Nearly all security operations centers (SOCs) with SOAR have learned that their playbooks and integrations require more maintenance than expected. That’s because SOAR playbooks must be manually updated, often using Python, whenever a data source or integration point changes. If your SOC has dozens of tools and playbooks, something as mundane as a software update can create hours of manual work for your SOC analysts–draining human resources and creating an opportunity for your adversaries.
The solution to this problem is to go codeless. Unlike all the “SOAR 1.0” tools, D3’s next-generation SOAR solution abstracts all of the Python coding away, so that SOC analysts can manage playbook lifecycles with only a few clicks. With D3, there is no coding required, whether building a workflow for the newest ransomware, switching endpoint security tools, updating SIEM versions, or adding a new source of threat intelligence. With a few clicks you can make adjustments and scale changes across all of your playbooks and sites.
We made a short video that illustrates how simple it is to manage playbooks and integrations with our codeless editor. And in the article below we’ve expanded on the video to demonstrate how the Codeless Playbook Editor works and what it means for you, through a few common SOC use cases.
Building a SOAR Playbook
In the video, we show you how quick and easy it is to build playbooks using D3’s codeless editor. We walk you through adding a command task to get a URL report from VirusTotal, automatically parsing the incoming data fields, blocking the URL in a Palo Alto firewall, and publishing the playbook to relevant sites—such as SOC layers or, in the case of an MSSP, client sites.
All this can be done without any coding, even if you need to change the tools to which you’re connecting. It works because D3 has scripted its 260+ out-of-the-box integrations in the back end, so the user never has to write or edit a Python script to make an integration work. Custom integrations are almost as easy, simply requiring the user to enter the server URL and API credentials to set up an automated action for a new tool.
Changing Integrations and Data Sources
Other tools generally offer some pre-scripted integrations, but quickly get complicated when you need to go beyond what is available out of the box. This can result in a lot of time spent scripting to keep all your playbooks functional, especially when you need to change a tool or update an integration. Even if you have the expertise on your team, is this really how you want your people spending their precious hours?
For example, when using most SOAR platforms, if you change your firewall to a different product, you would need to rescript all your playbook actions that involve firewalls. Because firewalls are critical security tools, this will probably encompass many actions across many playbooks. In D3, the process simply requires you to select the new firewall from the drop-down menu and place it in the playbook. As you can see in the video, it only takes a few seconds.
Saving SOC Time and Resources
Codeless integrations make D3 the only truly drag-and-drop playbook editor on the market. For our clients, this means effective playbooks are simple to configure, quick to get up and running, and easy to adapt and improve over time. This reduces the up-front investment of resources required for a successful SOAR project, but perhaps more importantly, it also reduces the ongoing time and money that clients spend on SOAR. Maintenance is often overlooked as a driver of hidden costs and complications in SOAR projects, so D3’s codeless playbooks can be a significant cost-saver, while keeping your SOAR platform functioning effectively.
The D3 team will be demoing our SOAR platform at RSA Conference 2020, from February 24-27 in San Francisco. Come visit us at Booth #N6340 to see our Codeless Playbook Editor in action, along with other exciting new features like our embedded MITRE ATT&CK Matrix.
