
We Implemented Smart SOAR at a Giant MDR Provider. Here’s What We Learned

One of D3’s biggest recent implementations was our SOAR deployment at a global MDR vendor with thousands of customers worldwide. We even wrote a case study about it, highlighting how this MDR provider needed to upgrade its SOAR platform to keep pace with its growth and advanced technical requirements. D3’s Smart SOAR now powers a critical piece of its MDR and managed XDR service offerings, supporting thousands of customers around the world.

It was a special win for us: we fulfilled 100% of their requirements (and eventually won the contract) following a proof of concept (POC) process that assessed SOAR vendors on more than 30 different criteria, including:

    • Ease of Use: Can the analyst triage kill-chain investigations in SOAR with minimal training?
    • Ease of customization (playbook/automation): Can a non-technical analyst successfully create their own SOAR playbook?
    • Integration Troubleshooting: Intentionally introducing an error in the integration logic to see how it affects the system’s performance and its ability to monitor such errors.
    • Playbook Troubleshooting: Ability to test and debug playbooks before going live.
    • API Integrations: Ability to pull incidents, query with filters, etc.
    • MITRE ATT&CK categorization: Compare MITRE ATT&CK categorization with incident root cause.
    • Incident grouping: Group incidents based on common characteristics like connections, files, machines, and processes.
    • Track SOC Metrics: TTT (Time to Triage), TTR (Time to Remediation), TTE (Time to Escalate), etc.

These aren’t just checkboxes that D3’s Smart SOAR ticked, but areas where it proved its superiority against other SOAR tools. By the end of the POC, it was clear that only D3 met the hyper-scalability needs of the MDR provider. During implementation, D3 addressed the problems that had led the MDR provider to replace its previous SOAR vendor: performance issues at scale, data ingestion failures, lack of multi-tenancy, and minimal vendor support. Post-implementation, the MDR provider launched a managed XDR service using Smart SOAR and began using D3’s auto-onboarding system for new customers. The MDR provider also uses D3’s embedded MITRE ATT&CK matrix in its services.

We recently caught up with two of our D3 colleagues who were closely involved in the project, Senior Product Manager Brian Tse and Senior Cyber Security System Engineer Hong He, to walk us through the process of implementing SOAR at the MDR provider, and the key learnings from the project. Here’s what they had to say: 

Multi-Tenancy Is a Critical Capability for MDRs

The MDR had over a thousand clients spread across three regions: North America (Canada, US), EMEA (Europe, Middle East, and Africa), and APAC (Asia-Pacific). Their previous SOAR tool could not segregate customer data and operations, so it was feeding all their data into a single instance on one dashboard. As you can imagine, this wasn’t a very scalable solution.

“Existing issues with their current architecture and infrastructure were a big reason why they moved,” says Hong He. The MDR needed a multi-tenant environment to be compliant with certain regional data protection laws. For example, in Europe, they needed to be GDPR compliant, “so we set up our infrastructure in a way that had a dedicated European hosting server,” Hong adds. “We actually segregate data based on each client, so that it’s easier to manage.”

Smart SOAR can be configured to run on public cloud services, with virtual machines running the databases (SQL Server, MongoDB) and the web server, and the application services packaged as Docker containers orchestrated by Kubernetes. For the cloud-native, these two open-source tools need no introduction. For the tech-adjacent, Docker packages an application and its dependencies into a container, an isolated process that shares the host’s kernel rather than a full virtual machine, while Kubernetes schedules, scales, and manages those containers across a cluster of machines, making it easier to deploy and operate applications at scale.


Performance and Scalability are Mission-Critical for MDRs. Dumb SOAR Doesn’t Measure Up.

With all the customer data flowing into a single instance, the MDR’s “Dumb” SOAR tool had serious performance issues. It was so slow that it was hampering their service level agreement (SLA) commitments to clients.

“The client mentioned to us that a single query would take 30 minutes,” says Hong, which was a major source of frustration for the MDR’s SOC team. “We were able to bring it down to a few seconds. Even the most complex queries would take about two or three minutes at most.”

“There were a million things that didn’t work properly. The system would crash often. They had too much data, so it would be very hard for them to query it,” says Brian. “It would be hard for them to pull any information for reporting purposes because it would crash when they tried to query it.”


Smart SOAR’s Kubernetes-driven architecture enabled the MDR to be more flexible and scalable. “Kubernetes really helped scale the number of services that we could provide. We can scale up and down the number of resources that D3 requires to run, like certain integrations or commands in the background,” Brian says.

Client Onboarding at Scale Is a Pain. MDRs Love That We Can Automate It.

Prior to the implementation, the MDR was manually onboarding new customers into their SOAR tool. This was a burdensome task that their analysts were delighted to automate. It wasn’t feasible for them to spend upwards of 10 minutes setting up each one of their thousands of customers.

“We inspected their current workflow and decided how we can actually retrieve that onboarding data from Zendesk (their ticketing system),” says Brian.

An onboarding ticket might say something like: “Customer A is joining MDR on March 15th”, and the MDR would need to start the service on this date. “So we would extract all this information out and then using D3’s event playbook and our multi-tenant system, we were able to feed it through D3’s Event Pipeline event playbook. From there we would be able to automatically create all the customer details or environments, their data ingestion schedule, and so on,” says Brian. For the MDR provider, the only manual step is to schedule data ingestion from the customer’s tools. The whole process takes about 10 clicks of the mouse and can be accomplished in a few minutes.
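As an added illustration (this is not D3’s code, nor the MDR’s actual playbook), the Python sketch below shows the shape of the pipeline described in this section and in the multi-tenancy section above: a constructed Zendesk-style onboarding ticket is parsed, the customer’s hosting region is derived from its country so that European tenants land on the European host, and a provisioning record with a per-tenant storage partition and a staggered default ingestion schedule is produced. The ticket template (the page’s “Customer A is joining MDR on March 15th” extended with a country code and year), the `HOSTING_REGIONS` table, and the `Tenant` and `TenantRegistry` types are assumptions made for the example.

```python
"""Added example, not D3 Security's code: onboarding tickets -> tenant records."""
import re
import zlib
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Assumed country -> hosting-region table (illustrative, not the MDR's real list).
# EMEA tenants are provisioned on the European host so their data stays inside
# the GDPR boundary; a country with no entry is rejected, never defaulted.
HOSTING_REGIONS = {
    "NA": {"CA", "US"},
    "EMEA": {"DE", "FR", "GB", "IE", "NL", "AE", "ZA"},
    "APAC": {"AU", "IN", "JP", "SG"},
}

# Constructed ticket template: "Customer <name> (<ISO country>) is joining MDR on March 15th, 2025"
TICKET_RE = re.compile(
    r"Customer\s+(?P<name>.+?)\s+\((?P<country>[A-Z]{2})\)\s+is joining MDR on\s+"
    r"(?P<month>[A-Za-z]+)\s+(?P<day>\d{1,2})(?:st|nd|rd|th)?,?\s+(?P<year>\d{4})",
    re.IGNORECASE,
)


class OnboardingError(ValueError):
    """Ticket could not be turned into a tenant; send it back for human review."""


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    name: str
    country: str
    region: str
    start: date
    partition: str    # every record for this tenant is stored under this key only
    ingest_cron: str  # default polling cadence; an operator can still override it


def region_for(country: str) -> str:
    for region, countries in HOSTING_REGIONS.items():
        if country in countries:
            return region
    raise OnboardingError(f"no hosting region configured for country {country!r}")


def tenant_id_for(name: str) -> str:
    slug = re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")
    if not slug:
        raise OnboardingError("customer name yields an empty tenant id")
    return slug


def parse_ticket(text: str, today: Optional[date] = None) -> Tenant:
    today = today or date.today()
    m = TICKET_RE.search(text)
    if not m:
        raise OnboardingError("ticket does not match the onboarding template")
    try:
        start = datetime.strptime(f"{m['month']} {m['day']} {m['year']}", "%B %d %Y").date()
    except ValueError as exc:
        raise OnboardingError(f"unparseable start date: {exc}") from None
    if start < today:
        raise OnboardingError(f"start date {start} is already past; ticket needs review")
    country = m["country"].upper()
    region = region_for(country)
    tenant_id = tenant_id_for(m["name"])
    # Stable per-tenant offset so thousands of tenants do not all poll their
    # source tools at the same minute.
    offset = zlib.crc32(tenant_id.encode()) % 5
    return Tenant(
        tenant_id=tenant_id, name=m["name"].strip(), country=country, region=region,
        start=start, partition=f"{region}/{tenant_id}", ingest_cron=f"{offset}-59/5 * * * *",
    )


class TenantRegistry:
    """In-memory stand-in for the multi-tenant environment store."""

    def __init__(self) -> None:
        self._tenants: dict = {}

    def provision(self, tenant: Tenant) -> Tenant:
        existing = self._tenants.get(tenant.tenant_id)
        if existing is not None:
            if existing == tenant:
                return existing  # duplicate ticket: idempotent, no second environment
            raise OnboardingError(f"tenant {tenant.tenant_id!r} already exists with different details")
        self._tenants[tenant.tenant_id] = tenant
        return tenant

    def get(self, tenant_id: str) -> Optional[Tenant]:
        return self._tenants.get(tenant_id)

    def tenants_in_region(self, region: str) -> list:
        return [t for t in self._tenants.values() if t.region == region]


def onboard(tickets, today: Optional[date] = None):
    """Run a batch of tickets through the pipeline; returns (registry, rejected)."""
    registry, rejected = TenantRegistry(), []
    for text in tickets:
        try:
            registry.provision(parse_ticket(text, today))
        except OnboardingError as exc:
            rejected.append((text, str(exc)))
    return registry, rejected


if __name__ == "__main__":
    reg, bad = onboard([
        "Customer Acme Corp (DE) is joining MDR on March 15th, 2099",   # constructed
        "Customer Unknown Co (XX) is joining MDR on April 1st, 2099",   # constructed
    ])
    print([t.partition for t in reg.tenants_in_region("EMEA")], bad)
```

Two of the checks above are the ones worth keeping in any real version: a ticket whose country has no configured hosting region is rejected rather than defaulted, and a start date already in the past goes back for review rather than being silently onboarded, since the first mistake puts a tenant’s data in the wrong jurisdiction and the second leaves a contracted customer unmonitored. Re-running the same ticket is idempotent, so a duplicated Zendesk event cannot create a second environment for the same customer.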

MDRs and MSSPs: Move On From Your Dumb SOAR Tools

Smart SOAR proved its superiority against other SOAR tools in the POC when it came to fulfilling various requirements, including ease of use, integration troubleshooting, playbook troubleshooting, incident grouping, role-based access control (RBAC) configuration, and more. Moreover, it fixed the MDR’s issues that stemmed from their previous SOAR tool, such as performance issues, data ingestion failures, lack of multi-tenancy, and minimal support. Smart SOAR segregated data per client, enabling the MDR to comply with regional data protection laws. Furthermore, Smart SOAR’s Kubernetes-driven architecture enabled the MDR to be more flexible and hyperscalable.

With D3, the possibilities for MDRs and MSSPs of all sizes are endless. Don’t settle for a “Dumb” SOAR tool when you can have the scalability and flexibility of Smart SOAR. Sign up for a demo to see the difference it can make in your security operations.
