
Devo SIEM Integration with Cyware Platform

Abstract

The Devo SIEM solution performs real-time monitoring and detects security incidents based on customizable detection conditions. This integration onboards the alerts Devo raises into the Cyware platform, where they are enriched and handed to analysts as incidents.

Category: Analytics and SIEM, Data Enrichment and Threat Intelligence

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate (CO)

Third-Party Integrations Used:

  • Devo SIEM: To retrieve newly triggered alerts and identified malicious indicators.

  • VirusTotal: Enrichment of the IOCs observed from Devo alerts.

Problem Statement

Security Information and Event Management (SIEM) systems help security teams collect, analyze, and store security events and incidents. A SIEM receives a large number of alerts every day, and each alert must be triaged before it can be investigated. That triage still requires a large degree of expert human oversight to determine whether an alert is a false positive or an actual incident that warrants investigation.

Solution

Combining a SIEM with a Security Orchestration, Automation, and Response (SOAR) platform speeds up threat response by removing the arduous manual steps of prioritizing incidents and assembling the context needed to respond to them.

The Devo SIEM solution performs real-time monitoring and detects security incidents based on a customizable set of detection conditions. The integration retrieves the alerts Devo creates for suspicious activity that requires the attention of a security analyst. These alerts are then onboarded to the Cyware Fusion and Threat Response Platform (CFTR) through Orchestrate (CO) playbooks, so that security analysts can conduct comprehensive investigations from a single incident record.

[Figure: Onboard Incidents from Devo]

How do we solve this problem?

  1. Retrieve the list of Alerts: The Devo Alert Onboarding playbook retrieves the latest alerts triggered in the Devo application.

  2. Retrieve Additional Entity Information: The playbook retrieves the entities related to the alert, such as Host, Account, IP, URL, and email ID, and collates this information with the alert details.

  3. Create CFTR Incident: Create an incident on CFTR using the alert details and entities retrieved from the Devo application. The playbook also performs the following activities.

    1. Assigns a business unit to the incident based on the client impacted.

    2. Assigns an appropriate user group and user to investigate the incident.

    3. Creates notes for every entity retrieved from the Devo application.

  4. Update Devo Alert Status: To allow analysts to keep track of the incident, the playbook updates the status of the alert on the Devo application from New to Active.

  5. Enrichment: The playbook enriches the indicators (IP, URL, email, Domain, and Hash values) using the VirusTotal application. After enrichment, the enrichment score, TLP value, IOC status, and severity rating are written back to the CFTR incident. Internal addresses such as the affected host's own IP are assets rather than indicators and should not be submitted for enrichment.

  6. Connect the Dots: The playbook connects the dots to uncover correlations between isolated threats and incidents. Additionally, the playbook performs the following activities.

    1. Searches for the affected host in CFTR and connects it to the incident. If no host is found, it creates a new host.

    2. Searches for the affected user in CFTR and connects it to the incident. If no user is found, it creates a new user.

    3. Adds the malicious IOCs to the incident and connects the dots with other incidents that share the identified IOCs.

  7. Include Threat Logs: Adds threat logs from the Devo alert to the incident notes to help analysts with the investigation.

  8. Ready for Investigation: The incident is available on CFTR to be taken over by Analysts for manual investigations.
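The eight steps above are one procedure. The following is an added example, not code from Cyware, Devo, or this integration's playbooks: a self-contained Python model of the flow that extracts entities from a constructed Devo-style alert, scores the external IOCs from constructed VirusTotal-style verdicts, looks up or creates the host and user, correlates the new incident with existing incidents on shared malicious IOCs, and marks the alert Active. No Devo, CFTR, or VirusTotal API is called; every field name, the score thresholds, the default TLP value, and the sample records are assumptions made for the example.

```python
"""Added example, not code from Cyware or Devo: a self-contained model of the
alert onboarding playbook. No Devo, CFTR or VirusTotal API is called; the
alert, the existing CFTR records and the enrichment verdicts are constructed
inline and every field name and threshold is an assumption."""
import copy
import ipaddress
import re
from urllib.parse import urlparse

# Constructed Devo-style alert; the field layout is assumed, not Devo's schema.
SAMPLE_ALERT = {
    "id": "alert-1001", "status": "New", "client": "acme-retail",
    "name": "Outbound connection to known C2", "host": "ws-0421", "account": "jdoe",
    "logs": [
        "2024-05-01T10:02:11Z ws-0421 jdoe GET http://bad.example.net/x.php src=10.1.4.21 dst=203.0.113.7",
        "2024-05-01T10:02:12Z ws-0421 dropped sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "2024-05-01T10:02:13Z mx-01 mail from attacker@bad.example.net to jdoe",
    ],
}
# Constructed CFTR state: existing incidents with the IOCs already attached to them.
EXISTING_INCIDENTS = {"INC-17": {"iocs": {"203.0.113.7"}}, "INC-42": {"iocs": {"198.51.100.9"}}}
EXISTING_HOSTS, EXISTING_USERS = {"ws-0100"}, {"jdoe"}
# Constructed VirusTotal-style verdicts: IOC -> (engines flagging it, engines queried).
VERDICTS = {"203.0.113.7": (31, 70), "bad.example.net": (12, 70),
            "http://bad.example.net/x.php": (5, 70), "10.1.4.21": (0, 70)}

# RFC 1918 ranges listed explicitly: ipaddress's is_private also flags documentation
# ranges such as 203.0.113.0/24, which would hide the public IOC in the sample alert.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


def extract_entities(alert):
    """Step 2: pull Host/Account/IP/URL/email/domain/hash entities out of the alert."""
    text = "\n".join(alert["logs"])
    urls = set(re.findall(r"https?://[^\s\"'<>]+", text))
    emails = set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text))
    hashes = {h.lower() for h in re.findall(r"\b[a-fA-F0-9]{64}\b", text)}
    ips, internal_ips = set(), set()
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        (internal_ips if any(addr in net for net in INTERNAL_NETS) else ips).add(ip)
    domains = {urlparse(u).hostname for u in urls} | {e.split("@", 1)[1] for e in emails}
    return {"host": {alert["host"]}, "account": {alert["account"]}, "ip": ips,
            "internal_ip": internal_ips, "url": urls, "email": emails,
            "domain": domains, "hash": hashes}


def enrich(entities, verdicts, tlp="AMBER"):
    """Step 5: score external IOCs only; internal addresses are assets, not IOCs."""
    results = {}
    for kind in ("ip", "domain", "url", "email", "hash"):
        for value in sorted(entities[kind]):
            flagged, total = verdicts.get(value, (0, 0))
            score = round(100 * flagged / total) if total else None
            if score is None:
                status, severity = "Unknown", "Low"
            elif score >= 25:  # thresholds are assumptions for the example
                status, severity = "Malicious", "High"
            elif score > 0:
                status, severity = "Suspicious", "Medium"
            else:
                status, severity = "Clean", "Low"
            results[value] = {"type": kind, "score": score, "status": status,
                              "severity": severity, "tlp": tlp}  # default TLP is an assumption
    return results


def onboard(alert, incidents, hosts, users, verdicts):
    """Steps 3-7: build the CFTR incident record and mark the Devo alert Active."""
    entities = extract_entities(alert)
    iocs = enrich(entities, verdicts)
    host_created = alert["host"] not in hosts   # step 6: look up, create if missing
    user_created = alert["account"] not in users
    hosts.add(alert["host"])
    users.add(alert["account"])
    malicious = {v for v, r in iocs.items() if r["status"] == "Malicious"}
    related = sorted(i for i, rec in incidents.items() if rec["iocs"] & malicious)
    severity = max((r["severity"] for r in iocs.values()), key=SEVERITY_RANK.get, default="Low")
    alert["status"] = "Active"                  # step 4
    return {
        "title": alert["name"], "source_alert": alert["id"], "alert_status": alert["status"],
        "business_unit": alert["client"],       # step 3.1: client -> business unit
        "host": alert["host"], "host_created": host_created,
        "user": alert["account"], "user_created": user_created,
        "severity": severity, "iocs": iocs, "related_incidents": related,
        "notes": [f"{k}: {v}" for k, vals in entities.items() for v in sorted(vals)]
                 + [f"log: {line}" for line in alert["logs"]],   # steps 3.3 and 7
    }


def run_example():
    """Run the flow on copies of the constructed data so it is repeatable."""
    return onboard(copy.deepcopy(SAMPLE_ALERT), EXISTING_INCIDENTS,
                   set(EXISTING_HOSTS), set(EXISTING_USERS), VERDICTS)


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

On the sample alert the public destination 203.0.113.7 is scored Malicious and links the new incident to INC-17, the domain and URL are Suspicious, the incident severity is the maximum over its IOCs (High), the host ws-0421 is created while the user jdoe is found, and the internal source 10.1.4.21 is recorded as an asset but never scored.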

Benefits

Respond Quickly and Accurately

The solution automatically collates all the relevant information about an alert in one place, so analysts can access it faster and prioritize incidents by the enrichment results. This helps security teams assess and respond faster to similar incidents.

Streamline Incident Onboarding Process

Security teams can automatically gather data from the SIEM, perform enrichment, and generate incidents for investigation. This removes the need for a human to notice the relevant security data, identify it as a security incident, and manually set up an incident in the system.