The Mystery Behind CyberSponse’s Last Day at RSA

No need to call the gang from Mystery Inc.!! Our post today is here to give you answers to the mystery that everyone is trying to figure out.The mystery of why CyberSponse was not there on the last day of RSA.

The RSA show this year has attracted the biggest crowd of vendors and attendees since its beginning. Especially, it was a fascinating and exciting time for companies in the security automation and orchestration space.

CyberSponse’s staff felt the hype and enthusiasm among visitors while visiting CyberSpone’s booth. Our company has a different style and approach and has managed to build an enterprise that has a lot of people talking. Sometimes we wonder if the word “disruption” is supposed to mean “similar” or alike because of what we see in the industry today like identical marketing by everyone, does not remind of any disruption. CyberSponse enjoys disruption and will continue to expand on our innovation. Hey, has anyone really built anything without ruffling a few feathers? Not likely.

Today, more than ever, to create a niche for yourself, you need to “disrupt” the current process or offering in order to create something more efficient, more effective and more logical. At the end of the day, CyberSponse offers an entirely different perspective and others are very interested to see and explore it.

While this topic can create a debate that would last till the “cows come home”… In recent past, we have seen Uber disrupt the taxi industry, Netflix send Blockbuster into dissolution, the cyber security industry creates billions of dollars of value. It is clear there is no “cookie-cutter” way to run or build a business and last time I checked. Axe is a warrior!! #Billions

So back to disruption and breaking some of the molds of creation. What does it really mean to disrupt and build something new or completely different? Well, Google defines the word “disrupt” as: dis·rupt, verb

To interrupt (an event, activity, or process) by causing a disturbance or problem.

To throw into confusion, throw into disorder, throw into disarray, cause confusion/turmoil in, play havoc with drastically alter or destroy the structure of (something).

Although some could argue that building a business on deception is fair game, I think it is wrong. Moreover, I believe that the industry is tired of all of it. This sector has also seen teams choose to pick their share of battles amongst each other too. We all know that it’s not something that is healthy or helps to provide a better service to protect our customers and country.

Let’s get back to the mystery… So why did we leave the last day? The answer is pretty simple. Our team spent four 20-hour days. I made the call to let them join their families for some R&R. While I would never have thought that so many people would have asked us about our “early” departure, it has me thinking that maybe we’ll do it next year but with a big sign that says, “We Left to Continue Solving Problems” — kidding of course — or am I? 🙂

We all know that the last day of RSA tends to be slow, probably associated with the fact that everyone was up until 2-3am for the last three days. We also know that most of us are hoarse from all the talking we’re doing with loud techno music playing in a club filled with industry peers. Leaving RSA was in the best interest. It allowed CyberSponse to take home some incredible opportunities with customers that have the demand exceeding all our expectations and projections. Was it a good call? Looking back, I would not have changed anything.  Although I think we should have posted an explanation on our social media channels. It’s better to explain than let anyone “fill in the blank” and we have heard some interesting assumptions why we left.

As many of you know, I tend to call it as I see it and I am very transparent about my intentions in life, competing in the market and also who out there is real and who is not. This team and I are here to solve problems. We are here to create and not take from anyone, we aim to innovate and not copy, and our main mission is to protect companies and countries from adversaries.

More importantly, we are here to protect our creativity, domain, and ideas. Many brilliant people have come and gone, but few know how to execute an idea. If you can do both, then you are dangerous or disruptive. Disruptive in a good way, making other people aim higher, be more creative and working harder.

The world we live in today is no cupcake or joyride, creating millions of dollars in value and defending your domain in a highly competitive space is no easy feat. Operating in this competitive environment can at times leave scars on your back.

So why did CyberSponse leave RSA? We left because we love what we do and needed to get back to work. I do apologize if we missed anyone at the show who wanted to meet us. If this is the case, we want to apologize by sending you one of our new  HIGH TECH SOC LEGO Kits for free. Just reach out to our team through social media, and we’ll hook you up. #CSRulz

Visit our website and all of our social media sites to get a chance at the LEGO kit!!  

Twitter, Facebook, Linkedin

Incident Response Automation and Orchestration is on Fire!

Incidents are the first indication that there is a problem in the network. They are often precursors to a much more serious disaster, if not responded accordingly. If the incident response (IR) is not planned and executed effectively, the results can be catastrophic. When an incident occurs, it means something out of the “norm” has happened.

