
There are immediate benefits to simply having visual representations of your response plans. Incident response is complex. It often requires involvement from several internal groups and, by its nature, tends to be needed most during crises or other chaotic situations. Having visual playbooks helps you sidestep the “fog of war” effect, so that you can understand your processes at a glance and adapt on the fly as necessary.
Visual playbooks also create lasting value. They can be saved, shared, exported, and edited, and their graphical layout makes them easy to understand. Saving playbooks makes it easy to replicate successful responses by using them as templates. Junior analysts can use visual playbooks to learn from and leverage the experience of senior colleagues. Sharing and exporting playbooks to formats like PowerPoint is also valuable for training, documentation, and post-event review.
D3’s Visual Playbook Editor gives you all these advantages and many more. In this post we’ll take a detailed look at the features of our playbook editor that can help you plan and execute fast, conclusive, and replicable incident response.
D3’s Visual Playbook Editor doesn’t just show you your playbooks, it allows you to add, remove, and edit actions as you see fit—even during an incident response. Within the drag-and-drop visual editor, you can easily place actions anywhere within the workflow, drawing from a library of saved actions.
You can also create new actions on the fly and add them in. This gives you the agility to take on zero-day threats, respond to a change in regulations, or immediately integrate the latest threat intelligence into your plan.
For example, you may have a ransomware playbook that dictates that all affected machines be turned off. However, during a particular attack, you might learn from new threat intelligence that the ransomware strain is set to permanently delete all files if you try to turn off your machines. In this case, dynamic editing is especially valuable, because it allows you to change the playbook on the fly to make sure that the affected machines are not turned off, and to notify your team of the change.
The actions that you can add to your playbooks aren’t limited to simple manual steps. D3’s automation features can be leveraged at any point in the process from within the editor. You can add automated actions—such as lookups to DomainTools, MaxMind, VirusTotal, and other sources of contextual data—or write your own custom scripts in Java, Python, or another language. Automation can also be configured to run every time, or to wait for approvals from the analyst or manager.
Another great feature of the Visual Playbook Editor is how it can be configured to react intelligently to changing situations. D3’s editor gives you the ability to add a Wait State, which delays triggering an action until specific pre-conditions have been met. Pre-conditions might include the gathering of contextual data or reaching a certain response phase. For example, a notification could be sent to non-security teams when the response moves from the Containment phase to the Post-Event Reporting phase.
Based on your criteria weighting, D3 can determine a risk score for actions in the workflow. That score can also be used as a threshold to determine further actions or non-actions.
As we’ve described, the Visual Playbook Editor is a valuable tool for any incident response team that wants to be better prepared for a crisis, but also able to adapt on the fly as situations develop. That said, it’s just one of the tools we offer. D3 delivers full-lifecycle incident response solutions. That means, unlike other vendors in the space, we offer automation and orchestration, case management, and incident response, all in one centralized platform.
100+ of the Fortune 500 already use D3 to mitigate threats against their business. To find out more, schedule a demo today.