How MITRE ATT&CK Enhances Gartner’s Value Categories of SOAR Solutions

Toward the end of 2018, Gartner published its Emerging Technology Analysis of SOAR solutions (Ahm, December 7, 2018). In this piece, the author laid out three “value categories” for SOAR that represent the different varieties of value of which all SOAR solutions offer some combination.

In the year since this analysis was published, we have reimagined our SOAR platform to leverage the MITRE ATT&CK framework. In this article we’ll revisit those value categories from Gartner’s analysis, the key technology features that Gartner says support the value, and explore how our integration of MITRE ATT&CK enhances our offering in each category.


Value Category 1: Enhance SIEM Management

Gartner’s analysis says the key technology features supporting this value are:

  • Simplified (or abstracted) scripting, allowing for customer-side automation of SIEM functions
  • Enrichment of SIEM events, making them easier to investigate or close

ATT&CK turns the deluge of data that a SIEM generates into defined TTPs, making it one of the most effective model for making sense out of SIEM events. However, without the right tools, correlating SIEM events against ATT&CK is extremely labor-intensive.

With D3, you can automate the correlation process, and enrich every SIEM event with all its potential ATT&CK TTPs. D3 places these enriched SIEM events in the context of a larger kill chain based on ATT&CK, and enriches them further by correlating IOCs (also known as artifacts) against other events to find more related TTPs. To find these additional correlations, D3 can run automated queries back into the SIEM to pull historical data. Orchestrating these processes with D3 makes the bulk of the investigation automatic, and the data it uncovers makes SIEM events much easier to close.


Value Category 2: Create a Better Investigation Platform

Gartner’s analysis says the key technology features supporting this value are:

  • System intelligence beyond the created playbooks that aid in better incident investigation and management
  • The ability to relate incidents across very wide data sources, including non-SIEM data sources
  • The ability to provide a decision support system that helps with critical items

ATT&CK can be used to provide the broad intelligence and decision support that Gartner is pointing to in a few ways. ATT&CK’s criteria for defining techniques bring MITRE’s deep knowledgebase of attack intelligence into your investigations. With the right tools in place, you can use the ATT&CK framework to form conclusions based on event data from across disparate sources, such as a SIEM, endpoint protection system, and email protection system. The kill chain structure of ATT&CK can be leveraged for decision support because of how it can indicate what the attacker might do next.

D3 SOAR makes it easy to implement all these benefits of ATT&CK into your security operations. D3 automatically correlates events against ATT&CK TTPs, which brings that broad intelligence onto your dashboard with no manual work required. D3 also orchestrates across broad data sources to pull the data needed to fill in gaps in the analysis of the events, such as further indications of related attack techniques. All this data is laid out in the ATT&CK matrix, which gives analysts a kill chain view of the larger incident, with which to make informed decisions.


Value Category 3: Optimize the Security Team and Program Management

Gartner’s analysis says the key technology features supporting this value are:

  • Manager dashboard on key team operations and programwide metrics
  • Use of machine learning or other automated analysis methods on the operations that can highlight systemic, process or people problems that would lead to program betterment

Using ATT&CK to categorize events is an effective, standardized way to assess SOC performance and identify blind spots. Because ATT&CK’s tactics represent the stages of an incident, you can use high levels of certain techniques to assess root causes in your security. For example, if you are detecting many cases of lateral movement, there are likely some weaknesses around earlier stages like initial access or execution.

D3 supports this value with its Monitor dashboard, an overview of all events coming into D3, automatically mapped across the ATT&CK matrix. Security managers can use this dashboard to assess company-wide threats and performance. By categorizing the TTPs of every event, you can see what is successfully being prevented, what is not being addressed, and where the obvious steps for improvement are.

 To learn more about how D3 has integrated MITRE into its SOAR platform to provide even more value to clients, check out our new product guide.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.