Regarding of its severity, an incident can be defined as any event that, if unaddressed, may lead to a business interruption or loss. At the same time, the more tools an organization is using, the more alerts they are receiving, and it becomes really challenging to the analysts to respond and solve each alert manually in a timely manner.

The main challenge that can be solved by automation and orchestration is that while there more and more new tools of cybersecurity, the workforce is not increasing so rapidly. That leaves the same number of SOCs staff to deal with much more alerts and tools.

Below we have listed some of the challenges that SOCs staff face every day:

IR is a manual process: Looking at the facts, currently, IR tasks range from fetching data to malware detection. Getting everyone on the same page with tracking events to communicating the problem with the team involves organization and technical skills between individuals within the security operations center team. Ultimately, the manual process is killing company’s’ overall IR productivity.

IR is Dysfunctional: Usually, the SOC team finds the fires, but it counts on IT operations to fight the flames. Unfortunately, this relationship is not always a perfect marriage. One-third of cybersecurity professionals say coordinating IR activities with cybersecurity and IT operations teams is one of their top challenges when responding to an incident.

IR shines a spotlight on the cybersecurity skills shortage: According to Enterprise Strategy Group (ESG) research, 45% of organizations say they have a “problematic shortage” of cybersecurity skills in 2017. The problem of workforce shortage will just increase in the near future. As a result, understaffed and under-skilled SOC teams depend on the certain individuals and manual processes to get their job done.

Three main challenges listed above might be solved with automation and orchestration. It provides greater support for SOC workflows within SIEM tools, like AlienVault, McAfee, Splunk, etc. As a result, in recent years we see the rise of innovative IR platforms like CyberSponse. CyberSponse was a leader in IR automation, case management, and workflow orchestration.

45% of CISOs across the US believe that their organizations’ IR budgets will increase significantly in 2017. While 42 percent claim budgets will increase somewhat in 2017. For good reasons, a big portion of the budgets will be spent on IR automation and orchestration.

For more Information on IR, check out !!




We have just upgraded our new SOC LEGO KIT kit!!

Below are the pictures that we wanted to share with all of you. The idea behind this lego kit is to provide a fun way to look at cybersecurity industry. Legos is one of the most recognizable and grossing toys ever! We were so happy to work with a creator who made this reality.

This desk size SOC system consists of two workers analyzing different alerts. Naturally, many of our industry wizards grew up with lego’s trying to build the coolest parts our imagination could render. With this idea, our team decided to engineer and deliver our product playset with a creative message. We couldn’t be more proud to bring to the industry a playful way to have TRON Joins CyberSponse in the next generation of security integration and interoperability.  We love that we can put two great things together!

Cybersecurity practitioners in the information security environment need to follow a certain sequence of steps to solve and remediate cybersecurity incidents. The CyberSponse Playbook engine offers consistency and repeatability for the day to day operations. As we all know, analysts become overburdened with increasing number of alerts. As a result, they may overlook key indicators and notifications that are critical to the organization’s security.

Similarly, experienced analysts might be provoked to make “out of process calls” to skip key parts of the incident response plan based on incomplete information or impatience. With the CyberSponse Playbooks, the same data is assembled together for every alert, and every notification is investigated and memorized in the same approved manner each and every time it occurs. In simple terms, your final result matches the desired outcome with no curveballs. Do not get faked out by pretenders!!

Interested in seeing how CyberSponse can help your organization? Schedule a Demo today!! And check out more about Incident response on for the upcoming conference that is going to change our industry as a whole.

Security Operations Center and Their Role in Keeping Organizations Safe PT.2

In our last post, we talk about the benefits, functions, and tasks of the Security Operations Center (SOC). We are continuing to share our ideas about the benefits of a well-developed SOC.

SOC’s main task indications that something is wrong in the network and stop them quickly. Efficiency and well-streamlined operations are essential to guide remediation. The SOC would consist of layers like 1) level 2) analysts, 3) engineers, 4) management.

One of the main tool used at SOC is sensors. The sensors provide logging i.e. Firewall, Routers, ACLs, HUBs etc. Collectors gather information from different sensors and translate them into a standard format for having a homogeneous format. For the best efficiency, custom parsers would need to be created to troubleshoot log sources.

