orchestration and automation case study

Bank Reduces Incident Response Time by 97.8% with D3 SOAR


Minutes saved for every data loss investigation.

The Bank’s Security Operations Challenges

In 2017, this global bank with $1.4 trillion in assets under management and over 100,000 employees concluded that its security operations were plagued by workflow gaps and analytics silos, leaving it vulnerable to security incidents and cyberattacks.

The bank could not hire, train or maintain enough SOC operators to meet the demand. Nor could it synchronize its complex security environment to automate incident response workflows or establish a holistic view of the cases and tasks assigned to the bank’s security operations center (SOC), or digital forensics, data privacy and corporate risk teams.

The cybersecurity leadership—consisting of the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and the Director of SOC—identified two overarching priorities. First, they needed to offset the SOC’s lack of resources and establish “connective tissue” among security tools through orchestration and automation. Second, they needed an incident response management framework that made case collaboration and tracking seamless, while delivering upon strict documentation and information access control requirements.

We needed more than just SOC automation...we needed to imagine our SOC's ideal incident response workflow, involve the necessary departments, and then find the best SOAR tool for the job.

Chief Security Officer (CSO), Global Bank

Step One: Winning the Bank’s SOAR PoC

In a comprehensive SOAR Proof-of-Concept (PoC), four leading vendors focused on automating and orchestrating the business email compromise (BEC), endpoint malware, lost device, and loss of protected data use-cases. D3 won the bank’s SOAR PoC because of the superior value it offered in these areas:

  • End-to-End Security Orchestration and Automation

    During its three-week SOAR PoC, the bank automated the highest number of SOC tasks and closed 30% more investigations using D3 than with the next-best solution. D3 automated aggregation/ingestion, enrichment, orchestration, incident response and kill chain tasks, scaling the impact of all tiers of SOC staff.

  • Advanced Threat Response with MITRE ATT&CK

    D3 was the only SOAR platform to operationalize the MITRE ATT&CK framework for the bank. The bank deployed D3's kill chain playbooks in the PoC, covering 207 attacker techniques. The bank also initiated kill chain surveillance for critical IOCs and reported weekly on the adversaries and techniques encountered by the SOC.

  • Silo-Free Incident Response and Case Collaboration

    The bank required silo-free workflows so that cases initiated by the SOC could easily be worked on by Digital Forensics, Data Privacy and Risk staff. Only D3, with powerful forensics tracking, privacy/compliance features and information access controls, could achieve the bank's full list of incident management requirements.

  • A Predictable SOAR Pricing Model

    Unlike other SOAR vendors in the PoC, D3's pricing model was based on the number of users. The bank became frustrated when some SOAR vendors based their price on the number of automated actions or volume of data ingested. With D3, the bank realized its budget was safe from unexpected costs during a cyberattack.

Step Two: SOAR Implementation and Operation

Immediately following the PoC, D3 provided a SOAR deployment roadmap and assigned an implementation specialist with CISSP designation. On schedule and within 28 days, the bank’s SOC had a library of 20 customized playbooks, covering 95% of the incident types they encounter. For new incidents, analysts could easily pivot an existing playbook as required.

The bank’s playbooks employed a high level of enrichment and correlation, with D3 orchestrating incident response across a dozen toolsets. D3 also extended the incident response workflow into multiple departments; SOC incidents with potential insider threats, privacy violations, money laundering or ATM fraud triggered notifications and tasks for various investigators, who also use D3 to manage their cases.

The bank’s exposure to advanced attacks was also minimized through ATTACKBOT, D3’s built-in MITRE ATT&CK framework. ATTACKBOT guides analysts through the investigation process, dramatically reducing the time needed to block an attack. It allows the bank to focus on the most commonly exploited techniques and tactics, greatly reducing risk to the organization.

Finally, the security leadership recognizes it has solved the challenges it set out to address. They have established orchestration and automation within their SOC, eliminating manual coordination and enabling significant response time reductions. They have also improved the speed and quality of investigation/case management at the bank, by implementing a common system for incident response and case collaboration that serves multiple departments.


  • Ingest/parse event via phish inbox
  • Upload/fetch report from sandbox
  • Correlate against threat intel
  • Convict true incident
  • Ban the hash, enable network scan
  • Quarantine affected endpoints
  • Notify stakeholders


According to the bank’s Director of SOC, D3 SOAR has “scaled” the impact of individual SOC analysts. “We’ve automated every lookup, correlation, task-assignment, and follow-up, allowing analysts to focus on tasks, such as threat hunting, that give our organization a better bang for its buck.”


According to the bank’s CSO, D3 SOAR helped the bank adopt an “automation-first mentality”. Extending automation and orchestration from the SOC to data privacy, forensics and corporate security groups, “simply would not be possible without D3’s powerful playbook engine and its data-visualization aids.”

Key Business Outcomes


minutes saved

time to remediate phishing attack

Before D3 28 mins
After D3 2 mins

minutes saved

time to remediate endpoint malware

Before D3 16 mins
After D3 1 mins

minutes saved

time to complete data loss investigation

Before D3 1440 mins
After D3 30 mins

D3 is our primary global incident response, case management, and investigative platform. We use D3 SOAR across information security, corporate security, forensics, privacy and fraud.

Chief Security Officer (CSO), Global Bank