I have been saying for a while that security automation, orchestration, and response (SOAR) tools are key enablers for tranforming SOC operations. And these tools have matured from glorified python script engines to sophisticated and integated tools over the last couple of years, providing some of the latest machine learning and AI capabilities. This has resulted in a very hot and contested market as SOAR tool vendors are starting to be swallowed up by larger cyber security companies as they grow at rapid paces. In particular, one SOAR tool vendor – D3 Security – grabbed my attention when it recently announced that it had experienced “record breaking growth” in 2018 and that more than 20 percent of the Fortune 500 now use its products. Twenty per cent seems like a significant stake to me in the market of Fortune 500 companies given how many SOAR vendors are out there. So I was interested in learn what capabilities D3 Security provides and I reached out to them. I was very delighted when D3 Security responded positively to my interest. So read the interview below with Stan Engelbrecht of D3 Security as he discusses how D3 Security’s SOAR platform is instilling confidence and enabling capability with SOC operators.  

Spotlight on Mr. Stan Engelbrecht

» Title: Mr. Stan Engelbrecht, Director of Cyber Security Practice, D3 Security

» Website: https://d3security.com/

» LinkedIn: https://www.linkedin.com/in/stanengelbrecht

Read his bio below.

Chris Daly, Active Cyber™: The security orchestration, automation and response (SOAR) market is crowded. What makes your technology stand out among this crowd and what key customer needs are you trying to address?

Mr. Stan Engelbrecht, Director of Cyber Security Practice, D3 SecurityD3’s Security Orchestration, Automation and Response (SOAR) platform is designed to cover the full lifecycle of an event, not just one or two phases of the investigation. We provide the ability for the SOC to capture all aspects of an incident, from detection and analysis through to post-incident review. Our solution doesn’t require the SOC to have strong python capabilities; we have abstracted away that requirement, so maintenance of scripts is greatly reduced.

Active Cyber™: One critical feature that many tools fail to adequately meet is “usability” across a broad set of user classes – beginner, intermediate, and expert. How is D3 Security designed to get the novice SOC analyst up and running while providing the flexibility in configuration options and scaling demanded by expert SOC analysts?

Mr. Stan Engelbrecht: One of the great things about the D3 solution is its flexibility and configurability. The maturity of the user class doesn’t matter, because playbooks can be configured to suit different levels of complexity. This means a beginner doesn’t get overwhelmed, because we can guide them through the steps that they require to do their job. Likewise, an expert is given the ability to script on the fly, if required, and can execute playbooks with a high level of sophistication.

Active Cyber™: Can you describe how your playbooks are constructed and provide some examples about how they can be organized to handle complex security automation tasks?

Mr. Stan Engelbrecht: D3 playbooks are configured graphically using a flow charting tool. This allows you to build out the workflow and see how you want the decisions within that workflow to run. For example, if an alert comes in through a SIEM about some suspicious network traffic, the playbook can be designed in such a way as to automatically grab a network capture from another tool, ingest it, parse out anything that is deemed relevant by the analyst, and send this off to a threat intelligence tool for further enrichment, such as assessing an external IP address. If this address comes back as malicious, the analyst can trigger further actions depending on their toolset, such as blocking the IP address on their firewalls or pulling the endpoint offline that was communicating with that malicious IP.

Active Cyber™: Incident response isn’t just about single threaded, linear processes to mitigate threats. Real-time collaboration across different silos of responsibility is also important so analysts and decision-makers are working from the most up to-date information and without duplicating tasks. How does D3 Security expand the incident response playbook in a collaborative manner and how does it enable more rapid and effective incident response processes?

Mr. Stan Engelbrecht: D3 handles the collaboration with teams in a couple different ways. First, with the ability to set up a war room within the localized, out-of-band chat functionality. This allows for an instant chat that can be used to pass information back and forth quickly and provide an audit trail for compliance if needed. The second way is our Case Management module. This module allows for multiple departments to be actively involved in an investigation at the same time. It has similar playbook capabilities as the incident response module but is designed for crisis management, where it may not just be the SOC involved, but also stakeholders from any number of departments from legal, to PR, to data privacy. At any point, notifications can be sent out to groups that may not be directly involved, but simply need an update as to what is happening. This is normally done via email but can be done via SMS or voice notification.

Active Cyber™: How are risk metrics incorporated into cyber orchestration decisions and prioritization of cyber orchestration activities by D3 Security’s platform?

Mr. Stan Engelbrecht: Risk metrics can be incorporated as a scoring system to rank the incoming alerts and provide the SOC a way to deal with alerts that have a greater potential for harm. When an alert is ingested into the D3 platform, IOCs are parsed out and sent for enrichment to various tools. These provide multiple risk scores and allow us to rank the incident based on the number of IOCs present in the alert as well as the risk score of those IOCs. D3 correlates these together to provide a ranking for the SOC to work on the highest priority ones first.

Active Cyber™: How is machine learning and AI changing the landscape of SOAR tools and approaches? How is D3 Security applying these technologies in its SOAR platform?

