When you’ve been in the industry as long as D3, you see a lot of evolution in software capabilities. In the early years, it was all about incident response and case management. Playbooks were entirely manual, and integrations were a secondary aspect of the solutions on the market at that time. Next, we saw the shift toward automation, which was notably resisted by some in the industry, but quickly became a core component of incident response offerings. Then, platforms evolved further to go beyond incident response and automation to encompass orchestrated actions across dozens of integrated systems, powerful playbooks, and much more. Gartner coined the term Security Orchestration, Automation, and Response (SOAR) to describe these solutions, and the name has found almost universal adoption over the past few years.
Things never stay still for long, however, and SOAR continues to evolve. So, if you haven’t taken a close look at SOAR capabilities recently, here are three things that leading SOAR platforms can do in 2020 that they couldn’t necessarily do in the past.
1. TTP Enrichment (in the SOAR Platform)
TTPs are the tactics, techniques, and procedures used by cyber attackers. TTPs are catalogued and defined by groups such as MITRE, whose ATT&CK Matrix is the most comprehensive collection of real-world TTPs. The ability to truly classify events with their TTPs varies across SOAR platforms. Some vendors claim to offer TTP enrichment, but they rely on integrated tools to conduct the actual analysis, and simply ingest the results.
We think D3 is well ahead of the market in this area. D3 has fully embedded the MITRE ATT&CK Matrix, complete with the criteria for every tactic and technique, so it can parse the indicators from every event and correlate them against ATT&CK, all within the SOAR platform. D3 can also be configured to use a different TTP framework if necessary.
One of the ways this capability is driving the evolution of SOAR is by introducing behavior-based security. Without the context of what your adversaries are doing, and what they are likely to do next, you’re relying solely on your security tools to detect the signatures of malicious activity. With TTP enrichment, you can use the knowledge of common patterns of adversary behavior to inform your efforts and disrupt sophisticated attacks.
2. Codeless Integrations
Innovations like drag-and-drop playbook editors have been making integrations much easier for users for some time now, but integrations that don’t require any python coding by users are still limited to the most advanced SOAR platforms.
D3 codes its 200+ out-of-the-box integrations completely in the back end, so that users don’t need to have any coding skills to get full value out of the software. No manual field-mapping is required either; D3 has normalized all fields so they can be selected from a drop-down list based on what your integration requires. Even custom integrations can be added as REST API tasks in D3 playbooks without coding.
SOAR used to require users to spend a great deal of time configuring and reconfiguring integrations, including tasking python coders with scripting new and updated integrations. New codeless integrations not only reduce the level of skill required of users, but also minimize the time users spend configuring the system and make it easier to edit playbooks on the fly.
3. Threat Hunting
SOAR tools have always provided some value during threat hunting, but the new generation of technology is much more directly applicable. Because of the previously mentioned TTP analysis capability, D3 can create a kill chain view of every attack and locate related events to find connected tactics and techniques from the MITRE ATT&CK Matrix. This gives threat hunters the perfect place to start their investigations, because they can quickly determine what tactics in the probable kill chain of the attack have not yet been detected.
You can learn more about D3’s advanced SOAR features in our product guide. But of course, the best way to see the evolution of SOAR is to see it in action. Schedule a one-on-one demo with one of our cybersecurity experts today.