In a security operation center (SOC), analysts are often categorized into four tiers, each with different roles and responsibilities. The definition of each tier varies a bit, depending on who you ask, but a generally accepted description of a Tier 1 analyst would be someone who monitors alerts from security tools, validates true positives, conducts triage, and escalates alerts to Tier 2 analysts when further investigation is required.
Many security orchestration, automation, and response (SOAR) platforms do a good job of supporting Tier 1 analysts by automating basic alert enrichment and response tasks. D3 excels at those areas too, but what sets D3 SOAR apart is its ability to support the more complex requirements of Tier 2,3, and 4 analysts. This is because of D3’s unique capabilities that go beyond immediate triage and response, including its case management features and embedded MITRE ATT&CK framework.
ATT&CK is a kill chain framework that catalogues the tactics and techniques an adversary is likely to use during a cyber attack. Unlike other kill chains, ATT&CK includes hundreds of specific techniques that are drawn from thousands of real-world incidents. With D3, analysts can extract the techniques implicated in an alert and use that information to correlate potential traces of the same attack based on what those techniques reveal about the adversary’s intentions. D3 is the first SOAR provider to build the entire MITRE ATT&CK matrix into its platform, which is especially valuable for higher-tier analysts.
In this article, we’ll describe each tier of SOC analyst and explain how D3 helps them do their jobs easily and effectively.
Tier 2 analysts receive incidents that are escalated manually by a Tier 1 analyst or automatically based on SIEM or SOAR criteria. They perform deeper analysis and investigation, determine the nature of the attack and attacker, and develop the strategy for response.
D3 is a perfect solution for Tier 2 analysts because it has the case management features to support complex investigations. These features include collaborative case files where analysts can share notes and group together related incidents, guided investigations that enforce best practices, and a visual link analysis dashboard that illuminates the connections between incidents and entities.
D3’s MITRE ATT&CK kill chain discovery feature is also invaluable for Tier 2 analysts because it helps them pinpoint who the adversary is, what their intentions are, and what the nature of the attack is—including what the adversary is likely to do next.
Tier 3 analysts generally handle proactive tasks like threat hunting, vulnerability assessments, and staying informed about the latest research and best practices in the security industry. A Tier 3 analyst might also work on the response to serious incidents when necessary.
D3 integrates threat intelligence sources to ensure Tier 3 analysts always have up-to-date information, and so their learning can be easily standardized in processes via D3’s configurable playbooks. Tier 3 analysts can also quickly implement changes across monitoring tools with D3’s orchestration capabilities.
MITRE ATT&CK discovery enables Tier 3 analysts to conduct proactive searches for undiscovered attacks, because the tool can correlate seemingly innocuous events to reveal the kill chain of an attack that would otherwise go undetected.
Tier 4 analysts aren’t so much analysts as they are managers. They oversee SOC operations, oversee other analysts, and only get involved in the response to extremely serious incidents. They also might act as the liaison to other teams, such as Compliance/Audit and senior leadership.
D3 makes Tier 4 analysts’ lives easier because it has the most robust reporting and metrics on the market. Tier 4 analysts can use D3 to generate reports on virtually any data in the system, including performance metrics like mean time to resolution, open/closed tickets for each analyst, and percentage of response times that exceed benchmarks.
These reports aren’t just useful for managing a SOC. They also make it easy to demonstrate ROI to senior leadership and assemble the data required by Compliance/Audit teams.
D3 is the Only SOAR Platform that Supports the Entire SOC
As you’ve read, D3’s deep feature set makes it uniquely capable of supporting every SOC analyst, from Tier 1 to 4. In fact, D3’s ability to perform advanced processes is so valuable that some organizations that have already invested in another SOAR platform have added D3 for escalation of alerts that their existing platform can’t handle. For this reason, D3 is able to integrate with other SOAR and IR platforms to ingest incident data, just as it would from a SIEM, firewall, or other security tool.
To learn more about D3’s SOAR platform, join our weekly 25-minute web demo and see D3 technology in action.