Knowledge is power. The phrase is especially true in the context of an enterprise SOC, where limited information can lead to hours wasted investigating a meaningless alert, or worse, allowing a dangerous incident to slip by undetected.
In the fast-paced world of cybersecurity incident response, how you get the information you need is paramount. There simply isn’t enough time to manually move between systems, third-party apps, and other data sources, gathering contextual data and copying it back into your incident response platform (IRP). That’s why at D3, we’ve been building out our automation and orchestration features to support streamlined and effective response workflows. We’ve covered these features and concepts in detail previously on this blog.
A key component of our automation and orchestration offering is our integrations with VirusTotal and DomainTools. These two integrations alone can save analysts huge amounts of time by automatically populating incident records with reputation data that identifies known threats. One of our customers told us that he used to manually copy and paste hashes from these sources hundreds of times every day. With our integrations, analysts like him can get all that time back to work on the tasks that require their expertise.
We recently released a short briefing that describes the specifics of our integrations with VirusTotal and DomainTools for incident response, and how they can help you improve your cybersecurity. You can download that document from our resources section, but in this blog post, we’ll cover some of the key points.
VirusTotal is a searchable repository of file intelligence: files submitted from around the world, scanned by dozens of antivirus engines and indexed by hash. D3’s fully customizable integration automatically looks up the hashes of files implicated in an incident against that repository and enriches the D3 incident record with the results, such as the file hashes themselves and the detection (reputation) score, so that the information your analysts need is already in place when they open the incident record. One caveat worth building into the workflow: a hash that VirusTotal has never seen is not evidence that the file is clean, only that nobody has submitted it yet, so "unknown" should be recorded as its own verdict rather than folded into "clean". Security teams also use the integration to build their own repository of hashes, IP addresses, and domain names, all stored within D3.
DomainTools works similarly to VirusTotal, but instead analyzes the domains that appear in an incident’s data. As with VirusTotal, the D3 integration automatically captures the relevant domain intelligence and enriches the incident record, all without requiring analysts to switch platforms. Contextual data from DomainTools includes the IP address the domain resolves to, its geolocation, and registration details such as the domain owner. Based on the domain’s reputation score, D3 can block the domain and the domains associated with it (typically found by pivoting on a shared registrant, name servers, or hosting IP). The ability to identify related domains is particularly useful during phishing investigations, where an attacker often registers several look-alike domains at once. The block threshold and the pivot should be tuned so that legitimate sites that merely share hosting infrastructure with a malicious domain are not swept up with it; the safe rule is to block an associated domain only when it scores badly on its own.
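As an added illustration of the enrichment step the two paragraphs above describe, the following Python module is not D3’s code and does not call either vendor’s API. It extracts hashes and domains from a pasted alert, looks each one up through a pluggable lookup function, caches results in a local indicator store (the "own repository" the post mentions), and decides which domains to block, pivoting to associated domains but blocking only those that score high themselves. Everything specific is an assumption: the `.example` domains, the TEST-NET IP, the detection thresholds, the file-extension list, and the DomainTools response shape. The VirusTotal fixture only mirrors the shape of `data.attributes.last_analysis_stats` from the v3 `GET /api/v3/files/{hash}` endpoint; the values are constructed.

```python
"""Constructed enrichment step of the kind described above (not D3's code).
VirusTotal and DomainTools are stood in for by the inline fixtures below."""
import re
from typing import Callable, Dict, List, Optional

HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,24}\b", re.I)
FILE_EXTENSIONS = {"docx", "xlsx", "pdf", "exe", "dll", "zip", "js", "lnk"}  # assumed list

VT_MALICIOUS_MIN = 5   # engines flagging "malicious" before a hash counts as malicious (assumed)
DT_BLOCK_MIN = 70      # 0-100 domain risk score at which auto-blocking is allowed (assumed)

# Constructed fixtures standing in for API responses. The VirusTotal entries have the
# shape of data.attributes.last_analysis_stats from GET /api/v3/files/{hash}; the
# DomainTools entries are an assumed simplification (risk score plus pivot data).
VT_FIXTURE = {
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f":
        {"malicious": 62, "suspicious": 0, "undetected": 8, "harmless": 0},
    "d41d8cd98f00b204e9800998ecf8427e":
        {"malicious": 0, "suspicious": 0, "undetected": 70, "harmless": 0},
}

def _dt(score: int, registrant: str, associated=()) -> dict:
    return {"risk_score": score, "ip": "203.0.113.10", "country": "NL",
            "registrant": registrant, "associated": list(associated)}

DT_FIXTURE = {
    "invoice-portal.example": _dt(92, "REDACTED FOR PRIVACY",
                                  ["invoice-portal-login.example", "shared-host.example"]),
    "invoice-portal-login.example": _dt(88, "REDACTED FOR PRIVACY"),
    "shared-host.example": _dt(4, "Example Hosting BV"),  # same hosting IP, legitimate site
}

def refang(text: str) -> str:
    """Undo analyst defanging (hxxp, [.]) so the regexes match."""
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("{.}", ".")):
        text = text.replace(old, new)
    return text

def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Pull file hashes and domains out of free-text incident data."""
    text = refang(text)
    hashes = sorted({h.lower() for h in HASH_RE.findall(text)})
    domains = sorted({d.lower() for d in DOMAIN_RE.findall(text)
                      if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS})
    return {"hashes": hashes, "domains": domains}

def vt_verdict(stats: Optional[dict]) -> str:
    """Map VirusTotal detection counts to a verdict; a miss is 'unknown', not 'clean'."""
    if stats is None:
        return "unknown"
    if stats["malicious"] >= VT_MALICIOUS_MIN:
        return "malicious"
    return "suspicious" if stats["malicious"] or stats["suspicious"] else "clean"

def dt_verdict(profile: Optional[dict]) -> str:
    """Map an (assumed) 0-100 domain risk score to a verdict."""
    if profile is None:
        return "unknown"
    return "malicious" if profile["risk_score"] >= DT_BLOCK_MIN else "clean"

def enrich_incident(text: str, repo: Dict[str, dict],
                    vt_lookup: Callable = VT_FIXTURE.get,
                    dt_lookup: Callable = DT_FIXTURE.get) -> dict:
    """Enrich one incident. `repo` is the SOC's own persistent indicator store:
    a hit there is reused, so each rate-limited API is asked once per indicator."""
    iocs = extract_iocs(text)
    record = {"indicators": {}, "block": [], "lookups": 0}

    def resolve(value: str, kind: str, lookup: Callable, verdict_fn: Callable) -> dict:
        if value not in repo:
            record["lookups"] += 1
            raw = lookup(value)
            repo[value] = {"kind": kind, "verdict": verdict_fn(raw), "details": raw or {}}
        record["indicators"][value] = repo[value]
        return repo[value]

    for h in iocs["hashes"]:
        resolve(h, "hash", vt_lookup, vt_verdict)
    for d in iocs["domains"]:
        if resolve(d, "domain", dt_lookup, dt_verdict)["verdict"] != "malicious":
            continue
        record["block"].append(d)
        # Pivot to associated domains, but block only those that score high on their
        # own: a shared hosting IP or registrar must not drag legitimate sites in.
        for assoc in repo[d]["details"].get("associated", []):
            if resolve(assoc, "domain", dt_lookup, dt_verdict)["verdict"] == "malicious":
                record["block"].append(assoc)
    record["block"] = sorted(set(record["block"]))
    return record

# Constructed alert text, defanged the way an analyst would paste it into a ticket.
SAMPLE_ALERT = """Phishing report: mail from billing@invoice-portal[.]example linking to
hxxp://invoice-portal[.]example/login with attachment invoice.docx.
Attachment sha256 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f,
dropped file md5 d41d8cd98f00b204e9800998ecf8427e, script sha1
da39a3ee5e6b4b0d3255bfef95601890afd80709. Reporting host 10.0.4.17."""

if __name__ == "__main__":
    result = enrich_incident(SAMPLE_ALERT, {})
    print(result["block"], result["lookups"])
```

On the constructed alert, the first pass makes six lookups (three hashes, the phishing domain, and its two associated domains), marks the unseen SHA-1 as unknown rather than clean, and blocks the two high-risk domains while leaving `shared-host.example` alone even though it sits on the same IP. A second pass over the same store makes no lookups at all, which is the point of keeping a local repository in front of rate-limited third-party APIs.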
There are many benefits to automation and orchestration features like these, including a reduced chance of human error and the ability to accumulate a repository of data on past threats. The most salient benefit, however, is saving your analysts’ valuable time. In the document detailing the VirusTotal and DomainTools incident response integrations, we estimate that in an enterprise SOC, manual data lookups might waste up to 18,250 person-hours per year.
The time saved by automation can be reinvested in strengthening your overall cybersecurity. It frees analysts to conduct deeper investigations with root-cause remediation, perform link analysis to find connections between incidents, and identify recurring vulnerabilities. Analysts can also use the time to be more proactive, hunting for IOCs on the network instead of always playing defense.
More D3 Automation
While these integrations are a key component of D3’s automation and orchestration suite, they are not all that we offer. D3 also provides valuable features like:
- Two-way SIEM integration with one-click creation of incidents and cases in D3.
- Threat intelligence integrations with a variety of sources.
- Orchestration features for enterprise-wide communication and collaboration.
- A visual playbook editor for triggering automated steps and adapting to threats on the fly.
- Automated response actions, such as blocking an IP or user.
D3’s automation and orchestration features offer security teams the rare opportunity to free themselves from the never-ending barrage of alerts and actually get out in front of the real threats. For more details, please download the new document describing our integrations with VirusTotal and DomainTools from our resource library.