In the battle against new and aggressive threats, one thing has become abundantly clear: the more efficient a security team is, the better its chance of minimizing the impact of threats, or of avoiding them altogether.
With that mission of visibility and efficiency in mind, NetWitness announces the release of NetWitness Orchestrator 6.3.
NetWitness Orchestrator 6.3 delivers two critical features:
- New threat groupings that improve the categorization of threats within the threat library.
- Workflow Metrics that measure how effectively organizations are detecting and resolving issues, while also reporting on the ratio of false positives vs. actual indicators of compromise.
Both of these threat and response features can drive organizational efficiency and improve SOC effectiveness.
Expanded Group Types
In the past, analysts were limited in how they could categorize certain threat types within NetWitness Orchestrator. They often had to rely on general categories, or place threat data in categories that did not fit it, so that information did not line up and important threat data and fields were dropped.
The addition of new Group Objects fixes this problem.
Instead of having to work out whether a group represents a malware family, a MITRE ATT&CK technique, or a threat actor group, security analysts can now see at a glance what kind of security information they are viewing.
Over time, STIX has become the standard for categorizing threat intelligence. The new group objects align NetWitness Orchestrator more closely with the STIX taxonomy and let organizations better map and manage their threat library.
New Group Objects include:
- Attack Pattern
- Malware
- Vulnerability
- Tactic
- Tool
- Course of Action
These new groups let NetWitness Orchestrator map to STIX objects more effectively and build the foundation needed to expose more data from the Collective Analytics Layer (CAL) in the future. Ultimately, this helps ensure that the Threat Library within NetWitness Orchestrator is approachable, collated, and equipped to help security teams when they need it most.
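To make the STIX alignment concrete, here is an added example (not NetWitness Orchestrator code, and not how the product stores its threat library) that builds a minimal STIX 2.1 bundle containing one object of each type the new groups correspond to, and refuses relationships the STIX 2.1 specification does not define. It uses plain dicts rather than the `stix2` library so it runs offline; object contents are constructed sample data. One caveat a practitioner should know: STIX 2.1 defines no "tactic" domain object, so the Tactic group is shown here as the MITRE ATT&CK custom type `x-mitre-tactic`, and a technique's tactic membership is carried in its `kill_chain_phases`, not in a relationship.

```python
"""Added example: a minimal STIX 2.1 bundle for the new group types.
Not NetWitness Orchestrator code. Uses plain dicts instead of the stix2
library; all object contents below are constructed sample data."""
import json
import uuid
from collections import Counter
from datetime import datetime, timezone

# Subset of the STIX 2.1 relationship table, as (source type, relationship, target type).
ALLOWED_RELATIONSHIPS = {
    ("attack-pattern", "uses", "malware"),
    ("attack-pattern", "uses", "tool"),
    ("attack-pattern", "targets", "vulnerability"),
    ("malware", "uses", "attack-pattern"),
    ("malware", "uses", "tool"),
    ("malware", "exploits", "vulnerability"),
    ("tool", "targets", "vulnerability"),
    ("course-of-action", "mitigates", "attack-pattern"),
    ("course-of-action", "mitigates", "malware"),
    ("course-of-action", "mitigates", "tool"),
    ("course-of-action", "mitigates", "vulnerability"),
    ("course-of-action", "remediates", "malware"),
    ("course-of-action", "remediates", "vulnerability"),
}


def stix_id(stix_type: str) -> str:
    """STIX 2.1 identifiers have the form '<type>--<UUIDv4>'."""
    return f"{stix_type}--{uuid.uuid4()}"


def new_object(stix_type: str, **props) -> dict:
    """Create an object with the common required properties, then the type-specific ones."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    obj = {"type": stix_type, "spec_version": "2.1", "id": stix_id(stix_type),
           "created": now, "modified": now}
    obj.update(props)
    return obj


def relationship(source: dict, rel_type: str, target: dict) -> dict:
    """Create a Relationship SRO, rejecting pairings the spec does not define."""
    key = (source["type"], rel_type, target["type"])
    if key not in ALLOWED_RELATIONSHIPS:
        raise ValueError(f"STIX 2.1 does not define {key[0]} --{rel_type}--> {key[2]}")
    return new_object("relationship", relationship_type=rel_type,
                      source_ref=source["id"], target_ref=target["id"])


def build_bundle() -> dict:
    """Constructed sample: one object per new group type, linked per the spec."""
    technique = new_object(
        "attack-pattern", name="OS Credential Dumping",
        external_references=[{"source_name": "mitre-attack", "external_id": "T1003"}],
        # Tactic membership is expressed via kill_chain_phases, not a relationship.
        kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}])
    # ATT&CK's custom object for a tactic; STIX 2.1 itself has no tactic SDO.
    tactic = new_object("x-mitre-tactic", name="Credential Access",
                        x_mitre_shortname="credential-access")
    malware = new_object("malware", name="Sample credential stealer (constructed)", is_family=True)
    vuln = new_object("vulnerability", name="Sample LSASS access weakness (constructed)")
    tool = new_object("tool", name="Sample dumping utility (constructed)")
    coa = new_object("course-of-action", name="Enable credential protection (constructed)")
    objects = [technique, tactic, malware, vuln, tool, coa,
               relationship(technique, "uses", tool),
               relationship(malware, "uses", technique),
               relationship(malware, "exploits", vuln),
               relationship(coa, "mitigates", technique)]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def object_types(bundle: dict) -> Counter:
    """Count objects per STIX type, which is what a threat library groups on."""
    return Counter(o["type"] for o in bundle["objects"])


def dangling_refs(bundle: dict) -> list:
    """Return relationship refs that do not resolve inside the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [r for o in bundle["objects"] if o["type"] == "relationship"
            for r in (o["source_ref"], o["target_ref"]) if r not in ids]


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print(dict(object_types(bundle)))
```

The `relationship` check is the part worth keeping: a library that accepts any edge between any two group types quietly degrades back into the "categories that did not fit" problem the release is meant to solve.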
Workflow Metrics
Security teams are constantly trying to grow their efficiency. But without the ability to measure results, it’s difficult to understand where improvements must be made. That is why NetWitness Orchestrator 6.3 has added Workflow Metrics. These reports provide valuable insight into how well security operations address threats by measuring the following:
- Mean Time to Detect: the average time between a security threat or incident occurring and its discovery.
- Mean Time to Respond: the average time it takes to contain and remediate a threat once it has been detected.
- False Positive Ratio: the percentage of alerts that, on investigation, turn out not to be real threats.
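The three metrics are easy to state and easy to get subtly wrong, so here is an added example (not NetWitness Orchestrator code; the product's own reports and data model are not shown on this page) that computes them from constructed incident records. The record layout is an assumption. Two choices matter for the numbers: false positives are excluded from both mean times, because nothing was really detected or remediated, and still-open incidents are excluded from Mean Time to Respond, since counting them at their current age would bias the average low.

```python
"""Added example: computing Workflow Metrics from incident records.
Not NetWitness Orchestrator code; the Incident layout is assumed and the
sample incidents below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass
class Incident:
    name: str
    occurred: datetime             # when the malicious activity began (from forensics)
    detected: datetime             # when the alert or case was opened
    resolved: Optional[datetime]   # when containment and remediation finished; None if still open
    false_positive: bool = False   # closed as "not a real threat"


def _mean(spans: list) -> Optional[timedelta]:
    return sum(spans, timedelta()) / len(spans) if spans else None


def mean_time_to_detect(incidents: Iterable[Incident]) -> Optional[timedelta]:
    """Occurrence to detection, over true positives only."""
    return _mean([i.detected - i.occurred for i in incidents if not i.false_positive])


def mean_time_to_respond(incidents: Iterable[Incident]) -> Optional[timedelta]:
    """Detection to resolution, over true positives that are actually closed."""
    return _mean([i.resolved - i.detected for i in incidents
                  if not i.false_positive and i.resolved is not None])


def false_positive_ratio(incidents: Iterable[Incident]) -> Optional[float]:
    """Share of investigated (closed) alerts that turned out not to be threats."""
    closed = [i for i in incidents if i.resolved is not None]
    return sum(i.false_positive for i in closed) / len(closed) if closed else None


def report(incidents: Iterable[Incident]) -> dict:
    """Summarize the three metrics, with times in hours for readability."""
    incidents = list(incidents)
    hours = lambda td: None if td is None else td.total_seconds() / 3600
    return {
        "mttd_hours": hours(mean_time_to_detect(incidents)),
        "mttr_hours": hours(mean_time_to_respond(incidents)),
        "false_positive_ratio": false_positive_ratio(incidents),
        "open_incidents": sum(i.resolved is None for i in incidents),
    }


def sample_incidents() -> list:
    """Constructed sample data covering a closed true positive, a false positive and an open case."""
    d = datetime(2023, 1, 10)
    t = lambda h, m=0: d + timedelta(hours=h, minutes=m)
    return [
        Incident("phish-01", occurred=t(9), detected=t(11), resolved=t(15)),            # 2h detect, 4h respond
        Incident("lateral-02", occurred=t(8), detected=t(12), resolved=t(14)),          # 4h detect, 2h respond
        Incident("scanner-03", occurred=t(10), detected=t(10), resolved=t(10, 30),
                 false_positive=True),                                                  # benign, closed in 30m
        Incident("c2-04", occurred=t(7), detected=t(10), resolved=None),                # still open
    ]


if __name__ == "__main__":
    print(report(sample_incidents()))
```

Run as-is, the report shows MTTD of 3 hours (three true positives: 2h, 4h, 3h), MTTR of 3 hours (only the two closed true positives count), and a false positive ratio of one in three closed cases. If a dashboard quotes very different values for the same data, the first question to ask is which of these exclusions it applies.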
We know team leads and managers often need more granular information about the tools, processes, and people in their environment to define clear and realistic short-term/long-term strategies. These metrics as part of the 6.3 release help organizations identify whether tools, processes, and automation that are in place are delivering their expected results.
New Group Types and Workflow Metrics are designed to categorize threat data and to measure operational efficiency, so that your security operations can detect and resolve threats more effectively.
For more information, visit our NetWitness Orchestrator page.