The SIEM solutions have to be tuned to accommodate the unique needs and use cases. The used cases must be defined and are typically the events that require SOC’s intervention or monitoring. For example, finding, containing, and removing malware not detected by antivirus software from our network involves some steps. There are several rules in this used case that will be used to alert the SOC to perform an investigation. Other typical use cases are SMTP traffic from an unauthorized host, antivirus failed to clean, repeated attack from an IP, excessive outbound SMTP traffic, excessive outbound web or email traffic, access to a malicious website, exploit traffic from a single IP, and etc.

The policies and well-described procedures are essential to an effective and efficient incident response. The SOC has to have developed internal policy on controls, governance, the configurations of the devices it manages. Modifications will be made to ensure the devices are in alignment with policy and doing the expected job.

Communication is one of the most important parts of well-developed policy and procedures. A SOC needs to make sure that information system security incidents are promptly reported, security events and weaknesses are promptly communicated to the appropriate system administrators, and timely corrective actions are taken.

Additionally, the SOC must establish a formal information security event reporting procedure so it can perform incident response effectively. Data is usually worthless and needs to be turned into information and analyzed to take action.

Decision: In-house SOC vs. Outsourced Managed Security Service Provider (MSSP)

A question often asked is what is a better choice between an in-house SOC and Outsourced MSSP. Setting up a SOC could cost you around $750k for tools and infrastructure initially. Additional costs include a team of 5-9 FTEs (depending on size, volume, complexity), maintenance, depreciation, training would need a further investment of $800k annually. In contrast, an MSSP would charge an initial setup of $500k yearly subsequently. The advantages of an in-house SOC is having a dedicated team, a better organization creating sensitive log data, known environment, easy customization, efficient correlations between groups, logs stored locally, but the disadvantage is higher costs up-front. The advantages of MSSP SOC is fewer capital expenses, access to security expertise, research and threat intelligence of MSSP, scalability, and flexibility, experiences of MSSP.

The MSSP would monitor security logs and additionally make changes to the environment based on event analysis and security intelligence. An MSSP delivers greater cost efficiency and more effective security monitoring. Many organizations use the MSSP service, so the infrastructure and processes needed to support have been built. Intelligence gathering and usage are also how a SOC can begin to become proactive in the IT security fight and this will be brought in. The proactive methods include information from partners and databases. The quality of the intelligence and evaluation of that information into SIEM tools would be continuously matured.

Service Management

The SOC should be process driven. These processes and SOC functions will be documented in advance as part of run book. It is also important to assess or audit a SOC. Information Technology Infrastructure Library (ITIL) methodology could be one baseline for service strategy, service design, define key performance indicators (KPI), service functions, service level agreements (SLA), transitions, change management, operations, continual improvement.

With well-managed operations and team, an enterprise can ensure service quality and feels confident of the response to security events.

Security Operations Center

An increasing number of high-profile cybersecurity incidents from Sony Pictures to Apple Application Store hacking encouraged enterprises to invested and develop their Security Operations Centers (SOCs). Businesses confirmed that it is becoming more challenging to handle sophisticated security events around complex environments  varying from physical IT tools, to private and public clouds.

The truth is, it is becoming more and more challenging to manage security in hybrid environments. Businesses are investing in the development of SOCs to provide a centralized platform for a rapid response to cyber breaches. A SOC is an organized and highly skilled team whose mission is to monitor and improve an organization’s cybersecurity posture while preventing, detecting, analyzing, and responding to cyber security incidents using both technology and precise procedures. Cybersecurity experts working at SOCs analyze threats from malware to phishing attacks detected by the sequences of tools to keep the organization secure.

To support business, a SOC must reduce both the time and impact of security-related incidents that exploit, deny, degrade, and disrupt business operations. Monitoring is the most effective tool to prevent major cyber incidents. The SOC is a machine for incident prevention. A SOC needs to maintain an effective staffing level responding to the size of the business operations. Continuous education assures that SOC’s staff stay up-to-date with trending threats, cybersecurity tools, and best practices.

Web proxies, sandboxes, endpoint breach detection solutions and forensics tools among others contribute to a complete SOC ecosystem. All of the involved systems generate events, logs, flows, and telemetry data that must be ingested, processed and analyzed by a machine and, eventually, by a human being. A security information and event management (SIEM) managed and maintained drives enterprise security program at SOC.

