The Bank’s Security Operations Challenges
In 2017, this global bank with $1.4 trillion in assets under management and over 100,000 employees concluded that its security operations were plagued by workflow gaps and analytics silos, leaving it vulnerable to security incidents and cyberattacks.
The bank could not hire, train or maintain enough SOC operators to meet the demand. Nor could it synchronize its complex security environment to automate incident response workflows or establish a holistic view of the cases and tasks assigned to the bank’s security operations center (SOC), or digital forensics, data privacy and corporate risk teams.
The cybersecurity leadership—consisting of the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and the Director of SOC—identified two overarching priorities. First, they needed to offset the SOC’s lack of resources and establish “connective tissue” among security tools through orchestration and automation. Second, they needed an incident response management framework that made case collaboration and tracking seamless, while delivering upon strict documentation and information access control requirements.
“We needed more than just SOC automation... we needed to imagine our SOC's ideal incident response workflow, involve the necessary departments, and then find the best SOAR tool for the job.”
Step One: Winning the Bank’s SOAR PoC
In a comprehensive SOAR Proof-of-Concept (PoC), four leading vendors focused on automating and orchestrating the business email compromise (BEC), endpoint malware, lost device, and loss of protected data use-cases. D3 won the bank’s SOAR PoC because of the superior value it offered in these areas:
End-to-End Security Orchestration and Automation
During its three-week SOAR PoC, the bank automated the highest number of SOC tasks and closed 30% more investigations using D3 than with the next-best solution. D3 automated aggregation/ingestion, enrichment, orchestration, incident response and kill chain tasks, scaling the impact of all tiers of SOC staff.
Advanced Threat Response with MITRE ATT&CK
D3 was the only SOAR platform to operationalize the MITRE ATT&CK framework for the bank. The bank deployed D3's kill chain playbooks in the PoC, covering 207 attacker techniques. The bank also initiated kill chain surveillance for critical IOCs and reported weekly on the adversaries and techniques encountered by the SOC.
Silo-Free Incident Response and Case Collaboration
The bank required silo-free workflows so that cases initiated by the SOC could easily be worked on by Digital Forensics, Data Privacy and Risk staff. Only D3, with powerful forensics tracking, privacy/compliance features and information access controls, could achieve the bank's full list of incident management requirements.
A Predictable SOAR Pricing Model
Unlike other SOAR vendors in the PoC, D3's pricing model was based on the number of users. The bank became frustrated when some SOAR vendors based their price on the number of automated actions or volume of data ingested. With D3, the bank realized its budget was safe from unexpected costs during a cyberattack.
Step Two: SOAR Implementation and Operation
Immediately following the PoC, D3 provided a SOAR deployment roadmap and assigned an implementation specialist with CISSP designation. On schedule and within 28 days, the bank’s SOC had a library of 20 customized playbooks, covering 95% of the incident types they encounter. For new incidents, analysts could easily pivot an existing playbook as required.
The bank’s playbooks employed a high level of enrichment and correlation, with D3 orchestrating incident response across a dozen toolsets. D3 also extended the incident response workflow into multiple departments; SOC incidents with potential insider threats, privacy violations, money laundering or ATM fraud triggered notifications and tasks for various investigators, who also use D3 to manage their cases.
The bank’s exposure to advanced attacks was also minimized through ATTACKBOT, D3’s built-in MITRE ATT&CK framework. ATTACKBOT guides analysts through the investigation process, dramatically reducing the time needed to block an attack. It allows the bank to focus on the most commonly exploited techniques and tactics, greatly reducing risk to the organization.
Finally, the security leadership recognizes it has solved the challenges it set out to address. They have established orchestration and automation within their SOC, eliminating manual coordination and enabling significant response time reductions. They have also improved the speed and quality of investigation/case management at the bank, by implementing a common system for incident response and case collaboration that serves multiple departments.
D3 SOAR integrates with CrowdStrike Falcon, giving the bank a powerful joint solution for detecting sophisticated attacks and initiating kill chain surveillance based upon the MITRE ATT&CK framework.
The bank's information and communications environment includes Symantec Endpoint Protection, Symantec Data Loss and Symantec Email Security—all of which feature a certified bi-directional integration with D3 SOAR.
D3 SOAR features a certified integration with Cisco's ThreatGrid sandbox. The integration enables seamless uploading of samples and fetching of reports for the bank. D3 can automatically convict incidents and trigger response, or present the findings to an analyst.
D3 SOAR features certified integrations with IBM QRadar and IBM X-Force. The bank can easily escalate SIEM events into D3 automatically or through manual push. D3 contextualizes events using X-Force, eliminating inefficient copy-and-pasting.
EnCase provides a digital forensics toolset for computer, network and mobile investigations. D3's integration helps manage cases and track forensic processing, SLAs, chains of custody and other critical items.
D3's integration with Nessus helps the bank automate patching, task assignment, threat hunting, and investigation/case management for both incident response and proactive use-cases.
D3 is a Microsoft Gold partner and has a strong relationship with Microsoft. The bank uses Office 365 and other Microsoft products extensively, and enjoys dramatic time-saving through integration with D3 SOAR.
2-MINUTE PHISHING PLAYBOOK:
- Ingest/parse event via phish inbox
- Upload/fetch report from sandbox
- Correlate against threat intel
- Convict true incident
- Ban the hash, enable network scan
- Quarantine affected endpoints
- Notify stakeholders
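As an added illustration (not D3's playbook engine or the bank's configuration), the following Python sketch runs the seven steps above as a convict-then-respond decision over constructed inputs; the sandbox verdict table, threat-intel feed, endpoint inventory and all function names are hypothetical.

```python
# Added example, not D3's code: a minimal phishing-playbook decision engine
# that mirrors the seven playbook steps on constructed (synthetic) data.
import re
from dataclasses import dataclass, field

MAL_SHA256 = "deadbeef" * 8                                      # constructed sample hash
SANDBOX_VERDICTS = {MAL_SHA256: "malicious"}                     # constructed sandbox results
THREAT_INTEL = {"hashes": {MAL_SHA256},                          # constructed TI feed
                "domains": {"login-update.example"}}
ENDPOINT_HASHES = {"wkst-101": {MAL_SHA256}, "wkst-102": set()}  # constructed EDR inventory

PHISH_EMAIL = """From: payroll@login-update.example
Subject: Updated payslip
Please review https://login-update.example/payslip before Friday."""  # constructed report

@dataclass
class Case:
    sender: str
    urls: list
    attachment_sha256: str
    verdict: str = "unknown"
    ti_hits: list = field(default_factory=list)
    convicted: bool = False
    actions: list = field(default_factory=list)   # audit trail of response actions

def ingest(raw: str, attachment_sha256: str) -> Case:
    """Step 1: parse the e-mail reported to the phish inbox into a case record."""
    sender = re.search(r"^From: (.+)$", raw, re.M).group(1).strip()
    urls = re.findall(r"https?://([\w.-]+)", raw)                # hostnames only
    return Case(sender=sender, urls=urls, attachment_sha256=attachment_sha256)

def run_playbook(case: Case) -> Case:
    case.verdict = SANDBOX_VERDICTS.get(case.attachment_sha256, "clean")        # step 2
    if case.attachment_sha256 in THREAT_INTEL["hashes"]:                         # step 3
        case.ti_hits.append("hash")
    case.ti_hits += [d for d in case.urls if d in THREAT_INTEL["domains"]]
    case.convicted = case.verdict == "malicious" or bool(case.ti_hits)           # step 4
    if not case.convicted:                       # benign report: close without response
        case.actions.append("close:false_positive")
        return case
    case.actions += [f"ban_hash:{case.attachment_sha256[:8]}", "network_scan"]  # step 5
    for host, hashes in ENDPOINT_HASHES.items():                                 # step 6
        if case.attachment_sha256 in hashes:
            case.actions.append(f"quarantine:{host}")
    case.actions.append("notify:stakeholders")                                   # step 7
    return case

if __name__ == "__main__":
    print(run_playbook(ingest(PHISH_EMAIL, MAL_SHA256)))
```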
“D3 HELPS ANALYSTS MAKE A GREATER INDIVIDUAL IMPACT”
According to the bank’s Director of SOC, D3 SOAR has “scaled” the impact of individual SOC analysts. “We’ve automated every lookup, correlation, task-assignment, and follow-up, allowing analysts to focus on tasks, such as threat hunting, that give our organization a better bang for its buck.”
“THE INCIDENT RESPONSE IMPROVEMENTS HAVE REDUCED THE RISK WE FACE”
According to the bank’s CSO, D3 SOAR helped the bank adopt an “automation-first mentality”. Extending automation and orchestration from the SOC to data privacy, forensics and corporate security groups, “simply would not be possible without D3’s powerful playbook engine and its data-visualization aids.”
Key Business Outcomes
- time to remediate phishing attack
- time to remediate endpoint malware
- time to complete data loss investigation
D3 is our primary global incident response, case management, and investigative platform. We use D3 SOAR across information security, corporate security, forensics, privacy and fraud.