Automation, as enacted by security orchestration, automation, and response (SOAR) tools and others, has historically not been vendor-specific. By this, we mean that automated workflows do not generally consider the precise differences in the capabilities of integrated tools.
An EDR is an EDR. A SIEM is a SIEM. However, as you surely understand, not every tool within a category has the same features. Each one reacts to alerts/alarms/events differently and can take different actions during mitigation and investigation.
This limitation is why security automation has largely been limited to tier-one and tier-two tasks. Automation can be relied on for the basics, but more knowledge and specificity are required to replicate the expert judgement of a tier-three analyst. For MSSPs, whose customers rely on them to assess potential incidents, the stakes are too high to apply generic automation. If an MSSP has clients with different security stacks, it can’t be sure that the same automated workflow, or even the same manual processes, will work equally well for each client.
For example, if a client’s endpoints are secured by Microsoft Defender, that tool can automatically check their Outlook mailboxes for malicious files found in an incident. But if they use CrowdStrike, they don’t have that capability without a third-party integration. So, different integrations and actions will be necessary for clients with these tools.
Coverage and Defensive Measures
If your MSSP follows the guidelines of MITRE ATT&CK and D3FEND, there are specific data sources and mitigations you need to leverage against adversary techniques. To truly understand your coverage of these techniques, and your clients’ security posture, you need a precise understanding of what you can capture from each tool. To know which of MITRE D3FEND’s countermeasures you can enact also requires deep knowledge of tools. This knowledge is hard to maintain, especially if your client base uses dozens of different tools.
For these reasons, we’ve done deep research into security tools and built out matrices of what each tool is capable of, and when it needs to be integrated with another tool to perform a task. This analysis maps nicely onto MITRE ATT&CK and D3FEND.
As an example, let’s look at a few of the actions that should be taken during a Credential Dumping incident (ATT&CK technique T1003). We’ve taken a subset of the tools we studied, anonymized them—since this is solely to illustrate the amount of variation—and recorded their capabilities for each of these important actions.
Vendor Capabilities for Actions Related to T1003:

| Action Item | EDR Tool 1 | EDR Tool 2 | XDR Tool 1 | XDR Tool 2 | Firewall 1 | Firewall 2 | SIEM 1 |
|---|---|---|---|---|---|---|---|
| Initial Investigation: Verify the attack and its location. | Shows the host and process where the attack happened, along with relevant details. Can also send the malicious file to a sandbox. | Shows the host and process where the attack happened, along with relevant details. Can also send the malicious file to a sandbox. | Shows the host and process where the attack happened, along with relevant details. | Shows the host and process where the attack happened, along with relevant details. | X | X | Gathers detection information and details from EDR. Cannot send files to third-party TIP for confirmation. |
| Asset Identification: Is the involved host or user a critical asset? | X | Can tag machines with predefined values set by administrators during configuration. | X | X | X | X | Can assign different risk scores and values for high-risk assets and identities. |
| Kill/Suspend Malicious Process | Can kill the malicious process almost instantly when detected. | Can kill the malicious process almost instantly when detected. | X | X | X | X | X |
| Threat Hunting for Root Cause: Identify the creator process of the suspicious file. | Allows users to perform an event search to locate the creation of the executing files. | Allows users to perform Advanced Hunting to locate the creation of the executing files. | Allows users to perform an event search to locate the creation of the executing files. | X | X | X | X |
As you can see in this table, the tools within a category generally have similar capabilities, but not always. For example, only one of the two EDR tools can support asset identification. The XDR tools we studied have a lot of overlap with the EDR tools, as you might expect, but on some of the action items, the XDR tools lacked certain capabilities that the EDR tools had. This is just a tiny slice of the research we have conducted into common tools, use-cases, and procedures. The differences between tools go much deeper than we have time for in this article, underscoring the importance of customizing your processes for each stack.
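The practical consequence of a matrix like the one above is that a playbook has to be resolved against each client's actual stack before it can be automated. The following is an added example, not D3 Security's code or any part of Smart SOAR: it encodes the anonymized T1003 table (an "X" cell becomes NONE; the SIEM's investigation step, which the table says depends on EDR data, becomes an integration that requires an EDR in the same stack), then resolves the four action items for a client's tool list, reporting which tool runs each step and which steps are coverage gaps. The client stacks at the bottom are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Support(Enum):
    NATIVE = "native"            # the tool performs the action on its own
    INTEGRATION = "integration"  # only works with data/actions from another category
    NONE = "none"                # an "X" cell in the capability table


@dataclass(frozen=True)
class Capability:
    support: Support
    requires: Optional[str] = None  # tool category that must also be in the stack


ACTIONS = ["initial_investigation", "asset_identification", "kill_process", "root_cause_hunt"]

N = Capability(Support.NONE)
Y = Capability(Support.NATIVE)
NO_CAPABILITIES = {a: N for a in ACTIONS}

# (category, action -> Capability), transcribed from the anonymized T1003 table.
CAPABILITIES: Dict[str, Tuple[str, Dict[str, Capability]]] = {
    "EDR Tool 1": ("EDR", {"initial_investigation": Y, "asset_identification": N,
                           "kill_process": Y, "root_cause_hunt": Y}),
    "EDR Tool 2": ("EDR", {"initial_investigation": Y, "asset_identification": Y,
                           "kill_process": Y, "root_cause_hunt": Y}),
    "XDR Tool 1": ("XDR", {"initial_investigation": Y, "asset_identification": N,
                           "kill_process": N, "root_cause_hunt": Y}),
    "XDR Tool 2": ("XDR", {"initial_investigation": Y, "asset_identification": N,
                           "kill_process": N, "root_cause_hunt": N}),
    "Firewall 1": ("Firewall", dict(NO_CAPABILITIES)),
    "Firewall 2": ("Firewall", dict(NO_CAPABILITIES)),
    # The SIEM "gathers detection information and details from EDR": modelled as an
    # integration that is only usable when an EDR is present in the same stack.
    "SIEM 1": ("SIEM", {"initial_investigation": Capability(Support.INTEGRATION, requires="EDR"),
                        "asset_identification": Y, "kill_process": N, "root_cause_hunt": N}),
}


@dataclass
class Resolution:
    action: str
    tool: Optional[str]   # None when no tool in the stack can perform the action
    support: Support


def resolve_playbook(stack: List[str], matrix=CAPABILITIES, actions=ACTIONS) -> List[Resolution]:
    """Map each playbook action to the tool in this client's stack that will run it.

    Native support wins; an integration-backed capability is used only if its
    prerequisite category is present; otherwise the action is recorded as a gap.
    """
    categories = {matrix[tool][0] for tool in stack}
    plan = []
    for action in actions:
        chosen = None
        for tool in stack:
            if matrix[tool][1][action].support is Support.NATIVE:
                chosen = Resolution(action, tool, Support.NATIVE)
                break
        if chosen is None:
            for tool in stack:
                cap = matrix[tool][1][action]
                if cap.support is Support.INTEGRATION and cap.requires in categories:
                    chosen = Resolution(action, tool, Support.INTEGRATION)
                    break
        plan.append(chosen or Resolution(action, None, Support.NONE))
    return plan


def coverage_gaps(plan: List[Resolution]) -> List[str]:
    """Actions the stack cannot perform at all: these need a new integration or an analyst."""
    return [r.action for r in plan if r.support is Support.NONE]


def fully_automatable(plan: List[Resolution]) -> bool:
    return not coverage_gaps(plan)


if __name__ == "__main__":
    # Constructed client stacks, not real customer data.
    for client, stack in {"client-a": ["EDR Tool 2", "Firewall 1"],
                          "client-b": ["XDR Tool 2", "SIEM 1"],
                          "client-c": ["SIEM 1", "Firewall 2"]}.items():
        plan = resolve_playbook(stack)
        print(f"{client}: automatable={fully_automatable(plan)} gaps={coverage_gaps(plan)}")
        for r in plan:
            print(f"  {r.action:<22} -> {r.tool or '-':<11} ({r.support.value})")
```

Running the block shows why the same T1003 playbook cannot be shipped unchanged to every client: client-a resolves every step to its EDR, client-b has no tool that can kill the process or hunt for the creator process, and client-c cannot even complete the initial investigation because its SIEM's investigation view depends on an EDR it does not have. The gap list is also a direct input to the D3FEND-style coverage question raised earlier in the article.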
If you leverage automation in your business, deep understanding of tools can enable:
- Automation of higher-tier activities
- Greater scalability of workflow processes across clients
- More flexibility for what clients you can effectively serve
- Better understanding of coverage and defensive capabilities
About D3 Smart SOAR for MSSPs
D3 Security supports MSSPs around the world and enables high-value services with our Smart SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our unlimited integrations will meet their needs. D3’s Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch our case study video with Trifork Security to see how a successful MSSP uses Smart SOAR.
Guest blog courtesy of D3 Security. Read more D3 Security guest blogs and news here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.