Finally, the size of the organization, the amount of sensitive data kept, and potential threat level drives the size and scale of the SOC.

SOC Benefits

  • Efficient response time
  • Identifying attacks and responding before they can cause damage
  • Helps recovery in a reasonable time

SOC Functions

  • Real-time monitoring & management
  • Reporting
  • Post-incident analysis

The service function of a well-organized SOC would include monitoring and incident detection, diagnostics and incident isolation, problem correction, working with devices, systems, software and endpoints, escalation and finally closure of incidents. The SOC benefits come from the good SIEM tool and its staff, that consolidates all data, analyzes it intelligently and provides visualization.

SOC Tasks

The SOC would detect attacks from the internet, detecting insider threats, monitoring compliance, incident response. The SIEM solutions will integrate with disparate systems and provide comprehensive threat detection. A SIEM tool would utilize security intelligence data to proactively monitor for suspicious activity and actions. Additionally, the tool is going to be able to provide metrics reporting and analytics to spot problem areas and reports to management.

Logging mechanisms including the ability to track user activities are essential. Secure log collectors, correlation and analysis environment are integrated to end systems. SIEM collects the logs from different systems and correlates them together to generate influential and useful information for SOC analysts.

The ticketing system helps create, update, and resolve reported issues and track progress. If a SOC receives more alerts, more work needs to be done. So, a higher number of alerts also requires more resources needed to address these alerts. On another hand, many alerts can be automated and only more complex alerts should be solved by cybersecurity expert.

Finally, an incident is a violation or imminent threat of policy, or standard security practices like denial of service, unauthorized access, vulnerability identification, hacking, data loss and etc. Incidents have to be addressed and closed decisively. The impact, severity, and timeline of the response must be defined for every assigned incident. If an incident remains unresolved at any level, then an escalation to the next level is required and procedures documented.

Steps to Prepare an Effective Cyber Breach Incident Response Plan

According to major Cybersecurity Readiness reports, 62% of organizations acknowledged they were breached. The question of being prepared for cybersecurity breach is not about if, but when the company will face one. Given the “when not if” mindset, executive teams need to be proactive in their approach to mitigating cyber breaches.

 A sophisticated incident response plan is the most important roadmap in the moment of crisis. An incident response plan is a guide that is tailor-made according to the company’s industry and fine-tuned through mock breach exercises. It is vital to ensure that incident response plan does not become another document laying in executive’s drawer. A well-rounded incident response program includes regular tabletop exercises synchronized with the plan.  

Through our experience, we have found that most multinationals have incident response plans without a well-developed program to train and do tabletop exercises according to the plan. Moreover, in many cases the documentation describing how to act in the event of a breach is out of date, inaccessible to key decision makers, generic, resulting in not effective response plan damaging the brand and breaking stakeholders’ trust.

 A well-prepared incident response plan starts with defining all breach scenarios and their specific response steps. Secondly, it specifies response priorities and defines stakeholders, roles, and responsibilities. Finally, it includes templates of internal and external communications to ensure business continuity.

 Below are 11 principles to guide companies in creating and implementing incident response plan:

