How to Turn the Lessons of Elite SpecOps into Elite SecOps

We recently published a new whitepaper titled How the Principles of the Navy SEALs Can Improve Your Use of SOAR, which you can download here. In the whitepaper, we break down four components of the ethos that allows the Navy SEALs to achieve their goals at a level that is virtually unmatched by any other group. Then, we investigate how those principles could be applied to security operations through SOAR, enabling security teams to function closer to the level of the SEALs.

In this blog post, we’ll look at those same principles from a different perspective. Specifically, we’ll go more in-depth on how the technology of D3 NextGen SOAR enables the implementation of the SEALs’ principles—and what makes our technology different from most of the other SOAR tools on the market.


Principle #1: Discipline and Innovation

What it means to the SEALs: Standardizing all routine tasks in order to free up capacity for on-the-fly decision-making when necessary.

What it means in SOAR: Automation-powered playbooks that standardize common procedures, but still have the space for human analysts to apply their creativity and analytic skills at key points.

How D3 NextGen SOAR does it: Standardizing routine tasks is table stakes for a SOAR tool, but D3 makes it easy to build, test, and edit playbooks from a single-screen, codeless playbook editor. Making the playbook building process seamless means that D3 users actually have the time to codify their SOPs in playbooks, instead of relying on out-of-the-box options.

D3 also supports workflow complexity at a level that is not matched by most competitors. D3 playbooks support looping, parallel tasks, and, most importantly for implementing this principle, dynamic interaction tasks. This enables users to make manual inputs during an automation-driven playbook. This is not supported in all SOAR platforms, especially in tools that are designed as automation engines, not full incident response orchestration solutions.

D3 strikes the right balance between giving the user paths they can follow and affording them maximum agility. For a great example of the innovation that an expert operator can bring to D3 NextGen SOAR, read our 10X Case Study.


Principle #2: Prioritize and Execute

What it means to the SEALs: Assessing information, determining the most important objectives, and communicating priorities across the team.

What it means in SOAR: Alert queueing, risk scoring, threat intelligence integrations, and collaboration features.

How D3 NextGen SOAR does it: D3 enriches incoming alerts with threat intelligence and data from past incidents to generate risk scores and place alerts in a prioritized queue for analysts. The parameters for the queue can be customized, based on criteria like the involvement of a critical asset in the alert.
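To make the enrich-score-queue flow concrete, here is an added example of the same idea in plain Python. It is not D3's code and does not use the D3 API; the threat-intel feed, incident history, critical-asset list, weights and alerts are all constructed stand-ins, and the scoring weights are one arbitrary choice meant to show how a queue can be tuned around criteria such as a critical asset being involved.

```python
"""Added example (not D3's code): enrich alerts, score risk, build a prioritized queue.

Every data source below is constructed for the example. In a real SOAR these would be
threat-intel integrations, the incident database and an asset inventory.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> confidence (0-100) and tags.
THREAT_INTEL = {
    "198.51.100.23": {"confidence": 90, "tags": ["c2"]},
    "203.0.113.7": {"confidence": 40, "tags": ["scanner"]},
}
# Constructed incident history: how many confirmed past incidents involved the indicator.
PAST_INCIDENTS = {"198.51.100.23": 2, "203.0.113.7": 0}
# Constructed asset inventory: hosts whose involvement should raise priority.
CRITICAL_ASSETS = {"db-prod-01", "dc-01"}

SEVERITY_BASE = {"low": 10, "medium": 30, "high": 60, "critical": 80}

# Tunable queue parameters (hypothetical values, the analogue of D3's customizable criteria).
DEFAULT_WEIGHTS = {
    "ti_confidence": 0.3,       # points per point of threat-intel confidence
    "per_past_incident": 10,    # points per prior confirmed incident on the indicator
    "past_incident_cap": 3,     # stop counting history beyond this many incidents
    "critical_asset": 40,       # flat bonus when a critical asset is involved
}


@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str
    severity: str
    enrichment: dict = field(default_factory=dict)
    risk_score: int = 0


def enrich(alert, intel=THREAT_INTEL, history=PAST_INCIDENTS, critical=CRITICAL_ASSETS):
    """Attach threat-intel, incident-history and asset context to the alert."""
    ti = intel.get(alert.indicator, {})
    alert.enrichment = {
        "ti_confidence": ti.get("confidence", 0),
        "ti_tags": ti.get("tags", []),
        "past_incidents": history.get(alert.indicator, 0),
        "critical_asset": alert.host in critical,
    }
    return alert


def score(alert, weights=DEFAULT_WEIGHTS):
    """Combine severity and enrichment into a 0-100 risk score."""
    e = alert.enrichment
    total = SEVERITY_BASE.get(alert.severity, 10)
    total += e.get("ti_confidence", 0) * weights["ti_confidence"]
    hist = min(e.get("past_incidents", 0), weights["past_incident_cap"])
    total += hist * weights["per_past_incident"]
    if e.get("critical_asset"):
        total += weights["critical_asset"]
    alert.risk_score = min(100, int(total))
    return alert.risk_score


def prioritize(alerts, weights=DEFAULT_WEIGHTS):
    """Enrich and score every alert, then return them highest risk first."""
    for a in alerts:
        enrich(a)
        score(a, weights)
    # Tie-break on alert_id so the queue order is deterministic.
    return sorted(alerts, key=lambda a: (-a.risk_score, a.alert_id))


def sample_alerts():
    """Constructed alerts for the example."""
    return [
        Alert("A1", "db-prod-01", "198.51.100.23", "medium"),
        Alert("A2", "ws-042", "203.0.113.7", "high"),
        Alert("A3", "ws-077", "192.0.2.55", "low"),
        Alert("A4", "dc-01", "192.0.2.99", "low"),
    ]


if __name__ == "__main__":
    for a in prioritize(sample_alerts()):
        print(a.alert_id, a.risk_score, a.host, a.enrichment)
```

Note how the medium-severity alert A1 ends up at the top of the queue: a high-confidence indicator with prior incidents on a critical asset outranks a high-severity alert with weak context. That is the point of enrichment-driven scoring over raw severity, and changing the weights dictionary is all it takes to re-tune the queue.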

Importantly, D3’s status as the leading independent SOAR vendor enables it to maintain vendor-agnostic integrations, including with threat intelligence sources. Instead of getting locked in with a single vendor, D3 users get aggregated threat intelligence from as many sources as they choose to integrate with.

You can’t execute on your priorities without communication, so D3 has a ton of collaboration features. These include automated notifications to stakeholders built into playbooks, bidirectional integrations with ticketing tools, detailed reporting capabilities, and space for investigators to collaborate on complex incidents and cases.

For an example of how D3 works with threat intelligence providers, check out our ZeroFOX Integration Guide.


Principle #3: Plan for the Maximum Number of Scenarios

What it means to the SEALs: Precise planning with as many contingencies as possible. Using practice runs to test plans and eliminate variables.

What it means in SOAR: A robust playbook library, a broad set of integrations, and playbook testing and editing.

How D3 NextGen SOAR does it: Implementing this principle starts with an out-of-the-box library of playbooks that can adapt to changing information during the workflow. However, this isn’t sufficient unless the tool includes an efficient way to build and test new playbooks. That’s why D3 has a fully codeless playbook editor, so users can build workflows without needing to write their own Python scripts. And where other tools will have you switching between screens to test playbooks and troubleshoot errors, D3 can do it all from the playbook editor.

We previously mentioned D3’s vendor-agnostic integrations, which are also important for implementing this principle. D3 can maintain fully featured and up-to-date integrations with tools made by any vendor, and the REST API agent makes it easy to build those integrations into playbooks. This allows teams to plan for the maximum number of scenarios, because they have the most possible options for integration.

D3 also takes planning to the next level by integrating with AttackIQ to automate simulations of specific attack types. You can read more about that in our AttackIQ Integration Guide.


Principle #4: Default: Aggressive

What it means to the SEALs: Proactively pursuing opportunities to complete the mission without needing top-down approval for every decision.

What it means in SOAR: Taking a proactive stance through threat hunting and assessment of the most likely attack types.

How D3 NextGen SOAR does it: D3 enables you to orchestrate threat hunting across your entire environment, via hundreds of integrations. Threat hunting playbooks can be automated and scheduled, or triggered ad hoc to search for the indicators of attack (IOAs) detected in an event. IOAs and TTPs can also be placed under ongoing surveillance, so you’re automatically alerted when they’re implicated in an event.

D3’s MITRE ATT&CK Monitor Dashboard also supports proactive security operations by showing you the number of times each ATT&CK technique has been detected. This allows you to anticipate trends, identify root causes, and pre-emptively allocate resources.
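As an added illustration of the two capabilities above, IOA/TTP surveillance and per-technique detection counts, here is a small Python watchlist monitor over constructed detection events. It is not D3's code or its dashboard; the events, hosts and watched indicators are made up for the example, while the ATT&CK technique IDs used (T1003, T1059, T1078, T1566) are real technique identifiers.

```python
"""Added example (not D3's code): watch IOAs/TTPs across events and count ATT&CK techniques.

The events below are constructed for the example; only the ATT&CK IDs are real.
"""
from collections import Counter

# Constructed detection events, each tagged with the ATT&CK technique that fired.
EVENTS = [
    {"event_id": "e1", "host": "ws-042", "technique": "T1566", "indicators": ["invoice.zip", "203.0.113.7"]},
    {"event_id": "e2", "host": "ws-042", "technique": "T1059", "indicators": ["203.0.113.7"]},
    {"event_id": "e3", "host": "db-prod-01", "technique": "T1078", "indicators": ["svc_backup"]},
    {"event_id": "e4", "host": "dc-01", "technique": "T1003", "indicators": ["198.51.100.23"]},
    {"event_id": "e5", "host": "ws-077", "technique": "T1059", "indicators": []},
]

# Constructed watchlist: indicators of attack and techniques placed under ongoing surveillance.
WATCHED_IOAS = {"198.51.100.23"}
WATCHED_TECHNIQUES = {"T1003"}


def watchlist_hits(events, watched_ioas=WATCHED_IOAS, watched_techniques=WATCHED_TECHNIQUES):
    """Return one entry per event that touches a watched IOA or technique, with the reasons.

    This is the 'alert me when a watched item is implicated in an event' behaviour.
    """
    hits = []
    for ev in events:
        reasons = [f"ioa:{i}" for i in ev["indicators"] if i in watched_ioas]
        if ev["technique"] in watched_techniques:
            reasons.append(f"technique:{ev['technique']}")
        if reasons:
            hits.append({"event_id": ev["event_id"], "host": ev["host"], "reasons": reasons})
    return hits


def technique_counts(events):
    """Count detections per ATT&CK technique, most frequent first (ties by technique ID)."""
    counts = Counter(ev["technique"] for ev in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def hosts_by_technique(events, technique):
    """Which hosts a given technique has been seen on; useful for root-cause follow-up."""
    return sorted({ev["host"] for ev in events if ev["technique"] == technique})


if __name__ == "__main__":
    for hit in watchlist_hits(EVENTS):
        print("WATCHLIST HIT", hit)
    for technique, n in technique_counts(EVENTS):
        print(f"{technique}: {n} detection(s) on {hosts_by_technique(EVENTS, technique)}")
```

Fed from a real event stream, `technique_counts` is the data behind a technique-frequency dashboard and `watchlist_hits` is the trigger for an automated notification or hunting playbook; the example keeps both as pure functions so they can be scheduled or run ad hoc against any batch of events.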

Read our TTP-Based Threat Hunting solution guide for more detail on how D3 NextGen SOAR uniquely combines MITRE ATT&CK, threat hunting, and security orchestration.


Read the Whitepaper and Put the Principles of the Navy SEALs into Action

For more on how to turn the principles of SpecOps into effective SecOps, read our new whitepaper, How the Principles of the Navy SEALs Can Improve Your Use of SOAR. In the paper, we describe each Navy SEAL principle in more detail, as well as the strategies for implementation.

Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.