We are proud to announce the release of our most ambitious and innovative project yet: D3 SOAR 2.0. While it may be a bold claim to make, we truly see this new release as pushing the SOAR market forward with both improvements to previous capabilities and entirely new capabilities that no other platform offers. In this article, we will describe all the highlights of the new platform.
Before we get to all the features, here are what we see as the three most important takeaways for our current and future clients:
If you want to see the platform in action, schedule a one-on-one demo with our product experts today.
More than 200 Out-of-the-Box Integrations
D3 SOAR 2.0 supports more than 200 out-of-the-box integrations with cybersecurity tools such as SIEMs, Endpoint Detection and Protection, Threat Intelligence, Network Security, and ITSM. Clients’ SOC engineers configure their preferred tools in one centralized place to connect them with D3 SOAR. The D3 Data Model lets SOC teams ingest, normalize, and transform raw event data from a multitude of cyber event sources, using predefined mappings into D3’s schema.
Codeless Playbook Editor
D3’s Codeless Playbook Editor allows SOC teams to easily modify D3’s out-of-the-box playbooks and set up complex workflow logic. The flexible nature of the Playbook Editor enables organizations to meet their unique incident response requirements. The workflow is visually mapped to allow SOC teams to contextually configure the orchestration and automation of tasks. This allows D3 to support the continuous interaction between the analyst, information sources, and action receivers.
Playbook Tasks offered in our SOAR 2.0 platform include:
Time-Based Link Analysis
Link Analysis provides a visual representation of the relationship between incidents, artifacts, and techniques. It allows the analyst to gain a comprehensive view of what has happened, and easily identify any correlated components like TTPs used by the adversary.
One main benefit of Link Analysis is that the analyst can understand the relationships between artifacts and events without having to read pages of reports. The on-screen visual also allows them to spot attacks where traditional detection methods fail to provide adequate information.
Time-Based Link Analysis highlights include:
Automated Event & Artifact Enrichment
D3 automatically enriches Events and Artifacts through a variety of threat intelligence platforms, the client’s local systems, and D3’s database. This enables the analyst to quickly obtain additional information, such as the artifact’s reputation, to facilitate the investigation and incident response.
Enrichment highlights include:
Simplified Event Correlation & Deduplication
D3 SOAR 2.0 automatically correlates events and incidents from local and external data sources. Examples of these external data sources include SIEM, email servers, Endpoint Detection and Protection, and Network Security.
The event deduplication process performed by the system ensures duplicate events are identified and subsequently grouped into a new incident or linked to an existing incident.
This substantially accelerates the analyst’s process of monitoring large volumes of security alerts by intelligently showing correlated events so that the analyst can remove false positives in bulk.
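As an added illustration of the two mechanisms described above (field mappings that normalize events from different sources into one schema, and the deduplication and correlation of those events into incidents), the following Python is example code written for this article, not D3’s own implementation. The source names, field mappings, sample alerts and the one-hour correlation window are all constructed assumptions.

```python
"""Added example, not D3's code: normalize raw alerts from two constructed
sources into one common schema, then de-duplicate and correlate them into
incidents. Source names, field mappings and the one-hour window are assumptions."""
import hashlib
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical SIEM and a hypothetical EDR.
RAW_EVENTS = [
    {"source": "siem", "ts": "2023-05-01T10:00:00", "rule": "Suspicious login",
     "src_ip": "203.0.113.7", "user": "Alice"},
    {"source": "siem", "ts": "2023-05-01T10:05:00", "rule": "Suspicious login",
     "src_ip": "203.0.113.7 ", "user": "alice"},             # duplicate of the first
    {"source": "edr", "event_time": "2023-05-01T10:20:00", "alert_name": "Malware detected",
     "remote_ip": "203.0.113.7", "account": "bob"},          # shares the IP artifact
    {"source": "siem", "ts": "2023-05-01T13:00:00", "rule": "Suspicious login",
     "src_ip": "203.0.113.7", "user": "alice"},              # same key, outside the window
    {"source": "edr", "event_time": "2023-05-01T13:10:00", "alert_name": "Port scan",
     "remote_ip": "198.51.100.4", "account": "carol"},       # unrelated to the others
]

# Predefined per-source field mappings onto the common schema (assumed names).
MAPPINGS = {
    "siem": {"timestamp": "ts", "title": "rule", "ip": "src_ip", "username": "user"},
    "edr": {"timestamp": "event_time", "title": "alert_name", "ip": "remote_ip",
            "username": "account"},
}


def normalize(raw):
    """Map a raw event onto the common schema and canonicalize artifact values."""
    mapping = MAPPINGS[raw["source"]]
    event = {field: raw[src_field] for field, src_field in mapping.items()}
    event["source"] = raw["source"]
    event["timestamp"] = datetime.fromisoformat(event["timestamp"])
    event["ip"] = event["ip"].strip()              # stray whitespace must not defeat dedup
    event["username"] = event["username"].strip().lower()
    return event


def dedup_key(event):
    """Events with the same title and the same artifacts are duplicate candidates."""
    material = f"{event['title']}|{event['ip']}|{event['username']}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def correlate(events, window=timedelta(hours=1)):
    """Fold duplicates into the incident that already holds their key, link
    events that share an artifact with a recent incident, otherwise open a
    new incident. Events are processed in time order."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        key = dedup_key(ev)
        target = None
        for inc in incidents:
            if ev["timestamp"] - inc["last_seen"] > window:
                continue                    # stale incident: never merge across the window
            if key in inc["keys"]:
                inc["duplicates"] += 1      # counted, not shown to the analyst again
                target = inc
                break
            if ev["ip"] in inc["artifacts"] or ev["username"] in inc["artifacts"]:
                target = inc                # correlated through a shared artifact
                break
        if target is None:
            target = {"id": len(incidents) + 1, "events": [], "keys": set(),
                      "artifacts": set(), "duplicates": 0, "last_seen": ev["timestamp"]}
            incidents.append(target)
        if key not in target["keys"]:       # duplicates are not appended
            target["events"].append(ev)
            target["keys"].add(key)
        target["artifacts"].update({ev["ip"], ev["username"]})
        target["last_seen"] = max(target["last_seen"], ev["timestamp"])
    return incidents


def run_example():
    """Normalize the constructed events and correlate them into incidents."""
    return correlate([normalize(raw) for raw in RAW_EVENTS])


if __name__ == "__main__":
    for inc in run_example():
        titles = [e["title"] for e in inc["events"]]
        print(f"incident {inc['id']}: {titles}, duplicates={inc['duplicates']}, "
              f"artifacts={sorted(inc['artifacts'])}")
```

With the constructed input this yields three incidents: the first holds the login alert and the EDR malware alert that share an IP address, with the repeated login alert counted as a duplicate rather than displayed again; the login alert three hours later opens a fresh incident because it falls outside the correlation window; the port scan, sharing no artifact with anything recent, opens a third. The window check runs before the key comparison so that a long-running false positive cannot silently absorb every later event with the same signature.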
Granular Access Control
D3 SOAR 2.0 introduces stage-based access controls at the playbook and incident level. The incident owner is provided with the flexibility to customize privileges, workflows, and auto assignments of investigators based on the incident stage.
In addition, D3 offers granular access control at the user, role, group, and site level. The SOC Team can restrict what information is visible in the event, incident, and playbook. This control can be extended to user privileges when performing certain actions, such as editing an incident description.
Group level controls allow the SOC team to be logically separated based on the needs of the department. This separation of the application helps streamline processes for the department and controls the types of information each team member can access.
Site level controls allow large corporations to set up individual environments for their unique organizational structures and requirements.
D3 SOAR 2.0 has been designed to support granular access control, centralized account management, and multitenancy for MSSP clients and cloud big data use cases.
D3’s distributed architecture and cross-site Single Sign-On allow an MSSP’s new clients to be onboarded within a few minutes, with access-controlled visibility and isolated databases. Incident response playbooks can be established, standardized, and automated for each client, and customizable SLAs can be incorporated to improve service delivery and build customer trust.
D3 enables MSSPs to collaborate with clients in a unified workspace for incident investigation. MSSPs can perform data enrichment and remediation in client-specific playbooks directly on the client network over a secure remote connection, for streamlined managed service operations and real-time data visibility.
D3 supports cloud big data multitenancy by connecting to big data services such as Microsoft Azure and Amazon AWS. D3 ingests events and feeds them into its multitenancy pipeline, which provides physical and logical separation between tenants together with access-controlled data centralization and sharing. Privileged users can move across those physical and logical boundaries.
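To make the access-control model of this section concrete (site isolation for tenants, group scoping, stage-dependent privileges, owner-controlled overrides and stage-based auto-assignment), here is an added Python example written for this article; it is not D3’s code and does not reflect D3’s actual policy format. The roles, stages, actions, users and the rule that an owner’s override can only narrow the baseline are assumptions chosen for illustration.

```python
"""Added example, not D3's code: a default-deny authorization check that
combines site (tenant) isolation, group scoping and a stage-by-role action
matrix, plus an owner-only stage transition with auto-assignment. Role,
stage and action names are assumptions chosen for illustration."""

STAGES = ("triage", "investigation", "containment", "closed")

# Baseline policy: role -> stage -> allowed actions (hypothetical values).
BASELINE = {
    "analyst": {
        "triage": {"view", "comment", "assign"},
        "investigation": {"view", "comment", "run_enrichment"},
        "containment": {"view", "comment"},
        "closed": {"view"},
    },
    "responder": {
        "triage": {"view", "comment"},
        "investigation": {"view", "comment", "run_enrichment"},
        "containment": {"view", "comment", "run_remediation", "edit_description"},
        "closed": {"view"},
    },
    "manager": {stage: {"view", "comment", "assign", "edit_description"} for stage in STAGES},
}

# Hypothetical per-stage auto-assignment configured by the incident owner.
AUTO_ASSIGN = {"investigation": "tier2-queue", "containment": "responder-on-call"}


def is_allowed(user, incident, action):
    """Return True only if every layer permits the action (deny by default)."""
    if user["site"] != incident["site"]:
        return False                        # tenant isolation is checked first
    if incident["group"] not in user["groups"]:
        return False                        # group scoping within the site
    allowed = set(BASELINE.get(user["role"], {}).get(incident["stage"], set()))
    # Owner overrides for the current stage can only narrow the baseline
    # (a design choice of this example, not something the page states).
    override = incident.get("stage_overrides", {}).get(incident["stage"])
    if override is not None:
        allowed &= set(override)
    return action in allowed


def advance_stage(incident, actor, new_stage):
    """Owner-only stage transition that applies the stage's auto-assignment.
    Returns True on success, False if the actor is not the owner or the
    stage is unknown; the incident is left untouched on failure."""
    if actor["name"] != incident["owner"] or new_stage not in STAGES:
        return False
    incident["stage"] = new_stage
    if new_stage in AUTO_ASSIGN:
        incident["assignee"] = AUTO_ASSIGN[new_stage]
    return True


# Constructed users and incident: two sites (tenants) share the same group name,
# which is exactly why the site check must come before the group check.
ALICE = {"name": "alice", "site": "acme", "groups": {"soc-tier1"}, "role": "analyst"}
ROB = {"name": "rob", "site": "acme", "groups": {"soc-tier1"}, "role": "responder"}
BOB = {"name": "bob", "site": "acme", "groups": {"soc-tier1", "soc-tier2"}, "role": "manager"}
MALLORY = {"name": "mallory", "site": "globex", "groups": {"soc-tier1"}, "role": "manager"}
INCIDENT = {"id": 42, "site": "acme", "group": "soc-tier1", "stage": "triage", "owner": "bob"}

if __name__ == "__main__":
    inc = dict(INCIDENT)
    print("alice may assign at triage:", is_allowed(ALICE, inc, "assign"))
    print("mallory (other site) may view:", is_allowed(MALLORY, inc, "view"))
    advance_stage(inc, BOB, "containment")
    print("after containment, assignee:", inc.get("assignee"))
    print("rob may remediate:", is_allowed(ROB, inc, "run_remediation"))
    print("alice may assign now:", is_allowed(ALICE, inc, "assign"))
```

The ordering inside is_allowed is the point worth copying: the tenant boundary is evaluated before any role or stage logic, so a manager from another site is refused even the "view" action, and a role lookup that fails for any reason falls through to an empty set rather than to a permissive default.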
Advanced Reporting & Analysis
The Reporting & Analytics dashboard provides a space for SOC managers and executives to review operational KPIs.
Key metrics are provided out-of-the-box to help track the organization’s security posture and the SOC team’s performance. These features include the ability to:
Below is an example of how the SOC Team would typically respond to a phishing email campaign using D3 SOAR 2.0: