By Logan Wolfe
We are thrilled to announce our first major feature release! Read on to find out why it's a big deal, and a game-changer for incident response teams worldwide.
First of all, what is ORNA? Well,
ORNA is a holistic incident response and case management platform for smaller, agile digital forensics and incident response (DFIR) teams.
Keyword: holistic. But that's corporate talk. Here's a more to-the-point version:
All of the ad-hoc things you're doing to detect, manage, and prevent incidents today, streamlined in the most stress-free way possible or done for you, integrated with all the tools you're using. And a lot more.
As the founder and CEO, I am thrilled to see dozens of companies worldwide adopting ORNA to abandon ad-hoc incident management using tools like Jira and Slack, or indeed, switching from our competitors at Squadcast, Moogsoft, PagerDuty and others.
But to understand why ORNA exists, and why DFIR teams are loving it, we must first explore a few inherent issues that persist in cyber incident response today.
The Cyber Crisis Management Process
Let's start with some context.
Cyber crisis management, or cyber incident response, is the process of resolving cyberattacks in a way that minimizes financial and reputation losses, and prevents future compromise.
Typically, it involves the following steps outlined in the SANS incident response framework:
Preparation - review security policies, perform a risk assessment, identify sensitive assets, define which critical security incidents the team should focus on, and form a Cyber Incident Response Team (CIRT / CSIRT). As you can surmise, this happens before an incident occurs.
Identification - monitor IT systems to detect deviations from normal operations, and find out if they represent actual security incidents. When an incident is discovered, inform CIRT, collect additional evidence, establish its type and severity, document everything, and perform escalations.
Containment - contain the immediate damage, for example by isolating the network segment that is under attack. This stage sometimes involves temporary fixes to allow systems to continue operation. Long-term containment follows.
Eradication - remove malware (or other threat) from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
Recovery - bring affected systems back online, while ensuring the threat has indeed been eradicated. Test, verify and monitor affected systems to ensure they are back to normal operations and no Indicators of Compromise are present.
Lessons Learned - no later than two weeks post-recovery, perform a retrospective analysis of the incident. Prepare complete documentation of the incident, investigate the root cause further, understand what was done well, and what could be improved in the future.
...And Its Pitfalls
The above seems straightforward in theory until your first incident. For example, just the Identification stage alone at a very high level involves the following:
Detecting the potential incident - naturally, any kind of response would be impossible if the attack isn't detected first. The right controls need to be in place to monitor all possible, or at least high-risk, attack vectors, 24/7/365.
Confirming the type of the attack - hybrid and polymorphic attacks are on the rise, so confirming the attack type based on the Indicators of Compromise as well as relevant threat intelligence are key to warrant an appropriate response action.
Assigning the CIRT Leader - the CIRT Leader, sometimes also known as the Incident Commander, is the sole individual responsible for actively driving this particular incident to resolution. They often act as a liaison between different business functions involved, such as IT, 3rd parties, business execs, legal, HR, etc.
Determining the right stakeholders to engage - different types of incidents require different actions carried out by different stakeholders. For example, responding to a ransomware attack will require a very different set of actions when compared to an insider threat response.
Figuring out exactly what is it that each person has to do - quite literally a million dollar question, isn't it? This is typically where incident response training, incident response plans, playbooks, and such come into place. Contrary to the popular belief, an MDR provider won't help you with this, instead focusing on purely technical mitigation and reporting thereof.
Determining reporting and communication obligations - what do you say, when, how, and to whom? This includes the affected parties (e.g. a PII breach), regulatory bodies, staff, vendors, and more. There's a legal aspect to this as well, as you might want to maintain minimal culpable footprint that may surface during discovery if litigation follows, as it often does.
Recording every decision for reporting and analysis - your Board, insurance provider, execs, shareholders, regulators, and more will have questions once the incident is resolved. How did this happen? Why? What was the impact? Will this happen again? What is the effect on the business? Did we make correct decisions? Cyber incident reporting adds an extra layer of stress to an already tricky situation, as you need to maintain meticulous records of everything throughout - while responding to the actual attack.
