Why D3 is the “Perfect” Incident Response Platform for Splunk Users

By Stan Engelbrecht September 25, 2017 incident-response, security-orchestration-automation-response

D3 is excited to support our partner Splunk as a Mega-level sponsor of .conf2017: The 8th Annual Splunk Conference.  The conference—running from September 25-28 in Washington, DC—consistently draws some of the most innovative folks in the security business, and it’s one of our favorite places to connect with our customers, make connections, and show off our newest technology.

That’s why we’re especially looking forward to demonstrating our latest product release at the conference, which combines powerful automation and orchestration features with the industry’s most robust incident/case management solution.

We believe (and have been told) that our solution is the perfect incident response platform (IRP) for Splunk users, because it offers the broadest, and deepest, range of functionality. Our bi-directional integration with Splunk is fully configurable, allowing users to bring over whatever information they need. Our automation features gather all the available contextual data, provide a false positive probability score, and support fully or partially automated response. Also, uniquely among IRP vendors—especially compared to those focused solely on automation—we build upon our Splunk integration with an enterprise-wide incident management workflow, including data profiling, forensics case management, granular information access controls, and HR and legal support. It’s this rich and varied feature set that have made D3 the choice of 100+ Fortune 500 organizations.

Below, we’ve highlighted a few of the key features that make D3 the perfect incident response solution for Splunk users.

Splunk Integration

D3 is a certified partner with Splunk Enterprise Security, which has made it possible for us to develop a fully configurable two-way integration. Analysts can escalate Splunk events into D3 with a single click, and then use a custom landing page to specify the incident type, priority level, who the incident is assigned to, and more, as well as linking the incident to a new or existing case.

D3 automatically pulls a great deal of data from the Splunk event and auto-populates the D3 incident report with it, including the raw event data, previous incidents involving the same IPs, and more. Uniquely, your admins are empowered to customize the Splunk fields that get brought over to D3, ensuring that you get the exact data you need—not what your vendor decided you might need.

D3 also offers additional features for a seamless workflow. Analysts have the ability to search Splunk data from the D3 interface and escalate events into D3—all without having to change windows. We also provide a D3 dashboard that you can use within Splunk. Incident reports in D3 automatically update to this dashboard, so Splunk users can see the latest information on past and active incidents in D3, complete with incident and case numbers, without having to switch over to D3.

Automation and Orchestration

Our Splunk integration is bolstered by our new suite of automation features. Now, when you escalate an event to D3, you don’t just get SIEM data. D3 automatically parses out IP addresses from the event and queries apps like VirusTotal, Domaintools, and Maxmind for reputation ratios and contextual information, which is populated within the incident report. So by the time you open up the incident in D3, virtually all the information you need is right in front of you.

Case Management

Many vendors focus heavily on the initial phase: going from detection in Splunk to the beginning of the investigation in the IRP. Unlike others in the space, D3 is a true full-lifecycle IRP, which takes you all the way through containment, remediation, recovery, and even post-incident activities. It’s these features that help make D3 such a valuable tool for Splunk users.

For example, no other vendor can match our case management capabilities, which are crucial for understanding and resolving recurring threats, related incidents, and major investigations. D3 has a dedicated forensics module for investigations, as well as a powerful link analysis tool, and case folders that can be created directly from Splunk to group together incidents for a collaborative response.

Access Controls

Technical incident response might take place in the SOC, but to truly manage the full scope of the response, you often need to involve other teams, such as Legal and HR. Unfortunately, the lack of configurable access controls in most IRPs make this a difficult task, and responders often have to rely on email, Excel, and SharePoint to coordinate with these groups. This needlessly manual step can result in increased remediation times, compliance violations, and audit trail problems.

For this purpose, D3 offers highly granular access controls. Every user gets access to exactly the level of data that they are authorized to see. Temporary users, such as the HR team, can be granted provisional access to subsets of data that they need to review or approve—such as for the retention of employee data. All access is logged in an audit trail, for provable chain-of-custody during an audit or legal proceedings. Strong access controls also minimize the risk of data breaches, because fewer people have access to sensitive data.

Reporting

Reporting is another important aspect of incident response that is overlooked by most vendors. Reporting and metrics provide visibility into processes and outcomes, and are the best way to communicate the activities of the SOC to senior leadership and other stakeholders. D3 allows you to report on almost any data in the system in easily understood visual presentations. We also give you access to metrics like the number of incidents in a timeframe, average response times, time spent on specific response phases, and employee performance. These can be compared against benchmarks and historical averages to give you actionable information about where you’re doing well and where you can improve.

D3 + Splunk

The bottom line is that D3 provides the automation and orchestration features you need to speed contextualization and response, PLUS the incident/case management workflow required for in-depth investigations, data profiling, compliance reporting, and root cause analysis. Combined with the industry’s most robust access controls, these are the reasons why D3 is the ideal incident response solution for organizations with Splunk Enterprise Security. If you’re going to be at .conf2017: The 8th Annual Splunk Conference, come see us at Booth M8. We’ll show you the features we’ve discussed in this post, and answer any questions you might have.

If you aren’t at the conference, check out our brand-new whitepaper, co-produced with the Chertoff Group, which further describes how D3 can work alongside your SIEM in a next-generation threat management infrastructure that includes automation and incident/case management.

Stan Engelbrecht

Stan Engelbrecht

Stan is the director of D3’s cybersecurity practice and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure organization- and industry-tailored solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.


Comments

Add a comment:

email

username

url

your comment

Your comment will be revised by the site if needed.