We’re thrilled to announce that we will be presenting our NextGen SOAR platform at the Microsoft booth (#2340) at Black Hat USA 2022. On Thursday the 11th at 1 PM PST, D3 Security’s Tom Byrne will demonstrate how to enhance security incident response by leveraging NextGen SOAR’s deep integrations with Microsoft products like Defender for Endpoint, Azure Sentinel, Office 365, and Azure Active Directory, to name a few. We’ll also be showing how D3’s Event Pipeline dramatically improves the lives of security operations center (SOC) analysts by ensuring that only genuine threats are investigated. It’s important because SOC analysts struggle to triage overwhelming numbers of security alerts, and this persistent SecOps pain point inevitably leads to bad outcomes for cyber security blue teams.
D3 Security’s NextGen SOAR has revolutionized incident response by providing actionable and meaningful alerts to SOC analysts, and by streamlining incident response down to seconds or minutes instead of hours or days. NextGen SOAR provides visibility across your entire enterprise—including apps, networks, endpoints, cloud services, and more. As Microsoft Defender for Endpoint grows in popularity, we have developed a robust integration with it (as well as with other leading endpoint detection and response tools) to help orchestrate investigation and remediation workflows across the tech stack. We’ll be showing how to monitor attacker techniques used by real-world adversaries that Microsoft Defender has been detecting in the wild.
If you’re going to be at Black Hat 2022, here’s what you can expect, and if you can, dive deeper by downloading our integration guide.
How D3’s Event Pipeline Helps Microsoft Customers Filter Out the Noise
One of the major innovations D3 Security brings to the table is the Event Pipeline, our global event playbook. It essentially brings hyperautomation capabilities to your SOC. Instead of playing whack-a-mole with security alerts and manually dealing with false positives, the Event Pipeline automatically identifies and removes the false positives, leaving only real incidents for your incident responders. Let’s look at how NextGen SOAR ingests and analyzes Microsoft Azure Sentinel events.
- As the alert data flows into NextGen SOAR, it is first normalized to make it available for search and processing. Relevant metadata such as IP addresses and URLs are extracted, along with any other artifacts.
- Next, the pipeline deduplicates and correlates the event, enriching it with any available threat intelligence sources to determine risk. MITRE ATT&CK tactic, technique, and procedure (TTP) labels are applied if available.
- If the Microsoft Sentinel event meets criteria such as a high-risk score from threat intelligence platforms or the presence of key assets in the artifacts, it is escalated and assigned to an analyst. If no risk is found, it is dismissed as a false positive.
By using D3’s Event Pipeline to filter Azure Sentinel alerts, 90 percent or more of alerts can be safely filtered out before human analysts are required to investigate them.
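The three pipeline stages described above, as an added illustrative sketch in Python (not D3’s code or API); the Sentinel-style sample alerts, threat-intel scores, key-asset list and 80-point risk threshold are constructed assumptions:

```python
import re

# Constructed Sentinel-style alerts (sample data, not from a real tenant).
SAMPLE_EVENTS = [
    {"id": "evt-1", "title": "Suspicious sign-in", "host": "finance-db01",
     "text": "Interactive logon from 203.0.113.7", "tactic": "InitialAccess"},
    {"id": "evt-2", "title": "Suspicious sign-in", "host": "finance-db01",
     "text": "Interactive logon from 203.0.113.7", "tactic": "InitialAccess"},
    {"id": "evt-3", "title": "URL clicked", "host": "wks-007",
     "text": "User opened http://example.net/invoice in browser", "tactic": None},
    {"id": "evt-4", "title": "Outbound beacon", "host": "wks-042",
     "text": "Periodic connection to 198.51.100.20:443", "tactic": "CommandAndControl"},
]
# Constructed threat-intel scores (0-100), key-asset list and threshold: assumptions.
THREAT_INTEL = {"198.51.100.20": 95, "http://example.net/invoice": 20}
KEY_ASSETS = {"finance-db01"}
RISK_THRESHOLD = 80

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def normalize(event):
    """Stage 1: extract IP/URL artifacts and build a stable key for deduplication."""
    text = event["text"]
    artifacts = sorted(set(IP_RE.findall(text)) | set(URL_RE.findall(text)))
    key = (event["title"], event["host"], tuple(artifacts))
    return {**event, "artifacts": artifacts, "dedup_key": key}

def enrich(event):
    """Stage 2: score artifacts against threat intel and carry the ATT&CK tactic label."""
    risk = max((THREAT_INTEL.get(a, 0) for a in event["artifacts"]), default=0)
    return {**event, "risk": risk, "ttp": event.get("tactic") or "unlabelled"}

def triage(event):
    """Stage 3: escalate on a high risk score or a key asset, otherwise dismiss."""
    if event["risk"] >= RISK_THRESHOLD or event["host"] in KEY_ASSETS:
        return "escalate"
    return "dismiss"

def run_pipeline(events):
    """Return {event id: decision}; a repeat of an already-seen event is marked duplicate."""
    seen, decisions = set(), {}
    for raw in events:
        event = normalize(raw)
        if event["dedup_key"] in seen:
            decisions[event["id"]] = "duplicate"
            continue
        seen.add(event["dedup_key"])
        decisions[event["id"]] = triage(enrich(event))
    return decisions
```

Running `run_pipeline(SAMPLE_EVENTS)` escalates evt-1 (key asset) and evt-4 (risk 95), drops evt-2 as a duplicate, and dismisses evt-3 (risk 20 on a non-key host).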
33 Microsoft Integrations and Counting…
As a Microsoft Intelligent Security Association (MISA) member, D3 offers NextGen SOAR integrations that span the Microsoft ecosystem, with 23 integrations on the Azure cloud platform alone. Other notable Microsoft integrations include Microsoft Teams, Exchange Web Services, Office 365 (O365), Active Directory, and Microsoft Defender for Endpoint, to name a few. Let’s explore some of these integrations in detail.
Email is the leading attack vector that adversaries use to gain a foothold in an organization. It’s estimated that 3 billion phishing emails are sent daily, and in spite of their ubiquity, they are hugely effective. 74% of organizations in the U.S. have fallen victim to phishing attacks, according to Proofpoint’s 2021 State of the Phish Report.
NextGen SOAR shines when it comes to dealing with attacks at scale. With our MS Office 365 integration, D3 can automate the process of retrieving potential phishing emails, parsing out the artifacts, checking their reputation against threat intelligence and past incidents, and determining whether the email is a genuine threat. If it is, we can then find other instances of the same email across your company’s inboxes.
Microsoft Defender for Endpoint
Microsoft Defender users can perform 27 different actions using D3, including running advanced hunting queries, fetching related events, and quarantining files and hosts. These actions can be fully automated as a part of an incident response playbook to shut down any threats before they cause any damage.
Collaboration and communication between teams are essential for speedy and effective incident response. Companies that use Microsoft Teams can use NextGen SOAR to orchestrate 16 commands, such as adding members to a team, creating teams, sending messages to a specific channel, getting message replies, and more.
Azure Active Directory
Our integration with Azure AD (and on-premises AD) enables companies to enrich security incidents with user and group information, manage users and groups from D3, and quickly orchestrate remediation actions like forcing a password reset or revoking a sign-in session.
D3’s Microsoft Integrations Also Save Time and Money for MSSPs
As a managed security service provider (MSSP), protecting your clients’ networks and data has never been more challenging. Cybersecurity managed services teams face many of the same issues as enterprise SOC teams, but with the added complexity of supporting multiple customers. MSSPs are not always given direct access to all of their clients’ tools, and they may prefer to become experts in one tool rather than build expertise in the myriad tools used across their client base. This is where the Microsoft and D3 partnership is helpful – it lets MSSPs secure their customers from a single interface.
Our deep integrations with Microsoft products enable MSSPs to automate and orchestrate response actions across multiple portions of Microsoft’s security stack. This can help them process and remediate alerts faster and more frequently, without direct access to a client’s tools. And the Event Pipeline allows MSSPs to scale operations without hiring additional people to monitor and triage alerts.
Giveaway: Laptop Bags For Black Hat Attendees
Pre-register for D3’s session and take home this sweet laptop bag, which has room for a laptop plus plenty of the swag you might find at the event. We’re giving away 25 of these on a first-come, first-served basis, so don’t waste any time and sign up right away.
Can’t Make It to Black Hat 2022?
Black Hat USA 2022 isn’t the only place you can see NextGen SOAR in action. We have a bunch of on-demand webinars to get you started. And if you have any questions, join us at our next product demo to explore and discuss NextGen SOAR’s extensive feature set, ranging from our 500+ integrations, codeless playbooks, reporting, and case management to operationalizing MITRE ATT&CK. Let us show you what our SOAR platform can do for you! Register for your seat here.