5 Ways D3 Security’s SOAR Can Help You Prioritise Incidents

In almost any SOC, there are more incidents than can be properly investigated. Even with effective rules in your SIEM and other detection tools that rule out the majority of false positives and low-risk events, incident responders are still often overwhelmed with a never-ending queue. SOAR can bring order to the chaos of incoming incidents by aggregating alerts from different tools, automating enrichment, and providing at-a-glance analysis of each incident.

DataSolutions is D3 Security's leading IT Distributor in the UK and Ireland. We enable digital workplace, hybrid multi-cloud, networking and cyber security vendors to expand in the UK and Irish markets. The leading products in our portfolio are selected to deliver transformational IT infrastructure solutions for end-users and create an ecosystem for sustainable, accelerated growth for our partners.

As a leading IT distributor with over 30 years in this industry, we can easily see how D3 Security’s SOAR is especially effective at helping analysts and managers ensure that they are spending their time on the most dangerous threats.

D3 Security has shared with us five ways its SOAR can help you identify and prioritise important incidents.


1. Cumulative Risk Scoring

Because D3 Security integrates with a wide range of threat intelligence sources, incidents can be easily prioritized based on their cumulative risk score. When an incident is ingested into the system, D3 Security checks its IOCs against each integrated third-party intelligence platform, and each platform returns a risk score. D3 Security then aggregates these scores into a single cumulative risk score for the incident. You can set a threshold within D3 so that incidents are automatically prioritized when their cumulative score exceeds it.


2. Key Assets

Within D3 Security, you can assign key asset status to particular entities, so you always know right away when critical assets are at risk. Key assets might include user IDs, email inboxes, and endpoints related to important personnel, such as senior executives or technical researchers with access to proprietary information. They might also include important internal servers or any other entities that represent major risk for the organization. In D3, you can create rules so that incidents involving key assets are immediately flagged and escalated.


3. MITRE ATT&CK Stage

One of D3 Security’s most powerful features is its ability to correlate incidents against the MITRE ATT&CK Matrix. For those unfamiliar with ATT&CK, it lays out 12 adversarial tactics—each with many associated techniques—in a “kill chain”, meaning that they represent the approximate sequence an adversary might take to reach their goal. So you can see why an incident that represents a later link in the kill chain—for example Command and Control, which is one step before Exfiltration—is a more urgent concern than an earlier link in the chain. With D3 Security, you can easily prioritize incidents based on their ATT&CK tactic.


4. Type of Incident

Not all cybersecurity incidents are created equal. A ransomware attack, for instance, is an all-hands-on-deck emergency in a way that a run-of-the-mill phishing email might not be. You can configure D3 to automatically flag certain incident types as high priority to ensure they get an immediate response.


5. Number of Incidents

So far, we’ve covered the characteristics of individual incidents that can be used to determine priority, but there’s also another factor: the occurrence of an incident type within a timeframe. A single phishing email, as previously mentioned, is no big deal. However, if you have detected 30 simultaneous phishing emails to your users from the same sender, your organization has clearly been targeted. D3 can group related incidents into a single case for investigation and assign it higher priority than its individual components would merit.
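As an added illustration (not D3's code, which this post does not show), the following Python sketch scores constructed incidents with the five signals above: cumulative intel score, key asset, ATT&CK stage, incident type, and a burst of same-sender phishing folded into one case. The feeds, weights, thresholds, tactic list and asset list are all assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed reference data, not D3's configuration: the 12 ATT&CK tactics in kill-chain
# order, key assets, always-urgent incident types and two constructed intel feeds.
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]
KEY_ASSETS = {"ceo@example.com", "fileserver01"}
URGENT_TYPES = {"ransomware"}
INTEL = {"feed_a": {"198.51.100.7": 80, "bad.example": 60},
         "feed_b": {"198.51.100.7": 70}}
RISK_THRESHOLD = 100  # cumulative score at which an incident is auto-prioritised

def cumulative_risk(iocs):
    """Point 1: add up every feed's score for every IOC in the incident."""
    return sum(feed.get(ioc, 0) for feed in INTEL.values() for ioc in iocs)

def score_incident(inc):
    """Points 1-4: one priority score for an incident dict."""
    score = cumulative_risk(inc["iocs"])
    if score >= RISK_THRESHOLD:
        score += 100  # over the intel threshold: bump it ahead of the queue
    if KEY_ASSETS & set(inc["assets"]):
        score += 100  # key asset involved
    score += 10 * (TACTICS.index(inc["tactic"]) + 1)  # later kill-chain link, higher
    if inc["type"] in URGENT_TYPES:
        score += 200  # always-urgent incident type
    return score

def group_campaigns(incidents, window=timedelta(minutes=15), min_count=5):
    """Point 5: fold same-type, same-sender incidents inside a window into one case."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[(inc["type"], inc.get("sender"))].append(inc)
    cases = []
    for (itype, sender), group in buckets.items():
        group.sort(key=lambda i: i["time"])
        if len(group) >= min_count and group[-1]["time"] - group[0]["time"] <= window:
            best = max(score_incident(i) for i in group)
            cases.append({"type": itype, "sender": sender, "count": len(group),
                          "score": best + 50 * len(group)})  # case outranks any member
    return cases

# Constructed samples: a C2 beacon from a key server and a 30-email phishing burst.
T0 = datetime(2020, 7, 28, 9, 0)
C2 = {"type": "beacon", "sender": None, "tactic": "Command and Control",
      "iocs": ["198.51.100.7"], "assets": ["fileserver01"], "time": T0}
PHISH = [{"type": "phishing", "sender": "attacker@bad.example", "tactic": "Initial Access",
          "iocs": ["bad.example"], "assets": [f"user{n}@example.com"],
          "time": T0 + timedelta(seconds=10 * n)} for n in range(30)]
```

With these assumed weights the single beacon from the key file server scores 450, while the 30 phishing emails collapse into one case scoring 1570, so the campaign rather than any individual email reaches the top of the queue.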


Learn More

D3 SOAR can bring a consistent and repeatable framework to much more than just prioritizing incidents. Once you have determined which incidents require immediate action, D3 jumps into action with automated playbooks that marshal the resources of your entire security infrastructure to remediate threats. The recent shift towards employees working from home brings about many unique security challenges, and D3’s playbooks can help!

To learn more, check out our recent whitepaper 5 SOAR Playbooks for the Remote Work Era.


This blog was originally published on the D3 Security website, by Walker Banerd on the 28th July 2020. You can find the original blog post here.