Securely collecting and categorizing all evidence - incident reporting is hearsay without evidence. Screenshots, documents, emails, notes, file hashes, and much more need to not only be preserved securely to prevent tampering and chain of custody concerns, but categorized, labeled and linked to specific activities within each of the incident response stages.
...and that's just off the top of my head. If you went through this process at least once, you know it doesn't take a genius to identify the following issues:
Cross-Functional People Management is Tough. Being a CIRT Leader can put you in an interesting position where you are required to "manage up" and coordinate actions across a number of business functions, both within the company, and outside of it. Schedules, vacations, opinions, stress, lack of sleep, and other factors often make ad-hoc CIRT management a soul-crushing ordeal.
Inefficient and/or Outdated Workflows. Time really is money during an incident, and not many things can be more frustrating than being stuck in yet another 4-hour Zoom call trying to land on the best course of action for each stakeholder at any given time because the incident response workflow (e.g. plan, playbooks) didn't exist, isn't up to date, wasn't practiced, or has not been communicated to the CIRT members across each function involved. Lack of a Crown Jewel registry, asset risk matrix, jump bags, DR/BCP processes, and so on piles up on top of this issue as well.
Assets and Evidence Get Overlooked. It's enough for one compromised asset to get overlooked, or one piece of key evidence to get misplaced, to put your incident response activities in jeopardy. Managing your ITSM system, backups, patching, config updates, as well as carefully categorizing evidence in your secure file repo at every step of the incident resolution process, while ensuring all other CIRT members are equally disciplined and keeping the actual DFIR activities on track is guaranteed to add a few gray hairs to your head.
Incident resolved...now what? By the end of the whole ordeal, your team is exhausted and probably reconsidering their career choices (I'm joking. Or am I?) It's common for Lessons Learned activities to get deprioritized, especially for smaller organizations without a clearly defined InfoSec function. With the relevant mitigation actions and improvement opportunities never addressed, a repeat compromise often happens just weeks or months later.
These challenges aren't new, but they are persistent.
Workarounds include putting together an ad-hoc suite of about a dozen tools, creating a formal Incident Response Plan cross-correlated with DR/BCP processes and reviewed monthly, outsourcing the entire thing to an MDR provider (spoiler: this often doesn't work very well. Do you know anyone who is happy with their MDR provider?), building your own incident response platform from scratch, or a combination of the above.
Problems With Existing Tools
It's not all doom and gloom, but there's no obvious solution either. ORNA's founding team capitalized on our combined 40+ years of experience in cybersecurity, looked at the existing tools and approaches for cyber incident response and case management, and noticed that at least 2 of these issues apply broadly to each:
The tool is highly complex with a steep learning curve, and is stressful and unintuitive to use at the worst possible moment.
The tool is retrofitted for DFIR, lacking relevant cybersecurity-specific features, such as built-in playbooks, attack detection capabilities or integrations.
The tool is non-holistic: focuses only on technical aspects of incident response, keeps the extended team out of the loop, and lacks cross-functional features.
The tool is too expensive and does not fit smaller teams' cybersecurity budgets.
We then put all of our brainpower together to build a tool that addresses them all.
A Better Way To Manage Cyber Incidents With ORNA
While the initial version of ORNA acted as a proof-of-concept to ensure we're onto something (our first 50 customers helped us with that - THANK YOU!), ORNA 2.0 has been beefed up so much that the functional capacity of the platform more than doubled.
Let's take a quick tour of a few key features!
It all begins with ORNA's Alerts module, powered by our Scout agent that detects 1,000s of complex attacks and anomalies across the entire infrastructure, informing all relevant stakeholders within seconds. Alerts are highly configurable across 15 levels of severity and are seamlessly integrated with the Incidents functionality.
The Scout agent is deployed in seconds using a simple step-by-step UI. Alternatively, our support team can take over and handle the entire rollout A-Z, free of charge.
