Release Notes 3.0.0
New Features
New and Improved User Interface
The CFTR v3.0.0 user interface has been significantly upgraded to improve the overall experience and user engagement. It incorporates a new color scheme for a richer, consistent look across all modules, and the new responsive layout adapts to most screen sizes (1024 x 786 to 3840 x 2160) to provide an uninterrupted user experience.
Rule Engine (Beta)
With the new rule engine, admins can automate threat response by defining the automation rules to run Orchestrate Playbooks. In this beta release, admins can configure rules for the following triggers:
Incident Status change
Workflow Phase change
For example, to document the learnings when an incident is closed, admins can build a Playbook in Orchestrate that creates a knowledge base article in CFTR, and then associate the Playbook with a rule for the incident status change trigger. The next time the status of an incident is updated from Open to Closed, CFTR automatically executes the rule and Orchestrate runs the Playbook to create a knowledge base article in CFTR.
For more information about Rule Engine, see this blog.
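The trigger-to-Playbook flow described above, as an added illustration that is not Cyware's code: the trigger names, the rule fields (from/to values) and the Orchestrate dispatch are assumptions chosen to show how a status-change rule fires only for the configured transition.

```python
# Hypothetical model of the CFTR v3.0.0 rule engine described above. Constructed
# example, not Cyware's code: trigger names, rule fields and the Orchestrate
# dispatch are assumptions chosen to illustrate trigger -> rule -> Playbook.
from dataclasses import dataclass
from typing import Optional

STATUS_CHANGE = "incident_status_change"   # the two beta triggers from the notes
PHASE_CHANGE = "workflow_phase_change"

@dataclass(frozen=True)
class Rule:
    name: str
    trigger: str                      # STATUS_CHANGE or PHASE_CHANGE
    playbook: str                     # Orchestrate Playbook to run (assumed id)
    from_value: Optional[str] = None  # None = any previous value
    to_value: Optional[str] = None    # None = any new value

@dataclass
class Event:
    trigger: str
    incident_id: str
    old: str
    new: str

class RuleEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.runs = []   # (incident_id, playbook) pairs handed to Orchestrate

    def _matches(self, rule, event):
        if rule.trigger != event.trigger:
            return False
        if rule.from_value is not None and rule.from_value != event.old:
            return False
        if rule.to_value is not None and rule.to_value != event.new:
            return False
        return event.old != event.new    # a no-op update is not a change

    def handle(self, event):
        """Return the Playbooks fired for this event, in rule order."""
        fired = [r.playbook for r in self.rules if self._matches(r, event)]
        for pb in fired:
            self.runs.append((event.incident_id, pb))  # stand-in for Orchestrate call
        return fired

# Constructed rules: the notes' knowledge-base example plus a phase-change rule.
RULES = [
    Rule("Document learnings", STATUS_CHANGE, "create-kb-article", "Open", "Closed"),
    Rule("Start containment", PHASE_CHANGE, "containment-checks", to_value="Containment"),
]
```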
Build Your Own Modules
CFTR provides you the flexibility to create your own customized modules to meet your workflow and fusion center requirements. For example, for the Internet of Things (IoT) devices in your organization, admins can create a module named IoT and keep track of the security related data of all your IoT devices in CFTR.
Currently, admins can configure up to three custom modules and also define role-based access control for the custom modules.
For more information about this feature, see this blog.
Action Library
With the introduction of an Action Library, admins can now create and manage action templates that are used to map actions to the various phases of incident workflows. When an incident is created, actions are automatically created for it from the mapped action templates. For example, to create an action for blocking an IP address during an incident response phase, admins can map an action template to that phase in the incident workflow. The next time an incident is created, CFTR automatically creates an action to block the IP address and links it to the mapped incident phase.
Analysts can also create action templates using existing actions and add them to the Action Library.
For more information about this feature, see this blog.
Access CTIX Threat Data Objects from CFTR
Now, with CTIX integration, analysts can connect CTIX threat data objects to incidents and access the threat data directly from CFTR to gain contextual information and respond to threats faster. Once connected, the threat data objects are automatically added to the Threat Intel module so that analysts can access them whenever needed.
For more information about this feature, see this blog.
MSSP Dashboard
The Managed Security Service Provider (MSSP) Dashboard is a dedicated dashboard for security service providers to monitor the incident data of their tenants. The new dashboard is pre-configured and provides important metrics and visualizations for analysts to monitor incident data, such as Assignment SLA and Resolution SLA breaches, status distribution, and the date-wise distribution of the number of newly added and unassigned incidents. Analysts can also select specific tenants to get a quick overview of tenant-specific incident data.
For more information about this feature, see this blog.
Slack Integration
CFTR now seamlessly integrates with Slack to share updates on incidents over a Slack channel. This helps non-CFTR users stay informed of the progress of important CFTR incidents. Note that Orchestrate must be integrated and enabled on your CFTR application before Slack can be integrated.
For more information about Slack integration, see this blog.
Schedule Incident Exports
Now, analysts can schedule the export of incidents and automatically send the report to the recipients, thereby ensuring that the key stakeholders of your security operations team are periodically informed about the incidents that are being created.
Analysts can create multiple export schedules and manage them in Schedule Manager.
Playbook Mappings
Admins can map Orchestrate Playbooks with incidents and knowledge base articles, thereby enabling security analysts to quickly access the relevant Playbooks and execute them during threat response.
Product Walkthroughs
CFTR has integrated product onboarding walkthroughs and videos that allow new users, in particular, to explore and learn some of the key features of CFTR, such as the user interface, Incident Workflows, and Incident Workflow Configuration.
Enhancements
Support for Renaming Incident Module
Admins can rename the Incident module as per the organizational policies under Form Management. For example, admins can rename the Incident module to Case. Once renamed, the new name is reflected throughout the CFTR application, such as the Main Menu, Connect the Dots, Dashboards, Form Management, User Group Management, and more.
Identify New Fields in Closed Incidents
When reviewing closed incidents, security analysts can easily identify fields that were newly added to the incident workflow: such fields display a label named New.
Business Units Field Settings
Admins can configure the field type of Business Unit (as Single Select or Multi Select) and rename the Business Unit field. Once renamed, the new field name is reflected throughout the CFTR application, such as Incident Form, Settings, User Management, My Profile, and more.
Connect the Dots Enhancements
Analysts can now manage modules that are already connected or available to connect in a single view, eliminating the need to navigate outside this view. To help analysts understand the similarities and make better decisions on connecting the modules, Connect the Dots displays similar fields and comparison details of other modules under similarity score.
For more information about this feature, see this blog.
Incident Visualizer Enhancements
Previously, the Incident Visualizer displayed only the IDs of the connected modules and indicators, which made the connections hard to identify. Now, for better identification, analysts can switch between the ID and Title views of the connected modules and indicators.
Playbook Enhancements
The Playbook page is enhanced to enable analysts to search and run Orchestrate Playbooks, and view the run logs in a single view. CFTR v3.0.0 also displays the time taken to execute a Playbook in the run logs.
Time Zone Configuration
Admins can configure the local time zone to reflect it in the export files of the module listing pages and activity logs. Analysts can also configure their own preferred time zones under My Profile to override the Local Time Zone that is configured by the admin.
Reset Temporary Passwords for New Users
For new users who do not have email IDs to receive an invite, admins configure temporary passwords that the users sign in to CFTR with. Now, users must reset the temporary password before they can access CFTR. Also, after adding the users, admins can now add or update their email IDs later.
Incident Workflow Enhancements
Admins can use the enhanced incident workflows to:
Color-code the severity options in incident workflows for easy identification of the incident severity.
Rename the Preparation phase as per the threat response workflow requirements.
Other Enhancements
ATT&CK Navigator: Analysts can view the MITRE Tactics and Techniques with the heatmap turned on by default and download the MITRE heatmap in PNG format.
Menu: Analysts can reorder the CFTR modules and groups in the Main Menu as per their priorities.
Key Metrics Dashboard: Analysts can view the Mean Time to Resolve metric for actions under Quick Actions.
Module Creation Forms: While creating entries for various modules, analysts can now insert hyperlinks in the description field to provide additional information.
Module Listing Pages: Analysts can click Pin as Default on a view type (such as Table, List, and more) to configure a default view of the entries.