Mr. Stan Engelbrecht: Machine learning and AI have the capability to change how a SOC functions by alleviating all but the most complex incidents that still need to be handled by humans—the caveat being that machine learning and AI must be implemented correctly. This is much harder than it seems. The algorithms that machine learning and AI run on must have a large and good data set to reliably make good decisions, and this takes time and effort. D3 is working on an algorithmic method to greatly reduce the time analyst spend on false positive incidents. You can expect more on this later in 2019.

Active Cyber™: Playbook automation is generally achieved through automated integrations with external applications. Many vendors provide this, but it’s important to be able to customize the level of automation while providing wide support. How does D3 Security handle integration with third party tools and sensors, and what types of integration standards does D3 Security apply? How does it provide multi-environment orchestration to unite security management processes across the cloud, office networks, or virtual? How does cyber orchestration playbooks provided by D3 Security interact with SDN controllers, and NFV/VM orchestration tools?

Mr. Stan Engelbrecht: D3 integrates on several levels. We have a RESTful API and can integrate directly API to API. A second method is via our python library. This has several levels. We allow our clients to write their own scripts, choose from a list of predefined placeholder scripts that they can then modify or simply use an applet that requires no scripting, where only input and output placeholders are needed. Integrations are run in parallel, which means multiple actions can be happening at once across multiple security tools within a given playbook. Again, these actions can be enrichment-related or action-related and can be defined by our clients according to the tool set in their environment.

Active Cyber™: Link analysis and entity profiling are often applied by SOAR tools to help establish, visualize, and understand the connections between entities, incident records, external data sources, and other data points that the tool records. How does D3 Security apply analytics to assist SOC analysts in understanding the timeline of a cyber attack, see its connections to previous incidents, and accelerate their response to the attack?

Mr. Stan Engelbrecht: D3 has a robust entity system which allows entities to be defined according to what the client may need. While we have a number of entities predefined, this doesn’t prevent the client from defining their own. IOCs such as IP addresses, file names and hashes, URLS, and usernames can all be used as entities and tracked within the D3 system. Through our link analysis tool, these are graphically displayed and instantly give the analyst a view of how many times they have been part of an incident, but also how they interrelate with other IOCs. For example, link analysis provides the ability to see all usernames associated with any IP addresses that may be associated with alerts that have been ingested into the system. The SOC can use this to see patterns and correlate events that may not seem to be linked, but are.

Active Cyber™: Understanding mission impacts prior to performing a response or mitigation action is critical to ensuring that an orchestrated response doesn’t end up creating a bigger problem. What best practices do you recommend with regards to this issue to enterprises that want to accelerate and amplify cyber responses using security automation tools?

Mr. Stan Engelbrecht: Crawl, walk, run—it’s no different with security automation. Start with the small things and always have an analyst review before hitting the button to do a remediation action. Track and log this over the course of a month or two and review the associated playbook. If an action is being repeated to the point that it needs to be performed for every incident, this would be an opportunity to apply full automation and free up the analyst’s time to work on other things. This sounds simple, but in practice it takes consistent effort upfront to ensure steps aren’t missed. As you pointed out, automation can cause much bigger issues if implemented incorrectly or on the wrong process.

Active Cyber™: What level of growth do you see over the next five years in adaptive security and Security Automation? How do you see the market evolving? What market segments are you seeing the largest uptick of adoption?

Mr. Stan Engelbrecht: SOAR is the hottest security market currently. The resource and skills shortage has been a major driving force. Judging by the current climate, we will see a merging of technologies, and by looking at recent acquisitions and partnerships you can see it is well on its way. Market segments which are leveraging it the most—banking and financial services, healthcare, manufacturing—and the MSSP sector are the heaviest adopters so far.

Active Cyber™: Where is your current focus on investment / product development for D3 Security?

Mr. Stan Engelbrecht: Currently, we are continuing to strengthen our support for third-party tools and vendors to streamline the integration process. As I alluded to earlier, we are also working on a machine learning component which will greatly ease the resource side of the shortage.

Active Cyber™: What are your views on the OpenC2 and STIX/TAXII standards being developed by OASIS? Do you believe that inter-company M2M sharing of threats and associated playbooks using STIX/TAXII is a viable approach? What about intra-enterprise sharing?

Mr. Stan Engelbrecht: Personally, I feel this is would be an amazing accomplishment. Machine-to-machine sharing and inter-company sharing would greatly increase the agility and response capability of the SOCs that leverage it. Viability may be an issue; the security industry as a whole has not been able to standardize very much due to the proprietary nature of the solutions involved. OpenC2 would be a huge benefit as it would standardize the action side of equation by not being vendor-specific in how commands are sent and read. Again, we’ll have to wait and see if this pans out, but it’s hopeful to see the number of large-scale vendors and other organizations working on this.

Thank you Stan for this overview of D3 Security’s SOAR capabilities. It sure sounds like D3 Security is positioned well with the right features and capabilities to succeed in the highly contested SOAR market place. I look forward to hearing more about D3 Security’s continued success in the market and especially about pending announcements regarding new product features as well. 

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Mr. Stan Engelbrecht
Stan’s expertise in incident response and security operations make him a trusted ally to many of the world’s most targeted organizations. Stan and his team focus on improving the speed and quality of threat investigation, incident response, and digital forensics of D3 customers. His presence on the front lines of enterprise cyber security ensures special knowledge of the latest threats and requirements, topics Stan often comments on in media and at cyber security conferences.