  1.  Identifying the internal incident response team. The crucial thing is finding which person in different departments play a key role in the plan and describing what they do.
  2. Identifying the leader of the incident response team. It is important to identify the department and a person within it who will lead incident response. The last thing an organization wants in the moment of crisis is to start identifying who is responsible for mitigating the damages.
  3. Categorization. Developing a simple structure for classifying incidents by severity and urgency will provide a better understanding of C-suite involvement and level of engagement of the representative groups on the incident response team.
  4. Response protocol. A framework should include (1) preparation, (2) identification, (3) assessment, (4) communication, (5) containment, (6) eradication, (7) recovery, (8) post-incident.
  5. Third parties. The plan should include a list of key third parties that will assist the company, including external privacy counsel, forensics, crisis communications, etc.
  6. Notify and assemble incident response team members to begin the investigation. After the breach occurs, it is important to notify and gather the team in a timely manner. Senior management should be included in the response team. Once the team is assembled, an internal investigation should commence into the security incident.  Depending on the potential severity of the incident, daily progress calls should be scheduled.  
  7. Identify and fix the issue. An analysis should run that identifies the incident and focuses on developing and implementing an effective containment plan. After fixing the issue, the company can turn to identifying the full nature and extent of the attack.
  8. Gather the facts and let them drive the decision-making. All available forensic data (hardware, devices, database activity, etc.) should be collected and transferred to a safe location for subsequent analysis. After making timeline around incidents and response, any additional investigation and response efforts should be based on the information gathered and the scope of the incident.
  9. Determine any legal obligations and comply. An experienced lawyer that is well versed in incident response can play an essential role in quickly and accurately determining the different privacy, security laws, and regulations that may be implicated by the breach.
  10. Communicate with the public and report to the incident response team. During the course of the investigation and response, there should be constant communication among incident response team members. It is critical to have an outside counsel involved in the communications plan to preserve any privileges that may attach to communications. A “holding statement” prepared for the executives might be useful in any interaction with the media.
  11. Eliminate fragments of the security incident and recover business operations. After ensuring that the threat created by the security incident in eradicated, it is important to restore the company’s assets and return to normal business operations.

Development of a robust plan is challenging and time-consuming but to face a cyber security breach without any plan, might be deadly for a corporation. When a successful cyber attack occurs and the breach comes to light, the first question customers, shareholders, and regulators ask is, “What did the business do to be prepared to respond to a breach?”

To learn about the incident response (IR) and how to prepare an IR Plan(s) click here to check our IR community and partner website.


Many of the participants from RSA that stop by our booth will be getting this “TRON-LIKE” Joins CyberSponse Security Operations Center. Our product is so security practitioner friendly from the creation of our visual playbook engine to our incident timeline correlation features. Why not show our loyal customers why our technology is superior and not something that is licensed from someone else (hint-hint). Thanks to the team at CyberSponse for not only coming out with first security operations platform but also the coolest and most trick LEGO set.

Naturally, many of our industry wizards grew up with lego’s trying to build the coolest spaceships, vehicles, and towns our imagination could render. With this idea, our team decided to engineer and deliver our product playset with a creative message. We couldn’t be more proud to introduce to the industry when our new TRON-LIKE joins CyberSponse and how our technology represents the next generation of security integration and interoperability. INFOSEC IOT Baby!


As we all know, security practitioners in the information security environment need to follow a certain sequence of steps and the CyberSponse Playbook engine offers consistency and repeatability for the day to day. As we all know, analysts become overtaken with increasing alert quantity, they may overlook key indicators and notifications that are critical to the organization. Similarly, experienced analysts might be provoked to make “out of process calls” to skip key parts of the incident response plan based on incomplete information or impatience. With the CyberSponse Playbooks, the same data is assembled together for every alert, and every notification is investigated and memorialized the same approved manner each and every time it occurs.  In simple terms, your final result matches the desired outcome with no curveballs.

Similarly, automation harnesses the power of your existing security investments in products by integrating these products and services to increase your environments velocity and operational readiness. To date, CyberSponse has more than 300 open available integrations with all the major security solution. From our perspective, who needs python or needs a developer in the SOC to create connectivity, go DIRECT API and do it right!

Interested in seeing how CyberSponse can help your organization? Schedule a Demo today!! And check out more about Incident response on for the upcoming conference that is going to change our industry as a whole.

The 3 Biggest Problematic Mindsets around Cyber Security

As a mainstay in today’s digital environment, cyber security concerns play a huge role in how we approach evolving customer needs, internal processes, and regulatory requirements. In our current layout where companies of all sizes and in myriad industries can find themselves susceptible to hacks, cyber security isn’t just for banks. There’s still a good reason for all of us to bring cyber safety to the forefront, to protect us from unknown.

Today’s small businesses are between a rock and hard place. Often lacking the funds and resources to invest in the protective measures larger corporations have in place, small businesses can find themselves at a disadvantage in terms of keeping their assets and information safe. This is why, as I’ve discussed in the past, small businesses have become a main target for cyber-attacks.  Although the means to invest, remains the biggest obstacle to better security, many business owners are also falling into  avoidable traps, putting sensitive company information at risk. Regardless of resources, here are three cyber security mistakes no business owner should make.

