The Real Time Response Orchestration process has three main components:

  • Orchestrator

  • Orchestration Manager

  • Supported network monitoring technology, such as SIEM, DLP, and Web Gateway

Orchestrator

The On-Premise Orchestrator is a small web application that is hosted on-premise. This application receives the events from supported network monitoring technologies, such as a SIEM, and forwards the captured event information to the appropriate endpoints in the SafeTitan cloud platform. The events are pre-configured in the SIEM, such as removable storage being detected or malicious software being downloaded. The information passed to the SafeTitan cloud is minimal. It is only an identifier for the event (such as the rule name) and an identifier for the user who triggered the event (such as the user's email). Information, such as passwords, is not captured.

When a SIEM/monitoring tool alarm is triggered, the AD identifier of the user who triggered the alarm is passed to the Orchestrator. (Note that the AD identifier is based on the Email Mapping Attribute between the Active Directory and SafeTitan; that is, either the user's email or username.) The Orchestrator uses this identifier to find the user in the Active Directory and gathers metadata such as the identifier that uniquely identifies the user in SafeTitan, which is the user's email/username in the SafeTitan portal. Additional metadata can also be taken from Active Directory, such as:

  • The user's Skype for Business Username (SIP)

  • The user's SLACK username

These optional properties are required only if the organization wants Real Time Responses to be sent to the users by IM.

Note

If necessary, you can deploy multiple Orchestrators.

Orchestration Manager

Similar to the Orchestrator, the Orchestration Manager is a small web application hosted on-premise on the same server as the Orchestrator. The Orchestration Manager contains a web interface that can be used to start and stop the Orchestrator site. It can also be used to view its current status (running, stopped, and so on). The main job of the Orchestration Manager, however, is to manage the installation of updates for the Orchestrator.

Updates for Orchestrator may be for new functionality or bug fixes. When updates are available, you'll be notified on the Orchestration Manager web interface and given the ability to download the latest updates in a zip file. Configuration changes can also be made to Orchestrator via the Orchestration Manager user interface.

Note

If you deploy multiple Orchestrators, then you must have an Orchestration Manager for each Orchestrator instance.

Supported SIEM / Network Monitoring Application

In order for a network monitoring application to communicate with the Orchestrator, it must use an appropriate webhook exposed by the Orchestrator. Depending on the chosen technology, the integration with the webhook will be different:

  • LogRhythm

    LogRhythm alarms can be triggered based on specific criteria, such as a Domain Account being created or a removable storage device being detected. When this alarm triggers, the information must be passed to the Orchestrator. In order for LogRhythm to use the webhook, it uses a feature called SmartResponse. SmartResponse allows the creation of a plugin containing a PowerShell script that accepts a collection of parameters passed from the alarm instance. The PowerShell script then passes this information to the Orchestrator.

  • SPLUNK

    Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution. Alarms created in Splunk can be configured to forward data to a webhook when the alarm has been triggered. The webhook is configured to forward information to the Orchestrator.

  • Other Technologies

    Currently, support for Splunk and LogRhythm is implemented and ready to use. Solutions for other technologies (such as Logpoint, MS Sentinel and DTEX Agents) are also available but may need to be customized by SafeTitan.
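The following is an added illustration, not SafeTitan's code, of the end-to-end flow described in the Orchestrator section and in the webhook integration list above: a SIEM alarm arrives at the webhook, the Orchestrator reads only an event identifier and an AD identifier from it, resolves the user in the directory by the Email Mapping Attribute, and forwards a minimal record (event, user, optional SIP and Slack handles) to the cloud. The LogRhythm parameter names, the Splunk result field name, the in-memory DIRECTORY standing in for an Active Directory lookup, and the set of fields the cloud accepts are all assumptions made for this example.

```python
"""Added example (not SafeTitan's own code): Orchestrator-style event
minimisation and user resolution. All field names and the directory stub
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical set of fields the cloud endpoint accepts. Anything else that
# arrived with the alarm (raw log lines, credentials, hostnames) is dropped
# before forwarding, which is the "minimal information" property in the text.
ALLOWED_CLOUD_FIELDS = {"event_id", "user_id", "sip", "slack"}

# Constructed stand-in for Active Directory, keyed by the Email Mapping
# Attribute (here the user's email, lower-cased). Values are the only
# attributes the Orchestrator reads; no password material is present.
DIRECTORY = {
    "alice@example.test": {
        "mail": "alice@example.test",
        "sip": "sip:alice@example.test",   # Skype for Business (optional)
        "slack": "alice",                  # Slack username (optional)
    },
    "bob@example.test": {"mail": "bob@example.test"},  # no IM handles
}


@dataclass(frozen=True)
class AlarmEvent:
    """The two things the Orchestrator needs from any SIEM alarm."""
    rule_name: str      # identifier for the rule/alarm that fired
    ad_identifier: str  # user's email or username (Email Mapping Attribute)


def from_logrhythm(params: dict) -> AlarmEvent:
    """Parse a SmartResponse-style parameter collection.
    'AlarmName' and 'Login' are hypothetical parameter names."""
    return AlarmEvent(rule_name=params["AlarmName"],
                      ad_identifier=params["Login"])


def from_splunk(payload: dict) -> AlarmEvent:
    """Parse a Splunk webhook alert body: the saved search name plus one
    result row. The 'user' field inside the row is an assumed field name."""
    return AlarmEvent(rule_name=payload["search_name"],
                      ad_identifier=payload["result"]["user"])


def lookup_user(ad_identifier: str) -> Optional[dict]:
    """Resolve the AD identifier to directory attributes (stubbed lookup)."""
    return DIRECTORY.get(ad_identifier.strip().lower())


def minimise(record: dict) -> dict:
    """Keep only the fields the cloud is allowed to receive."""
    return {k: v for k, v in record.items() if k in ALLOWED_CLOUD_FIELDS}


def build_cloud_payload(event: AlarmEvent) -> Optional[dict]:
    """Map an alarm to the record forwarded to the cloud, or None if the
    user cannot be resolved (nothing is forwarded for unknown users)."""
    user = lookup_user(event.ad_identifier)
    if user is None:
        return None
    record = {"event_id": event.rule_name, "user_id": user["mail"]}
    # Optional IM handles are included only when present in the directory.
    for attr in ("sip", "slack"):
        if attr in user:
            record[attr] = user[attr]
    return minimise(record)


def handle_webhook(source: str, body: dict) -> Optional[dict]:
    """Entry point for the webhook: dispatch on SIEM type, reject malformed
    or unknown input, and return the minimal cloud payload."""
    parsers = {"logrhythm": from_logrhythm, "splunk": from_splunk}
    try:
        event = parsers[source](body)
    except KeyError:
        return None  # unknown source, or a required field is missing
    return build_cloud_payload(event)


if __name__ == "__main__":
    # Constructed Splunk-style body carrying extra fields that must not
    # reach the cloud.
    sample = {"search_name": "Removable storage detected",
              "result": {"user": "Alice@Example.test",
                         "_raw": "usb inserted on WS-01",
                         "password": "not-forwarded"}}
    print(handle_webhook("splunk", sample))
```

The point of the example is the shape of `build_cloud_payload`'s output: whatever the SIEM attached to the alarm, only the event identifier, the user identifier and the optional IM handles leave the premises, and an alarm for a user the directory cannot resolve produces no outbound call at all.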