We recently published a whitepaper about our Event Pipeline, which is sort of like the nerve center of our SOAR platform. In case you haven’t heard of it, the Event Pipeline is D3 NextGen SOAR’s global event playbook. It leverages 500+ out-of-the-box integrations to enable triage, investigation, and response for every security alert generated by detection tools. It automatically dismisses all the false positives, duplicates, and noise, helping your analyst team focus on events that deserve a closer look. Here’s how it works:
The Event Pipeline processes security alerts in three core phases:
- Data Normalization. In the Data Normalization phase, the ingested data is analyzed and parsed: key event fields and artifacts (hostname, IP address, etc.) are extracted from the raw alert data and mapped to a common schema, and each event is labeled with its MITRE ATT&CK TTP.
- Threat Triage. In the Threat Triage phase, D3 enriches the normalized events with third-party threat intelligence sources (e.g. VirusTotal, ZeroFox), and groups together related events.
- Auto Dismissal & Escalation. In the Auto Dismissal and Escalation phase, false-positive checks filter the events and auto-close those that fail them; the rest are escalated. The result is that up to 90-98% of alerts can be filtered out through consolidation and auto-close rules before they reach an analyst.
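To make the three phases concrete, here is a small added example (not D3's code) that walks a handful of constructed alerts through normalization, enrichment and grouping, and auto-dismissal; the field names, the tool-to-ATT&CK mapping, the threat-intel table and the scanner allow-list are all assumptions made up for the illustration.

```python
"""Toy three-phase event pipeline: normalize -> triage -> dismiss/escalate.
Illustrative only; all alerts, intel verdicts and mappings are constructed."""
from collections import defaultdict

# Constructed raw alerts from two hypothetical tools with different schemas.
RAW_ALERTS = [
    {"src": "edr", "host": "ws-01", "dst_ip": "198.51.100.7", "technique": "T1059", "sig": "ps-enc"},
    {"src": "edr", "host": "ws-01", "dst_ip": "198.51.100.7", "technique": "T1059", "sig": "ps-enc"},
    {"src": "fw", "srcHost": "ws-02", "destIp": "203.0.113.9", "rule": "outbound-dns-tunnel"},
    {"src": "fw", "srcHost": "ws-03", "destIp": "192.0.2.50", "rule": "port-scan"},
]
# Constructed stand-ins for a threat-intel lookup and a known-scanner allow-list.
THREAT_INTEL = {"198.51.100.7": "malicious", "203.0.113.9": "malicious", "192.0.2.50": "benign"}
KNOWN_SCANNERS = {"ws-03"}
# Assumed mapping from firewall rule names to ATT&CK technique IDs.
FW_RULE_TO_TTP = {"outbound-dns-tunnel": "T1071", "port-scan": "T1046"}

def normalize(raw):
    """Phase 1: map tool-specific fields onto one schema with an ATT&CK label."""
    if raw["src"] == "edr":
        return {"host": raw["host"], "ip": raw["dst_ip"], "ttp": raw["technique"], "name": raw["sig"]}
    ttp = FW_RULE_TO_TTP.get(raw["rule"], "unknown")
    return {"host": raw["srcHost"], "ip": raw["destIp"], "ttp": ttp, "name": raw["rule"]}

def triage(events):
    """Phase 2: enrich each event with an intel verdict and group by (host, ip)."""
    groups = defaultdict(list)
    for ev in events:
        ev["verdict"] = THREAT_INTEL.get(ev["ip"], "unknown")
        groups[(ev["host"], ev["ip"])].append(ev)
    return groups

def dismiss_or_escalate(groups):
    """Phase 3: consolidate duplicates, auto-close false positives, escalate the rest."""
    escalated, dismissed = [], 0
    for (host, ip), evs in groups.items():
        dismissed += len(evs) - 1          # duplicates collapse into the lead event
        lead = evs[0]
        if lead["verdict"] == "benign" or host in KNOWN_SCANNERS:
            dismissed += 1                 # false-positive check fails: auto-close
            continue
        escalated.append(lead)
    return escalated, dismissed

def run_pipeline(raw_alerts):
    """Return the escalated events and the fraction of alerts filtered out."""
    events = [normalize(r) for r in raw_alerts]
    escalated, dismissed = dismiss_or_escalate(triage(events))
    return escalated, dismissed / len(raw_alerts)
```

On the four constructed alerts, the duplicate and the allow-listed scanner hit are dismissed and two enriched events reach an analyst.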
The Event Pipeline is unique in that it processes alerts at the event level, escalating them to incidents only when necessary. This is in contrast to some of our competitors, who cannot perform any automated analysis at the event level – or worse, don’t make the distinction between an event and an incident. Combined with our unique microservice and NoSQL architecture, the Event Pipeline supports unmatched scaling across a high volume of events. It also fully supports multi-tenancy, making it ideal for MSSPs (managed security service providers).
The Event Pipeline is a big leap in productivity and a big step forward for SOAR. It’s unique to D3’s NextGen SOAR platform. You won’t find it in any other SOAR solution in the market today.
Helping MSSPs to Become MDRs
The Event Pipeline is also a key component of what we call our ‘MDR Toolkit’. The MDR (managed detection and response) Toolkit is a combination of three capabilities provided by D3: the Event Pipeline, big data processing, and incident response. Together, the three components enable MSSPs to offer MDR-style services.
We’ve previously noted in our analysis of the managed security services market that the MSSP model is facing a growing threat from the MDR model, and the latter is winning. This is because MSSPs generally don’t have the tools or resources to provide Tier 2 and Tier 3 security services. Businesses from adjacent backgrounds are moving into the managed services market as MDRs – most notably EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) vendors. For MSSPs that are looking to provide more value and differentiate their services to remain competitive, D3’s MDR Toolkit can provide great leverage. The MDR Toolkit also works well for internal security teams that don’t want to outsource, instead becoming an ‘in-house MDR’.
How D3’s Event Pipeline Supports ‘Hyperautomation in Security’
D3 is listed by Gartner as a representative vendor for ‘Hyperautomation in Security’, as noted in its recent edition of Emerging Technologies and Trends Impact Radar for Security. You can download the report from our Resource Library. Hyperautomation is named as one of the top strategic technology trends for 2022 by Gartner. According to Gartner analyst Fabrizio Biscotti, Hyperautomation has “shifted from an option to a condition of survival.”
So what exactly is hyperautomation? As we noted in our earlier blog: “Hyperautomation refers to streamlining processes by automating as much as possible across multiple technologies. It can be thought of as automation on a larger scale, addressing whole systems of manual tasks instead of single actions.”
Gartner recommends focusing hyperautomation on repetitive, time-consuming processes, which is precisely what the Event Pipeline enables. In the absence of D3’s SOAR platform, alert triage can be one of the biggest time-sinks in the SOC, with analysts sorting through endless undifferentiated alerts. By automating the triage process across integrated technologies, the Event Pipeline provides the perfect use case for hyperautomation in the SOC.