Many SOAR platforms do a good job automating actions through playbooks that cover the basic security tasks needed to remediate simple threats. However, D3 has been in the incident response game since long before the acronym SOAR was even coined, and we have learned in our years of working with many of the largest companies in the world that most major incidents have implications beyond the SOC.
That’s why D3 SOAR keeps going long after most SOAR platforms have called it a day, with additional capabilities that support the entire lifecycle of the incident. These include forms, reports, templates, and workflows that are needed by teams and stakeholders that aren’t in the SOC, but still have a role to play during security incidents and their fallout. In this article, I’ll cover a handful of the ways that D3 supports full-lifecycle incident response that go beyond basic security automation, along with the teams and user groups they support.
Human Resources Investigations (HR Team)
Security incidents can lead to HR investigations, such as in cases involving potential insider threat. D3 extends its incident response workflow to the HR function, enabling seamless coordination (and tracking) between disparate departments. It also provides HR investigators with purpose-built case management tools and reporting templates which optimize and guide HR tasks within the scope of the incident response.
For example, D3 helps HR investigators with:
- Building out the details of the case, with the persons, policies, and timeframes involved.
- Scheduling and logging interviews, with question templates, interviewer guidance, and space to attach notes to the investigation record.
- Using email templates to ensure that all investigation-related communications comply with applicable laws and regulations.
- An analysis stage, where the investigator can review all the collected notes, evidence, timeline, and findings in order to determine the root cause(s) of the issue and draw their conclusions.
- A resolution stage, where the investigator can generate actions such as issuing a written warning, changing a policy, or recommending training or counselling for an employee.
Employee Notifications (Company-Wide)
Despite the proliferation of security controls, the majority of security incidents still involve simple human error. D3 helps SOC operators keep colleagues informed with the ability to trigger company-wide notifications based on incidents. These could include information on an active phishing campaign, security hygiene reminders, or notifications to specific groups that are being targeted, such as AR or accounting teams. During incident response or digital forensics investigations, D3 can also send notifications to data custodians whose devices, data, or emails are to be investigated.
Public Relations Templates (PR Team)
Successful attacks against an organization, such as data breaches, immediately become a public relations issue as well as a security issue. D3 users can set up templates for press releases, notifications, letters, and even online messaging. These can be pre-populated, sent for approval, and distributed from D3. D3’s access controls allow security, PR, and legal teams to have the limited access they need to review and approve information without it leaving the system.
Breach Notification Letters (Privacy Team)
Data breaches have their own specific procedural requirements, including breach notification letters to regulators and affected parties. You can use D3 to build templates for breach notification letters that are customized based on different jurisdictional requirements.
Compliance Reporting (Compliance/Risk Management Team)
Many security incidents will also bring a significant compliance burden, which will need to be handled outside of the SOC. Without the right tools, this will require a lengthy collaboration between security and compliance teams to gather the necessary data and write compliance reports. These reports also differ greatly based on jurisdiction, industry, and incident type. D3 can populate form templates with the necessary incident data, for reports such as Cyber SAR, 23 NYCRR 500, HIPAA data breach reports, and more.
Legal Hold (Legal Team)
Certain data or evidence may need to be placed on legal hold for future eDiscovery, audit, or compliance obligations. D3 can trigger legal hold notifications and correspondence tracking. D3 generates the chain of custody, list of custodians, status reporting, and legal sign-off. Processes in D3 align with Data Access Protocol best practices.
Go Beyond the SOC with D3
As you can see, the scope of incident response goes well beyond the security team, requiring resources from many other stakeholders. D3’s full-lifecycle solution ensures efficient, high-quality investigations that use less time and budget to complete, even when they extend past the SOC. Perhaps more importantly, by codifying investigations through D3’s playbooks and templates, you can produce a compliant, legally sound process, which is an absolute necessity for sensitive investigations, such as those involving insider threats, compliance issues, or digital evidence.
To learn more about how D3 helps organizations solve today’s challenges, check out our recent whitepaper Five Playbooks for the Remote Work Era.