated or removed for that application, or another application is added with its own messaging vocabulary into the mix. None of the other applications in the system need to be involved in the change. This makes update and accreditation support much simpler, lower cost and lower risk.

FUTURA Cyber is working with its partner Optensity to deliver >Rapid Response modules for ArcSight, Splunk, Solera and Fidelis. Additional Cyber Security support and SEIM point solution capabilities will be added over time.