Overlooking Employees’ Cyber Knowledge & Familiarity

For a company with limited resources, employees can be tremendously valuable players if they’re given the proper tools, techniques, and education. Very few of us are true experts in cyber security, and employees often expect their work data and information to be automatically protected from cyber attacks. Providing fundamental information about cyber safety and best practices – and arming employees with a few quick tips like the following – can help prevent avoidable security incidents.

  • Learning to identify harmful emails by looking out for incorrect grammar and inaccuracies in the message body, and place your mouse pointer over any link to verify the URL before clicking.
  • Don’t use bookmarks or web browser shortcuts – attackers can make modifications on the back end so it links somewhere else.  Open up your internet search and type in exactly what you’re looking for, instead.
  • When you’re working off-site, never use public WiFi. You might think your local cafe is safe, but shockingly, these hotspots are often unmanaged and highly insecure, leaving your computer or device vulnerable to an attack.

Not having the Plan B.

Up-training your employees or end users – is the most critical step you can take to protect your business from cyber threats. The success of your security measures, is highly dependent on the education of your employees. Employees must be empowered to make smart decisions that prevent cyber adversaries from “walking through your front door.” YPlease note that even the most cautious or paranoid users can make mistakes, particularly with sophisticated phishing scams – or spear phishing. This type of attack is when an email appears to be from someone you know and includes links or attachments that are harmful to the organization.

This is where your “Plan B” falls into place – the spam filters, customized rules,  internet content filters, sophisticated email scanning etc. These type of solutions categorize sites or email traffic into various classifications to effectively block malicious content or attacks. A small business may not have the luxury of more advanced, expensive security measures like sandboxing or whitelisting, but simple yet basic filters can catch most known types of attacks and provide an important fallback for when human error is inevitable.

The  “Too much or too little” approach.

Small businesses today are using more technology to grow and maintain a competitive edge, with recent research showing that technology helps level the playing field and contribute to revenue growth.

This, however, opens up many new avenues for cyber threats – and businesses across the board are faced with a balancing act when it comes to security vs. convenience. From the way we streamline internal processes to how we engage with customers, we all want a seamless experience. Having the right security measures in place is crucial but going too far overboard can be costly and ultimately kill the customer experience.

White the average business may not have the most advanced systems in place, businesses still can benefit from educating employees, implementing basic safety filters, and learning to strike the right balance between security, convenience and usability. Don’t let a lack of resources be an excuse – there are steps we can all take to protect your  company, and your customers.


CyberSponse Incorporated, a global leader in cyber security automation & orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. CyberSponse solves problems with resource skills gaps, too many alerts, increasing risk and disconnecting security environments. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, CyberSponse enables organizations to secure their security operations teams and environments. To learn more visit our site Click Here or to learn more of incident response check out

The Confusion of the Term Cyber Incident Response

Every year we see the definition of incident response change. It’s been an honor for CyberSponse to start, create and build this new category we have today. It’s also been an adventure to see the market embrace the vision but also humbling to learn that having vision doesn’t mean the market is ripe. Incident Response has been a passion for CyberSponse since it’s founders were watching their fathers build, run and execute life-saving incident response plans. These plans did not save the “end point” or corporation, they saved a child, a family, a home or even people from a plane crash (seriously).

The reason why incident response is so important is that it’s the manner of being prepared for the unknown and known. The more you execute a process, the less that panic and confusion will hinder your success when dealing with a situation. The genius of building out the community and what is in store for 2017 is very exciting. IR17 will be the future of how and where the future of incident response is headed.

Let’s get a summary of the history of Security Incident Response and the overall mindset of various teams we have come across over the years. I’ve seen the market change a lot over the past 5 years and thought that we could provide a summary for our followers.

  • 2012 – What is that? Don’t need it.
  • 2013 – Oh, that’s when you are compromised or breached, not an issue for us.
  • 2014 – Not important right now, we solely focus on prevention (uh oh)
  • 2015 – We know what it is, but Threat Intelligence is more important right now
  • 2016 – We’re now putting our focus on Endpoint and Forensics
  • 2017 – What are Playbooks?

