Syncurity IR Flow Automation Lab

Solution Overview
Security Orchestration, Automation and Response ("SOAR") is a family of technologies that ties together an organization's people, processes and technologies.  Effective automation can improve incident response time and capacity, increase the effectiveness of threat hunters, combine and extend the capabilities of an organization's security tools, analysts and engineers, and reduce human error by automating repeatable processes.  

Syncurity IR-Flow is a security operations platform that combines alert triage and incident handling, security automation and orchestration, and reporting and compliance.  Built on open-source technologies, Syncurity integrates with a broad range of security and IT tools and provides a customizable workflow, including steps for human input, designed to adapt to customer operations.  

This scheduled lab demonstrates how Syncurity can be used to automate enterprise incident response.

Goals & Objectives

This sandbox will demonstrate:
  • How Syncurity's Detect-Triage-Investigate-Contain&Remediate-Report workflow allows automated and human-driven steps to be combined
  • How Syncurity's Triage Scoring Engine helps to prioritize incidents quickly and accurately
  • How to enable automation by quickly codifying SOC best practices, policies and procedures as playbooks
  • How Syncurity can help with compliance through its reporting capabilities
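To make the triage-scoring and playbook ideas in the goals above concrete, the following is an added, illustrative example and is not Syncurity's engine or code. It scores constructed alerts by severity, asset criticality and threat-intel corroboration, then routes each one to an automated containment step, an analyst queue, or auto-close. All weights, thresholds, field names and sample alerts are assumptions for the example.

```python
"""Illustrative triage scoring and playbook routing (not Syncurity's engine).

Constructed example: a handful of alert records are scored by severity,
asset criticality and threat-intel corroboration, then routed either to an
automated containment playbook or to a human analyst queue.
"""
from dataclasses import dataclass

# Assumed weights; a real engine would load these from configuration.
SEVERITY_WEIGHT = {"low": 10, "medium": 30, "high": 60, "critical": 90}
ASSET_WEIGHT = {"workstation": 5, "server": 15, "domain_controller": 30}
INTEL_BONUS = 20            # indicator matched a threat-intel feed
AUTO_CONTAIN_THRESHOLD = 80  # at or above: contain without waiting for a human
ANALYST_THRESHOLD = 40       # at or above: queue for analyst review


@dataclass
class Alert:
    alert_id: str
    severity: str
    asset_type: str
    intel_hit: bool = False
    score: int = 0
    disposition: str = "unscored"


def triage_score(alert: Alert) -> int:
    """Additive score capped at 100; unknown values fall to the lowest tier
    so that a malformed alert never scores higher than a well-formed one."""
    score = SEVERITY_WEIGHT.get(alert.severity, SEVERITY_WEIGHT["low"])
    score += ASSET_WEIGHT.get(alert.asset_type, ASSET_WEIGHT["workstation"])
    if alert.intel_hit:
        score += INTEL_BONUS
    return min(score, 100)


def route(alert: Alert) -> str:
    """Playbook decision: automate containment, hand to a human, or close."""
    alert.score = triage_score(alert)
    if alert.score >= AUTO_CONTAIN_THRESHOLD:
        alert.disposition = "auto_contain"    # e.g. isolate the host via EDR
    elif alert.score >= ANALYST_THRESHOLD:
        alert.disposition = "analyst_review"  # human-in-the-loop step
    else:
        alert.disposition = "auto_close"      # recorded for reporting only
    return alert.disposition


def triage_queue(alerts):
    """Route every alert and return them ordered highest score first."""
    for a in alerts:
        route(a)
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample alerts (not from any real environment).
SAMPLE_ALERTS = [
    Alert("A-1", "medium", "workstation"),            # 35  -> auto_close
    Alert("A-2", "high", "domain_controller", True),  # 100 -> auto_contain
    Alert("A-3", "medium", "server", True),           # 65  -> analyst_review
    Alert("A-4", "unknown", "printer"),               # 15  -> auto_close
]

if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALERTS):
        print(f"{a.alert_id}: score={a.score:3d} -> {a.disposition}")
```

The cap at 100 and the fall-through to the lowest tier for unrecognised values are the two checks worth keeping in any real scoring model: the first stops a single noisy feed from dominating the queue, the second stops a malformed alert from being promoted to automated containment by accident.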

Hardware & Software

Software (Products may vary depending upon scenario)
  • Syncurity Orchestration Server
  • Elastic ELK Stack
  • Vulnerability Scanner (Optional)
  • Endpoint Protection ("EPP") / Endpoint Detection and Response ("EDR") Product

Server Devices
  • 1x Windows Jumphost (Windows Server 2016)
  • 2x Windows Domain Controllers / DNS Servers
  • 1x Linux Email Server (CentOS 7)
  • 1x Generic Application Server (CentOS 7)
  • 1x Syncurity server (Appliance)
  • 2x Elastic Servers (CentOS 7)
  • 1x Vulnerability Scanner Server (TBD)
  • 1x Syslog Server (CentOS 7)
  • 2x Splunk Servers (CentOS 7)

Client Devices
  • 4x Windows 10 Clients (Windows 10 Enterprise)
  • 3x Windows 7 Clients (Windows 7 Enterprise)
  • 3x Red Hat Clients (Red Hat Enterprise Linux 7)
  • 2x Attack Hosts (Kali Linux)