Respond to security alerts completely within one web interface

Orchestrator lets you script common incident response tasks, like "shut down machine" or "disable account", combine them into workflows like "contain ransomware", and run them on your security alerts.

Orchestrator has no learning curve. You write tasks in Golang to run on remote endpoints and in Python to run from the Orchestrator server. You write workflows in YAML. It can integrate with any product with a REST API.

Orchestrator is under development. It will be a commercial product. Join the mailing list.




Agentless

Orchestrator runs scripts on endpoints using Golang and Python.

Supports Windows, Linux, Mac

Orchestrator is compatible with any machine that can run Golang and Python scripts.

Customize tasks based on environment

All tasks' code, whether out-of-the-box or custom, is open and editable through the web UI.

Setup within an hour

Orchestrator is deployed for you in AWS EC2.

Out-of-the-box tasks & workflows

We have a soon-to-be-public GitHub repo with dozens of common tasks for Linux and Windows.


Security Orchestration is a Must


TOO MANY SECURITY ALERTS

Enterprises today receive hundreds of security alerts per week, most false positives. This:

  • Delays response to actual threats.
  • Increases turnover. The typical SOC analyst stays for only 2 years.

RESPONSE IS MOSTLY MANUAL

Common IR tasks, like shutting down an infected endpoint, require analysts to log into multiple consoles and struggle to move basic information from one to another.

We've read about SOC analysts who spent 40% of the time on an alert investigation just finding the infected PC's IP address.

ORCHESTRATION, NOT FULL AUTOMATION, IS THE WAY TO GO

Some promise to fully automate alert response using AI/ML, but security teams don't trust full automation. They worry about what damage it will cause rather than what problems it'll fix.

Instead, we should enable security teams to build and run tasks and workflows to quickly remediate alerts (this is called security orchestration).


Current SOAR Products Aren't Flexible


WRITING TASKS IS UNINTUITIVE

Other SOAR products force you to write tasks in a specific language using REST APIs. But you should not have to write 20 Python LOC to take a remote screenshot - you should just be able to write scrot.

Also, importing your custom scripts into SOAR products often requires you to rewrite the scripts using the product's APIs. Orchestrator lets you just run any custom script (in Python) from the server.

WRITING WORKFLOWS IS UNINTUITIVE

Other SOAR products make you use visual workflow editors, then auto-generate code from your visual workflow. This code is hardly reusable and difficult to read or extend. If you switch SOAR vendors, all your workflows are now obsolete.

THE GRAPHICS GET IN THE WAY

One sysadmin told us that "graphics absolutely kill the performance of SOAR platforms". Visual editors, designed for Tier I SOC analysts, slow down experienced security staff, and so our web UI is minimal and fast.

Everything that can be done in the web UI can be done through the REST API, so you can write custom tools on top of Orchestrator. If there's enough interest, we'll release an official CLI version. Email us!

What Orchestrator Is Not


A TOOL FOR INCIDENT TRACKING

Orchestrator automates response; it does not just track it.

A TOOL TO COORDINATE PEOPLE

Currently, Orchestrator integrates technology and processes, but not people. Orchestrator knows nothing about the structure of your organization. But it's a feature we can add in the future if there's interest!

A TOOL FOR IN-DEPTH INVESTIGATIONS

Orchestrator is designed for the routine 97% of alerts. If you need to investigate an advanced persistent threat, this is not the tool for you.


Write tasks to run on remote endpoints in Powershell or Bash



Write tasks to run from Orchestrator server in Python



Write workflows in YAML



Write Integrations in Python

An integration requires at least 2 files:

  • 1 or more Python files defining tasks
  • 1 YAML file defining metadata and exporting tasks


Anything you can do in the web interface, you can do through the REST API


# don't worry; this will be authenticated

curl https://localhost:8080/shutdown_pc?ip=192.168.1.112

{ "result": "success", "output": "Shut down PC-003 (192.168.1.112) at 03/25/18 23:22:12" }



FAQ

What is the status of this product (July 2018)?

We will release this project in the next couple of months. The web UI is done; we are working on the task/workflow engine and the out-of-the-box tasks/workflows.

Orchestrator will be a paid, commercial product.

Join the mailing list below! If you have feature requests or questions, email us any time at getorchestrator@gmail.com. We usually respond within the day!

Who is working on this product?

There are two of us working on this product:

Veeral Patel is a rising junior studying Computer Science at UC Berkeley. He is heavily involved in our cybersecurity club (berke1337.berkeley.edu), teaches a cybersecurity speaker series (berke1337.berkeley.edu/decal), and is interning at Yelp in Summer 2018!

Jemin Desai is a rising junior studying Electrical Engineering and Computer Science at UC Berkeley. He has dedicated himself to Computer Science education on campus and teaches CS61A, the introductory Computer Science course for all CS/EECS majors.

How does Orchestrator work?

Our tech stack is: Postgres, Django, Django Rest Framework, React.

We use Golang to run scripts remotely. Our documentation will explain how to set this up. To run a task from the Orchestrator server, we run a Python script. To run a workflow, we parse each task in the YAML file individually.

Is it just tracking or does it automate response?

It automates response.

What are its data sources?

  • SIEMs: Will build integrations with popular SIEMs
  • Email
  • Manually through web UI
  • Authenticated POST call

How does it determine severity?

Orchestrator doesn't determine severity. It uses the severity from your SIEM, or the severity you specify (email/manual alerts).

What does deployment look like?

Orchestrator will be deployed for you in AWS EC2.

We'll provide all 4 Dockerfiles in a public GitHub repo. Each Docker container just runs a binary. We can also deploy all this for you in AWS EC2.

How are you authenticating users to the web UI? Seems like a huge point of failure if breached.

We're still working on it, but here are a few ideas:

  • Yubico
  • RSA SecurID
  • 2FA
  • SSH Agent Forwarding
  • Active Directory Integration

What makes Orchestrator different from existing vendors?

  • Ease of writing tasks and workflows
  • Simple, intuitive UI
  • It's not tied to an expensive SIEM or integrated security offering

What's your contact info?

getorchestrator@gmail.com

Feel free to reach out anytime; we usually respond within the day.



Join Our Mailing List (Samy Kamkar is on it!)


We'll send all project updates here.