Building an Incident Response Plan

Putting an incident response plan together is not a quick or easy task. All businesses are different, and our recommendation is to follow these steps:

  1. You need to first embrace and create an incident response team, available 24/7, to manage, direct and facility any cyber security or business continuity incident.
  2. Train your team. If they don’t know what incident response is, there is a ton of resources online to do this. Hold weekly sessions to whiteboard plans, ideas, talk about technology, what is changing and so on. Get your team used to the idea that threat/alerts/incidents cost the company money, and why a consistent and effective response is required.
  3. Obtain at least one board member on the incident response team including your CISO. If you cannot get the agreement to be apart, then work on that foundation and use the data at your fingertips to explain the exposure, risk and capital losses for a security incident.
  4. Carry out a thorough analysis and identify critical assets, key terrains and areas to most protect within the business. What sort of information security incident or alert should trigger a team response? Which assets or systems, if down, would cause serious issues for the organization? What assets contain data should be monitored more closely? Understanding your landscape is critical to building an effective incident response plan.
  5. Start out with a simple incident response plan for your SOC, IR Team for when a critical asset has alerts or show signs of compromise or attack. Run simulations of this simple plan and talk about it. Tell your team why an effective and consistent response is important and get their feedback. Communication is the key to all problems.
  6. Now that you have a simple plan around a key asset and certain type of threat. Build specific incident response processes for other type of threat events. Define each of these plans around different type of threat events or attack types and take it one step at a time. Setup weekly meetings to build out a plan on a whiteboard, document, build a visual in Visio, save it, print it and build out your IR plan book.
  7. Once your IR plans or ADMIN BOOK is completed, it’s time to test some of the plans. Simulations are the best way to do this. Table top exercises help know what to do when something happens, who to call, how to call and when to get legal involved etc.
  8. The most important thing to remember is train, help and work with your team.  If you’re not getting the cooperation from your team, then change your team. Do not let your team think that a reactive, fire-fighting approach is a good approach to protecting your security posture.

We look forward to introducing IR17 to the community and market, it’s going to be a hot year for the entire SOAR community.

The CyberSponse Crew 

CyberSponse RSA Review


Cybersponse RSA Review

Arlington,Va-Another year and another excellent RSA turn out! RSA 2017 was a very exciting time for the SOAR Category and embrace the excitement towards the automation and orchestration arena. CyberSponse enjoyed all the visitors and exhibitors from different companies that stop by to learn more from the biggest and baddest of all other security orchestration, automation & response platforms.

Here are couple of key moments in case you missed us;


CyberSponse’s booth at the conference was on fire from the get go, giving everyone a demo of our latest version of our platform and why we’re different, why we are better, why we can scale like no one else. We had partners and old friends stop by the booth and even gave away some free exclusive swag.

The CyberSponse Team providing an invitational demo to the largest business in the world!

Real Deal Special Guests

We were honored to have the Governor of Virginia come by and visit our booth.

Terry Mcauliffe, is an American businessman and the 72nd Governor of Virginia. He served as chairman of the Democratic National Committee, from 2001 to 2005, was co-chairman of President Bill Clinton’s 1996 reelection campaign, and was chairman of Hillary Clinton’s 2008 presidential campaign. In the 2013 gubernatorial election, he was unopposed in the Democratic primary. McAuliffe defeated Republican Ken Cuccinelli and Libertarian Robert Sarvis in the general election, collecting 47.8% of the vote; He assumed office on January 11, 2014.

AGC Presentation

Our CEO and CSO, Joseph loomis and Larry Johnson, was also featured in the AGC Conference. Joe and Larry both discuss how the SOAR category was created and how we were the originators of the automation and orchestration space. Giving a demo of  our product and answering the ultimate question “Why cybersponse over the other guy?”

Joseph Loomis and Larry Johnson at AGC

In summary, the level of interest in security automation and orchestration at the conference underscored what we’ve observed ever before. Customers and buyers are ripe and it’s a race to the finish although we know that there is plenty of room for more than a few to win.

The information security community is actively seeking out automation platforms like CyberSponse to help them:

  • Help automate repeatable information security processes
  • Responding faster to lessen the time to investigate and respond playbooks from hours to seconds.
  • Building defenses by triaging every alert and a dramatic reduction in resolution time.

“CyberSponse is more than an IR workflow system; it also can support just about every function of the Security Operations Model (Protect, Detect, Respond, Recover).”

Jeff Schilling, CSO at Armor (Former Director of Incident Response, Dell SecureWorks)

We are so excited to help grow the space into something that we never thought it could be.