
What Makes D3 Playbooks Different
Incident response playbooks are needed to help enterprises respond effectively, consistently, and in line with security and compliance obligations. For many years, these playbooks were sets of manual, print-based documents. This often led to inconsistencies and the accumulation of tribal knowledge in a few select analysts’ minds. The result being that when they left the organization, all that knowledge went out the door with them.
Today, however, playbooks mean an different thing entirely. Automated incident response platforms like D3 have taken the playbook concept to another level. D3 provides users with a digital library of hundreds of playbooks based on the NIST and SANS frameworks, with the added ability to build playbooks themselves or alongside consultants. D3 playbooks can be modified, cloned, or enhanced with automation.
D3 playbooks have three characteristics that make them unique and highly effective:
- They’re Guided
D3 playbooks guide SOC analysts through remediation steps, so that an inexperienced employee can act with the precision and confidence of a seasoned IR veteran. From basic investigative steps to data-loss decisions, and even digital forensics, D3 can clearly map out the correct steps, with added tooltips, forms, and checklists. This helps address the cybersecurity skills gap, by allowing less-skilled employees to perform tasks that could previously only be done by highly experienced analysts.
- They’re Adaptable
D3 playbooks are dynamic, adapting on-the-fly to changing conditions and new intelligence to make sure that you can keep pace with fast-moving threats and complex attacks. Adaptability also helps support continuous improvement. Through D3’s drag-and-drop visual canvas, analysts can easily build or modify playbooks as needed, based on lessons learned or other organization-specific knowledge. Unlike other SOAR platforms, D3 goes beyond simple Python scripts for adding automated steps to workflows. When a user drops an automation into a playbook, D3 automatically creates all the data-capture forms and auto-configures the database so that any actions performed by that script are fully documented for reporting and compliance purposes.
- They’re End-to-End
D3 playbooks are end-to-end, meaning they cover all steps required in the SOC, plus all the steps that need to be taken by IT Security, Forensics, Corporate Security, HR, and other groups. In that sense, D3 is an enterprise-wide solution. For example, if an incident seems to involve a malicious insider, the D3 playbook extends to the HR group, outlining the interview questions that must (and those that can’t) be asked, and generating an investigation notification that, in some jurisdictions, needs to be provided to the employee under investigation. In addition, D3 can generate and assign all the tasks and data-intake forms required for taking custody of the suspect’s computer and mobile phone.
David Monahan, Research Director at EMA, recently highlighted D3’s end-to-end capabilities, saying, “D3 goes beyond other SOAR platforms by automating investigations/case management and is unique in automatically documenting all actions taken throughout the incident response lifecycle ensuring that this historical log will stand up in a court of law and address compliance concerns.”
Playbooks may be the core of D3’s incident response offering, but they’re just one aspect of what D3 can do. D3 builds on traditional incident response with orchestration, automation, case management, and more. This puts D3 at the center of the SOC, leveraging 200+ integrations to connect your incident response function to SIEM, threat intelligence platforms, ticketing systems, and other security tools for fast and cohesive security operations.
For a brief overview of how D3 saves security teams time and money, check out D3 President and Founder Gordon Benoit’s recent presentation at the SINET Showcase in Washington, DC.