In almost any SOC, there are more incidents than can be properly investigated. Even with effective rules in your SIEM and other detection tools that rule out the majority of false positives and low-risk events, incident responders are still often overwhelmed with a never-ending queue. SOAR can bring order to the chaos of incoming incidents by aggregating alerts from different tools, automating enrichment, and providing at-a-glance analysis of each incident.
D3 SOAR is especially effective at helping analysts and managers ensure that they are spending their time on the most dangerous threats. Here are five ways that D3 can help you identify and prioritize important incidents.
1. Cumulative Risk Scoring
Because D3 integrates with myriad threat intelligence sources, incidents can be easily prioritized based on their cumulative risk score. When an incident is ingested into the system, D3 checks the IOCs against any available integrated third-party intelligence platforms and each one generates a risk score. These risk scores are then aggregated by D3 to create a cumulative risk score. You can set a threshold within D3 to automatically prioritize incidents when they exceed a certain score.
2. Key Assets
Within D3, you can assign key asset status to particular entities, so you always know right away when critical assets are at risk. Key assets might include user IDs, email inboxes, and endpoints related to important personnel, such as senior executives or technical researchers with access to proprietary information. They might also include important internal servers or any other entities that represent major risk for the organization. In D3, you can create rules so that incidents involving key assets are immediately flagged and escalated.
3. MITRE ATT&CK Stage
One of D3’s most powerful features is its ability to correlate incidents against the MITRE ATT&CK Matrix. For those unfamiliar with ATT&CK, it lays out 12 adversarial tactics—each with many associated techniques—in a “kill chain”, meaning that they represent the approximate sequence an adversary might take to reach their goal. So you can see why an incident that represents a later link in the kill chain—for example Command and Control, which is one step before Exfiltration—is a more urgent concern than an earlier link in the chain. With D3, you can easily prioritize incidents based on their ATT&CK tactic.
4. Type of Incident
Not all cybersecurity incidents are created equal. A ransomware attack, for instance, is an all-hands-on-deck emergency in a way that a run-of-the-mill phishing email might not be. You can configure D3 to automatically flag certain incident types as high priority to ensure they get an immediate response.
5. Number of Incidents
So far, we’ve covered the characteristics of individual incidents that can be used to determine priority, but there’s also another factor: the occurrence of an incident type within a timeframe. A single phishing email, as previously mentioned, is no big deal. However, if you have detected 30 simultaneous phishing emails to your users from the same sender, your organization has clearly been targeted. D3 can group related incidents into a single case for investigation and assign it higher priority than its individual components would merit.
D3 SOAR can bring a consistent and repeatable framework to much more than just prioritizing incidents. Once you have determined which incidents require immediate action, D3 jumps into action with automated playbooks that marshal the resources of your entire security infrastructure to remediate threats. The recent shift towards employees working from home brings about many unique security challenges, and D3’s playbooks can help! To learn more, check out our recent whitepaper 5 SOAR Playbooks for the Remote Work Era.
Or, if you’re ready to see D3 SOAR in action, book a one-on-one demo today.