Assessing potential phishing incidents is one of the most essential SOAR use cases, for two important reasons: (1) most major breaches still begin with social engineering, and (2) large organizations deal with a very high volume of genuine or suspected phishing attempts. The conventional steps for investigating phishing are overly manual, slowing down the process and wasting analysts' time on false positives. This inefficiency largely stems from switching between different tools and having to manually copy and aggregate data between them.
Using D3’s integration with Lastline, when a phishing attempt is escalated to D3, an analyst can trigger an automated phishing playbook in D3 that parses out the elements of the email, including the potentially malicious attached file or linked URL. The file or URL is then submitted to Lastline’s Deep Content Inspection environment for analysis and detonation. If the email is confirmed as a genuine malicious incident, D3 can then orchestrate the appropriate actions across the security environment.
D3’s integration with Lastline reduces the required manual steps to just a few clicks, enabling you to efficiently assess every potential phishing incident. Lastline’s advanced malware analysis can interact directly with malware and detect evasion techniques, making it especially effective against sophisticated attacks. Integrating with Lastline Detonator enables safe detonation of files and URLs, with analysis that feeds directly back into the D3 workflow. Using D3 to orchestrate the analysis also allows you to automatically update network and firewall rules based on the result of the investigation.
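The first step of the playbook described above, parsing the escalated email into the artifacts a sandbox can detonate, looks roughly like the following. This is an added illustration written for this page, not D3 or Lastline code: the sample message is constructed, the attachment body is fake, and the submission records are a generic shape rather than any vendor's API.

```python
"""Parse a suspected phishing email into detonation candidates.

Added example, not D3 or Lastline code. The email below is constructed;
the attachment is a fake PDF header, not real malware.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Matches http(s) URLs in plain-text or HTML bodies; stops at whitespace and quote/angle chars.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

ATTACHMENT_BODY = b"%PDF-1.4 fake attachment body"  # constructed, harmless bytes


def build_sample_email() -> bytes:
    """Construct a multipart message with a lure link and one attachment."""
    msg = EmailMessage()
    msg["From"] = "payroll@example-invoices.test"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Updated payroll form - action required"
    msg.set_content(
        "Please review the attached form and confirm your details at\n"
        "http://login.example-invoices.test/verify?id=123\n"
        "Thanks,\nPayroll"
    )
    msg.add_attachment(
        ATTACHMENT_BODY, maintype="application", subtype="pdf",
        filename="payroll_form.pdf",
    )
    return msg.as_bytes()


def parse_phishing_email(raw: bytes) -> dict:
    """Walk every MIME part: hash attachments, pull URLs out of text bodies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = set()
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""  # base64 is undone here
            attachments.append({
                "filename": part.get_filename(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "from": msg["From"],
        "subject": msg["Subject"],
        "urls": sorted(urls),
        "attachments": attachments,
    }


def build_submissions(parsed: dict) -> list:
    """Turn parsed artifacts into a generic sandbox submission list.

    Attachments are deduplicated by SHA-256 so one file reused across several
    parts is detonated once; URLs are already unique from the parser.
    """
    submissions = []
    seen_hashes = set()
    for att in parsed["attachments"]:
        if att["sha256"] in seen_hashes:
            continue
        seen_hashes.add(att["sha256"])
        submissions.append({"type": "file", "sha256": att["sha256"],
                            "filename": att["filename"]})
    for url in parsed["urls"]:
        submissions.append({"type": "url", "value": url})
    return submissions


if __name__ == "__main__":
    parsed = parse_phishing_email(build_sample_email())
    for sub in build_submissions(parsed):
        print(sub)
```

Hashing before submission matters in practice: a playbook can check the hash against prior verdicts and skip re-detonating an attachment the sandbox has already seen.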
When a security alert is generated by a SIEM, firewall, endpoint protection system, or any other security tool, it requires prompt investigation. However, large organizations regularly face thousands of alerts every day, making it impossible to investigate even half of them. Security teams need fast and accurate ways of separating genuine threats from false positives without requiring a lot of manual work.
D3 NextGen SOAR can take in alerts from any integrated system and determine which alerts require immediate attention. D3 structures the data from incoming alerts to separate out the IOCs. By integrating with Lastline Analyst, D3 operators can check those IOCs, such as implicated IP addresses and domains, and receive a risk score report. Lastline’s analysis can be automatically incorporated into the incident in D3 for at-a-glance evaluation by the user.
Incorporating Lastline’s advanced analysis into D3 workflows allows for faster triage of events, which ensures that security teams stay focused on the threats that matter instead of chasing after false positives. When a genuine threat is identified, having Lastline’s report at your fingertips allows you to activate the correct automation-powered playbook in D3 to take immediate action to remediate the risk.
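The triage flow in the two paragraphs above, separating IOCs out of a raw alert and ranking the alert from per-IOC risk scores, can be sketched as follows. This is an added example and not D3 or Lastline code: the alert line, the risk scores and the thresholds are all constructed stand-ins for what an analysis service would return, and the address 203.0.113.77 is from the documentation range, used here as a made-up external host.

```python
"""Extract IOCs from an alert and prioritise it from risk scores.

Added example, not D3 or Lastline code. Alert text, scores and thresholds
are constructed; a real playbook would fetch scores from the analysis service.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Filenames also look like domains to the regex above; drop common extensions.
FILE_EXTENSIONS = {"exe", "dll", "js", "ps1", "bat", "zip", "doc", "docx", "xls", "pdf"}

# Internal ranges are context, not IOCs to send to an external analysis service.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed alert, as a SIEM or firewall might emit it.
SAMPLE_ALERT = (
    "Outbound connection from 10.20.30.40 to 203.0.113.77:443 "
    "resolved via updates.example-cdn.test; process msiexec.exe"
)

# Constructed 0-100 risk scores standing in for the analysis service's report.
MOCK_RISK_SCORES = {"203.0.113.77": 92, "updates.example-cdn.test": 65}


def _dedupe(items):
    """Preserve first-seen order while removing repeats."""
    return list(dict.fromkeys(items))


def is_internal(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # regex matched something like 999.1.1.1; not a valid address
    return any(ip in net for net in INTERNAL_NETS)


def extract_iocs(alert_text: str) -> dict:
    """Split an alert into external IPs, domains, and internal hosts."""
    ip_candidates = _dedupe(IPV4_RE.findall(alert_text))
    valid_ips = []
    for ip in ip_candidates:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        valid_ips.append(ip)
    internal = [ip for ip in valid_ips if is_internal(ip)]
    external = [ip for ip in valid_ips if not is_internal(ip)]
    domains = [
        d.lower() for d in _dedupe(DOMAIN_RE.findall(alert_text))
        if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS
    ]
    return {"ips": external, "domains": domains, "internal_ips": internal}


def triage(alert_text: str, risk_scores: dict, high: int = 80, medium: int = 50) -> dict:
    """Score each external IOC and derive one priority for the alert.

    The alert takes the priority of its worst IOC. IOCs the service returned no
    score for are kept as None so a human sees they were never assessed.
    """
    iocs = extract_iocs(alert_text)
    scored = {ioc: risk_scores.get(ioc) for ioc in iocs["ips"] + iocs["domains"]}
    known = [s for s in scored.values() if s is not None]
    if not known:
        priority = "unknown"
    elif max(known) >= high:
        priority = "high"
    elif max(known) >= medium:
        priority = "medium"
    else:
        priority = "low"
    return {"priority": priority, "iocs": scored, "internal_hosts": iocs["internal_ips"]}


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT, MOCK_RISK_SCORES))
```

Keeping the internal host separate from the submitted IOCs serves two purposes: it avoids leaking internal addressing to an external service, and it tells the responder which asset to contain if the playbook escalates.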
Our Connected SOAR Security Alliance brings hundreds of vendors together, allowing customers to benefit from our deep industry relationships and fully vendor-agnostic, independent SOAR platform.