By integrating D3 Smart SOAR (Security Orchestration, Automation, and Response) with Stellar Cyber Open XDR, organizations can build an incident response workflow that shortens time to containment and gives analysts the context they need to make decisions. This article outlines how the integration works and how it can be complemented by other remediation tools.
“Combining Stellar Cyber’s Open XDR capabilities with Smart SOAR’s automated response creates an end-to-end incident response environment where analyst teams can successfully manage the firehose of alerts they’re facing,” said Andrew Homer, Vice President of Strategic Alliances at Stellar Cyber.
Fetching and Managing Events and Incidents
Smart SOAR can automate the initial response steps by fetching events and incidents directly from Stellar Cyber via the API. The ‘Fetch Event’ and ‘Get Event Details’ functions within Smart SOAR retrieve raw events and the specific details of a given event. Pulling through the API, rather than waiting for an analyst to hand alerts across, is what lets the response workflow start as soon as Stellar Cyber raises the event. As with any machine-to-machine integration, the API credential Smart SOAR uses should be scoped to only the read and update operations its playbooks need.
Moreover, the ‘Fetch Incident’ and ‘Search Incidents’ API calls enable Smart SOAR to pull existing incident reports from Stellar Cyber, which can then be managed and tracked through Smart SOAR. Incidents Stellar Cyber has already correlated are therefore tracked in the same place as the cases Smart SOAR opens itself, so nothing is handled in one system without being visible in the other.
Updating and Synchronizing Data
As Smart SOAR takes action on these events and incidents, it is essential to keep the two systems consistent. The ‘Update Events’ and ‘Update Incidents’ capabilities facilitate this by allowing Smart SOAR to push status changes and updates back to Stellar Cyber. Writing status back serves two purposes: analysts working directly in Stellar Cyber see what the SOAR has already done and do not re-triage the same alert, and the next fetch cycle can distinguish events it has already acted on from genuinely new ones.
Enrichment and Remediation
Upon ingesting events from Stellar Cyber, Smart SOAR can leverage its integrations with other tools to enrich the event data. Enrichment might involve pulling threat intelligence from external databases, running vulnerability scans, or detonating a sample in a sandbox to observe its behavior in a controlled environment.
Once the event is enriched and an incident is confirmed, Smart SOAR can orchestrate remediation actions. These range from simple actions like blocking an IP address on a firewall to more disruptive responses like isolating a compromised endpoint from the network or deploying patches to vulnerable systems. Because the disruptive actions affect users and services, they should be gated on corroborating enrichment (or an analyst approval step) rather than triggered by the raw alert alone.
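The fetch, enrich, remediate and write-back steps above form one loop. The following is an added example of that loop written from scratch, not code from D3 or Stellar Cyber: the XDR API is an in-memory stand-in with made-up method names (`fetch_events`, `update_event`, `open_incident`, `update_incident`), the events and the threat-intel set are constructed sample data, and the real Stellar Cyber endpoints, field names and authentication are not modeled. It shows two details the prose leaves implicit: polling with an inclusive timestamp bound so no event sharing the last-seen timestamp is missed, with deduplication by event ID to absorb the re-delivered boundary events, and remediation gated on enrichment so a raw alert alone never isolates a host.

```python
"""Added example: a SOAR-style poll/enrich/remediate/sync loop over an XDR event feed.

Not D3 Smart SOAR or Stellar Cyber code. The XDR API below is an in-memory
stand-in with hypothetical method names; the real endpoints, field names and
authentication are not modelled.
"""
from dataclasses import dataclass, field

# Constructed local threat-intel set, standing in for a TIP lookup.
KNOWN_BAD_IPS = {"198.51.100.9"}

# Constructed sample events, shaped like what a 'Fetch Event' call might return.
SAMPLE_EVENTS = [
    {"id": "evt-1001", "ts": 100, "src_ip": "203.0.113.7", "host": "ws-17", "severity": 3},
    {"id": "evt-1002", "ts": 150, "src_ip": "198.51.100.9", "host": "ws-42", "severity": 7},
    {"id": "evt-1003", "ts": 150, "src_ip": "198.51.100.9", "host": "ws-51", "severity": 4},
]


class FakeXdrApi:
    """In-memory stand-in for the XDR side (hypothetical method names)."""

    def __init__(self, events):
        self.events = {e["id"]: dict(e, status="new") for e in events}
        self.incidents = {}
        self.update_log = []  # every write the SOAR pushed back, for auditing

    def add_event(self, event):
        self.events[event["id"]] = dict(event, status="new")

    def fetch_events(self, since_ts):
        # Inclusive lower bound: never miss an event that shares the last-seen
        # timestamp. The cost is re-delivering boundary events, which the SOAR
        # side must deduplicate by ID.
        return [dict(e) for e in self.events.values() if e["ts"] >= since_ts]

    def open_incident(self, event_id, action):
        inc_id = f"inc-{len(self.incidents) + 1}"
        self.incidents[inc_id] = {"events": [event_id], "action": action, "status": "open"}
        return inc_id

    def update_event(self, event_id, **fields):
        self.events[event_id].update(fields)
        self.update_log.append(("event", event_id, fields))

    def update_incident(self, inc_id, **fields):
        self.incidents[inc_id].update(fields)
        self.update_log.append(("incident", inc_id, fields))


@dataclass
class SoarState:
    last_ts: int = 0
    seen_ids: set = field(default_factory=set)   # dedup across polls
    actions: list = field(default_factory=list)  # (action, target), no repeats


def enrich(event):
    """Enrichment step: here only a local IOC lookup; a real playbook would also
    query a TIP, a sandbox or a vulnerability scanner."""
    return {"ioc_match": event["src_ip"] in KNOWN_BAD_IPS}


def decide(event, enrichment):
    """Remediation is gated on corroboration, not on the raw alert alone."""
    if enrichment["ioc_match"] and event["severity"] >= 7:
        return "isolate_host", event["host"]
    if enrichment["ioc_match"]:
        return "block_ip", event["src_ip"]
    return "analyst_review", None


def run_poll(api, state):
    """One poll cycle: fetch, dedup, enrich, act, and sync status back to the XDR."""
    processed = []
    batch = sorted(api.fetch_events(state.last_ts), key=lambda e: (e["ts"], e["id"]))
    for ev in batch:
        if ev["id"] in state.seen_ids:
            continue  # re-delivered boundary event from the previous poll
        state.seen_ids.add(ev["id"])
        action, target = decide(ev, enrich(ev))
        if action == "analyst_review":
            api.update_event(ev["id"], status="triaged", soar_action=action)
        else:
            if (action, target) not in state.actions:  # idempotent remediation
                state.actions.append((action, target))
            inc_id = api.open_incident(ev["id"], action)
            api.update_event(ev["id"], status="remediated", soar_action=action, incident=inc_id)
            api.update_incident(inc_id, status="contained")
        state.last_ts = max(state.last_ts, ev["ts"])
        processed.append(ev["id"])
    return processed


if __name__ == "__main__":
    api, state = FakeXdrApi(SAMPLE_EVENTS), SoarState()
    print(run_poll(api, state), state.actions)
    api.add_event({"id": "evt-1004", "ts": 150, "src_ip": "192.0.2.5", "host": "ws-60", "severity": 2})
    print(run_poll(api, state))  # only evt-1004; evt-1002/1003 are re-delivered but skipped
```

The second poll in the `__main__` block is the interesting case: a new event arrives with the same timestamp as the last one processed, the inclusive bound returns it together with the two already-handled events, and the `seen_ids` check is what prevents the host from being isolated twice or a second incident being opened for the same alert.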
Complementary Tools for a Robust Workflow
To complement the automated workflow between Smart SOAR and Stellar Cyber, organizations can integrate a variety of other security tools:
- Endpoint Detection and Response (EDR): Tools like CrowdStrike or SentinelOne can be used for further investigation and to take direct remediation actions on endpoints.
- Threat Intelligence Platforms: Integrating with platforms such as ThreatConnect or Anomali can provide deeper insights into the indicators of compromise associated with the incident.
- Network Security: Tools like Palo Alto Networks firewalls can be used to implement network-based blocks or restrictions in response to a detected threat.
- Identity and Access Management (IAM): Solutions such as Okta can be leveraged to revoke access or change authentication requirements for compromised accounts.
Closing Thoughts
The integration of D3 Smart SOAR with Stellar Cyber is a strong combination for incident response automation. By automating the ingestion, enrichment, and remediation of incidents, and by synchronizing the results back to Stellar Cyber so both systems show the same state, organizations can run an incident response process that is both efficient and consistent. Complementing this workflow with the EDR, threat intelligence, network and identity tools above gives a layered response in which each confirmed incident can be contained at the endpoint, the network edge and the identity provider at once.