ORNA integrates with over 200 tools, such as FortiGate, SonicWall, Entrust, Cisco VPN, Palo Alto firewalls, Symantec WAF, VMware Carbon Black EDR, Docker, Kaspersky, McAfee, Microsoft Exchange, and many others, meaning you won't have to modify or alter your tech stack.
Each Alert and Incident contain rich, in-depth details collected, collated using GraphQL and cross-referenced across public (CVE, CWE, MITRE), private (AlienVault, FireEye databases), and exclusive (Dark Web) sources. This vital information drives much more efficient incident triage, response and short-term mitigation activities.
Once a new Incident occurs, be it Ransomware, Phishing, DDoS, or even Insider Threat, ORNA analyzes the threat, pre-generates and automatically assigns tasks developed by globally acclaimed Digital Forensics and Incident Response experts.
Each task is unique, highly detailed, and is assigned to the team member most qualified to perform it, whether technical or business. ORNA's playbooks are 100% customizable using a powerful Playbook Designer, and you can reassign tasks - and roles - at will.
The following smart roles are supported as of September, 2022:
Third Party IT (MSP)
Managed Services Provider (MSSP)
Once the incident is eventually resolved, you can use ORNA's Report Builder to create a highly detailed incident report in seconds, as well as customize the level of details that the report will contain (for example, your report to the Board can likely omit some technical details or timestamped task history, while your report for the Lessons Learned post-mortem can dive into the nerdy bits much more).
Reports are encrypted and are additionally protected by a 30+ symbol alphanumeric key uniquely generated for each individual report.
Finally, ORNA's NIST CSF aligned Risk and Compliance dashboard enables you to:
View your qualitative and quantitative color-coded scores across all 5 NIST functions and its 23 categories at a glance.
Gain an understanding of your weakest and strongest areas by answering simple, straightforward questions.
View Key Performance Indicators to focus your efforts.
This dashboard is meant to make it easier for you to view your organization's cybersecurity maturity from a 50,000 ft point, streamline compliance, reduce cyber insurance premiums, and direct your budget expenditures.
Risk & Compliance dashboard also includes Recommended Action Items. These recommendations provide actionable items to implement in order to proactively reduce cyber risk and increase NIST maturity, and are effectively a way to productize a subset of the responsibilities of a Chief Information Security Officer or an external GRC expert.
These items let you know what specific steps they can take to improve NIST maturity and category scores, taking the guesswork out of the process, and helping to drive cyber risk mitigation strategy and budget distribution.
Under the Hood
ORNA is a highly portable modular system that uses a containerized deployment in the cloud. Through our partnership with AWS as part of the Portfolio Activate program, we've been able to quickly secure our environments by fulfilling the requirements of the CIS AWS Foundations Benchmark. We are also able to deploy ORNA on-premises, and implement custom features and integrations as part of our Enterprise program delivered by our Special Advisory Services (SAS) team.
Most of the platform is data-driven, allowing us to roll out updates without any service interruption with an eye on maintaining the highest availability standards.
All data is AES-256 encrypted at rest and in motion with TLS 1.3 implemented as well. ORNA supports SSO (Windows AD, Google Workspace, KnowBe4, Cisco Umbrella, and many others) and every user account is additionally secured via a mandatory TOTP MFA setup. Finally, each customer instance is completely segregated from others using fully segmented assets.
The team is exploring state-of-the-art encryption and data security approaches as well, such as region-locked data sharding leveraging blockchain, in response to the quickly evolving threat landscape and the upcoming commercial quantum capabilities.
We are using a heavily modified version of the tried-and-tested OSSEC agent for monitoring purposes, with the rest of the platform being completely proprietary.
Getting Started with ORNA
There's no better time to try. ORNA has a completely free tier, while paid options use a predictable, module-based (as opposed to usage-based) pricing model with unlimited users, integrations, alerts, 24/7 SME and customer support, and much more. Check out the features and sign up here.