We are pleased to announce that D3’s integration with McAfee Enterprise Security Manager (ESM) has been certified by McAfee. The integration brings together D3’s industry-leading security orchestration, automation, and response (SOAR) platform with McAfee’s powerful SIEM with a host of features to speed response, automate actions, generate better metrics, and capture comprehensive data sets for compliance and evidence preservation.
The integration provides the following key features:
- Manual and automatic escalation of McAfee ESM events to D3
- Bidirectional data flow between the two systems
- Users can search either system from the interface of the other
- D3 can factor McAfee ESM data into risk scoring
- D3 can automatically correlate incidents with other McAfee ESM data and display them as additional context for analysts
- Custom dashboards for D3 and McAfee ESM users
Using McAfee ESM and D3 in conjunction gives companies the opportunity to automate incident response via D3’s playbooks and to orchestrate security actions across a library of security integrations. D3 can act as a single interface for bringing together a company’s SIEM, threat intelligence, and SOAR.
Having a certified integration between the two systems helps solve one of the most pressing problems in most security teams: insufficient numbers of skilled cybersecurity professionals. The integration helps close this skills gap in several ways. First, it automates repetitive processes to save analysts time. Second, by providing contextual data such as threat intelligence and linked incidents, the solution raises the ability of analysts of all experience levels. Third, it helps relieve regulatory pressure by automating the documentation of incident records, evidence, approvals, and compliance obligations.
Use Case: D3 + McAfee ESM
To illustrate how a SOC might use this integration, let’s use the example of a brute force attack and look at how the incident would be handled.
- A possible brute force attack is detected by McAfee ESM.
- D3 ingests the alerts and associated contextual data.
- D3 triggers an incident-specific playbook that initiates the correct response process.
- D3 enriches the incident report with data from McAfee Global Threat Intelligence, other threat intelligence platforms, internal security systems, and open source tools.
- D3 displays the fully enriched incident report, which may include the source IP, login username, and timestamp of the suspected attack, all of which are valuable for assessing the legitimacy of the incident.
- D3 creates timelines and link analysis visualizations to aid the investigation.
- D3 documents the entire response process, generates metrics, compares response to established benchmarks, and sends an incident summary to the SOC manager, if necessary.
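To make the ingestion, enrichment and scoring steps above concrete, here is an added Python example that is not D3’s or McAfee’s code: it correlates constructed ESM-style login events per source IP, flags a brute-force burst, records whether a successful login followed the failures, and produces the kind of enriched record (source IP, usernames, timestamped timeline, risk score) an analyst would review. The event shape, the failure threshold and window, and the scoring weights are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample login events in a simplified, ESM-like shape (not real McAfee ESM output).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:01Z", "src_ip": "203.0.113.5", "user": "jdoe", "outcome": "failure"},
    {"ts": "2024-01-10T08:00:04Z", "src_ip": "203.0.113.5", "user": "jdoe", "outcome": "failure"},
    {"ts": "2024-01-10T08:00:07Z", "src_ip": "203.0.113.5", "user": "asmith", "outcome": "failure"},
    {"ts": "2024-01-10T08:00:09Z", "src_ip": "203.0.113.5", "user": "asmith", "outcome": "failure"},
    {"ts": "2024-01-10T08:00:12Z", "src_ip": "203.0.113.5", "user": "jdoe", "outcome": "failure"},
    {"ts": "2024-01-10T08:00:15Z", "src_ip": "203.0.113.5", "user": "jdoe", "outcome": "success"},
    {"ts": "2024-01-10T08:01:00Z", "src_ip": "198.51.100.7", "user": "bsmith", "outcome": "failure"},
]

def parse_ts(value):  # ISO-8601 UTC timestamps as used in the sample events
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def risk_score(failures, users, success_after_failures):
    """Hypothetical scoring: attempt volume, breadth across accounts, and a post-failure success."""
    score = min(len(failures) * 5, 40)
    score += 15 if len(users) > 1 else 0
    score += 40 if success_after_failures else 0
    return min(score, 100)

def enrich_brute_force(events, threshold=5, window_s=60):
    """Correlate login events per source IP and return one enriched incident
    record for every source with >= threshold failures inside window_s seconds."""
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_src[event["src_ip"]].append(event)
    incidents = []
    for src_ip, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        if len(failures) < threshold or (parse_ts(failures[-1]["ts"])
                                         - parse_ts(failures[0]["ts"])).total_seconds() > window_s:
            continue
        last_failure = parse_ts(failures[-1]["ts"])
        # A successful login after the burst of failures is the detail an analyst most wants flagged.
        success_after = any(e["outcome"] == "success" and parse_ts(e["ts"]) > last_failure for e in evs)
        users = sorted({e["user"] for e in evs})
        incidents.append({
            "source_ip": src_ip,
            "usernames": users,
            "failed_attempts": len(failures),
            "success_after_failures": success_after,
            "risk_score": risk_score(failures, users, success_after),
            "timeline": [f'{e["ts"]} {e["user"]} {e["outcome"]}' for e in evs],
        })
    return incidents
```

Running `enrich_brute_force(SAMPLE_EVENTS)` yields a single incident for 203.0.113.5 with a risk score of 80; the lone failure from 198.51.100.7 stays below the threshold and is not escalated.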