Cloud security is becoming an increasingly important aspect of organizations’ overall security posture, but cloud security tools don’t always fit seamlessly with locally hosted security stacks. As SOAR moves into its next generation, it needs to be the solution that unites cloud and locally hosted security tools and allows organizations to protect the entirety of their assets with the best possible tools—no matter where their systems are hosted.
To achieve these goals, D3 has joined forces with several of the best vendors in the space, including Datadog, Microsoft Azure, Sumo Logic, and Amazon Web Services (AWS). Our integrations with these cloud vendors enable us to bring automation and orchestration to advanced use cases in order to combat sophisticated cyber threats.
These days, even the most old-fashioned organizations use some cloud-based systems, but most still host other systems locally. This can create complications for security teams that have to manage two separate toolsets that don’t always work together. For organizations that have some cloud assets, but also some on-premise assets, D3 can sit between both environments, aggregating alerts and orchestrating responses across on-prem and cloud stacks.
Instead of having separate tools for incident response in the cloud, D3 can integrate with Azure Sentinel, Sumo Logic, and other cloud SIEMs, as well as every major on-premise SIEM, so that there is a single system of record for security incidents. This allows the SOC to easily track cyberattacks that move across cloud and local assets, and respond holistically.
Connecting D3 SOAR to cloud security and monitoring tools, like those from Datadog and AWS, enables a new set of use cases that have typically been difficult to automate. Take, for example, a cryptojacking incident, where an adversary hijacks a machine to use its bandwidth to mine for Bitcoin.
Datadog Application Performance Management can detect the symptoms of a hijacked machine in a cloud environment, but lacks the tools to investigate and coordinate a response if the incident is confirmed. Through the integration with D3 SOAR, the event can be escalated, enriched, and analyzed. If confirmed, D3 triggers a cryptojacking-specific playbook that coordinates the response across cloud tools, on-premise tools, and affected employees.
D3 can also automate cryptojacking response in an AWS environment. In this scenario, a Bitcoin warning event would be detected in AWS Security Hub via Amazon GuardDuty. D3 would then ingest the event, enrich it with intelligence, correlate it across other events and incidents, and trigger a remediation playbook. The enrichment and analysis would leverage D3’s AWS EC2 integration to gather the EC2 instance details, take a snapshot of the volume, and get the current security group details.
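The AWS scenario above, as an added example that is not D3’s code and not part of the original post: a small Python playbook that takes a GuardDuty finding as delivered by Security Hub, confirms it is a cryptocurrency finding, extracts the affected EC2 instance, and performs the three enrichment steps the post lists (instance details, volume snapshot, security group details). The finding and the `StubEC2` client are constructed for this example; the stub only mirrors the call names and response shapes of the boto3 EC2 client (`describe_instances`, `create_snapshot`, `describe_security_groups`) so the playbook runs offline, and the assumption is that in a real deployment `boto3.client("ec2")` would be passed in its place.

```python
"""Cryptojacking enrichment playbook driven by a Security Hub finding.

Added example, not D3's code. The finding below is a constructed sample in the
AWS Security Finding Format (ASFF) shape; account, instance, volume and group
ids are made up. StubEC2 stands in for boto3.client("ec2") (assumption).
"""

# Constructed sample finding: the Bitcoin warning GuardDuty raises for an
# instance and Security Hub republishes. Values are fabricated.
SAMPLE_FINDING = {
    "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/EXAMPLE/finding/EXAMPLE1",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
    "Title": "EC2 instance is querying a domain name associated with Bitcoin.",
    "Types": ["TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS"],
    "Severity": {"Label": "HIGH"},
    "Resources": [{
        "Type": "AwsEc2Instance",
        "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def4567890",
        "Region": "us-east-1",
    }],
}


class StubEC2:
    """In-memory stand-in for the boto3 EC2 client (assumption: same call names)."""

    def __init__(self):
        self.instances = {"i-0abc123def4567890": {
            "InstanceId": "i-0abc123def4567890",
            "InstanceType": "t3.large",
            "PrivateIpAddress": "10.0.1.23",
            "SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "web-sg"}],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa111bbb222ccc3"}}],
        }}
        self.security_groups = {"sg-0123456789abcdef0": {
            "GroupId": "sg-0123456789abcdef0",
            "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        }}
        self.snapshots = []  # snapshots "taken" during the run, for the evidence trail

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def create_snapshot(self, VolumeId, Description):
        snap = {"SnapshotId": "snap-%017x" % len(self.snapshots),
                "VolumeId": VolumeId, "Description": Description}
        self.snapshots.append(snap)
        return snap

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.security_groups[g] for g in GroupIds]}


def is_cryptojacking(finding):
    """True when any ASFF type names a GuardDuty CryptoCurrency finding."""
    return any("CryptoCurrency" in t for t in finding.get("Types", []))


def instance_ids_from_finding(finding):
    """ASFF resource ids for EC2 are ARNs; the instance id is the last path part."""
    return [r["Id"].rsplit("/", 1)[-1]
            for r in finding.get("Resources", []) if r.get("Type") == "AwsEc2Instance"]


def run_cryptojacking_playbook(finding, ec2):
    """Enrich a confirmed finding: instance details, volume snapshot, security groups.

    Returns a dict an analyst (or the next playbook stage) can act on, or None
    when the finding is not a cryptojacking finding and the playbook should not fire.
    """
    if not is_cryptojacking(finding):
        return None
    report = {"finding_id": finding["Id"],
              "severity": finding.get("Severity", {}).get("Label", "UNKNOWN"),
              "instances": []}
    for iid in instance_ids_from_finding(finding):
        # Step 1: gather the EC2 instance details.
        inst = ec2.describe_instances(InstanceIds=[iid])["Reservations"][0]["Instances"][0]
        # Step 2: snapshot every attached EBS volume before any remediation touches it.
        volume_ids = [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
        snapshot_ids = [ec2.create_snapshot(VolumeId=v, Description="IR evidence for " + finding["Id"])
                        ["SnapshotId"] for v in volume_ids]
        # Step 3: pull the current security groups and flag unrestricted egress,
        # which is what lets a miner reach its pool or C2 in the first place.
        group_ids = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
        groups = ec2.describe_security_groups(GroupIds=group_ids)["SecurityGroups"]
        open_egress = [g["GroupId"] for g in groups
                       if any(r.get("CidrIp") == "0.0.0.0/0"
                              for p in g.get("IpPermissionsEgress", []) for r in p.get("IpRanges", []))]
        report["instances"].append({
            "instance_id": iid, "instance_type": inst.get("InstanceType"),
            "private_ip": inst.get("PrivateIpAddress"), "snapshots": snapshot_ids,
            "security_groups": group_ids, "unrestricted_egress_groups": open_egress,
        })
    return report


if __name__ == "__main__":
    print(run_cryptojacking_playbook(SAMPLE_FINDING, StubEC2()))
```

The playbook deliberately snapshots before it reads security groups or takes any containment action, so the evidence exists even if a later stage isolates or terminates the instance; the `unrestricted_egress_groups` field is the input a containment step would use to decide which group to tighten.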
Cloud security tools like Sentinel have some basic SOAR features, which leads some cloud security teams to settle for “good enough” instead of integrating with a third-party SOAR platform. However, because D3 integrates seamlessly into the Azure stack and other cloud environments, organizations can benefit from the true depth of SOAR features without compromising ease of use. In fact, D3 SOAR fits into the Azure stack so well that D3 has been added to the Microsoft Intelligent Security Association (MISA) on the strength of its integrations.
If you’re interested in learning more about D3’s cloud security integrations, check out our blog post Three Reasons to Get Excited About D3’s Partnership with Datadog or our Azure Sentinel Integration Guide.
Or, if you’re ready to see D3 NextGen SOAR in action, schedule a demo today.