Incident Management Automation and Beyond

Some PowerPoint slides are splashy, some are beautiful. But the real show-stoppers are the ones that make you straighten up and say, “Wait…how could this be?” That’s what happened when we hit slide 12.

Alex MacLachlan and Stan Engelbrecht, from fast-growing SOAR vendor D3 Security, had been taking me through their analyst briefing. D3, which was founded in 2002 and is based in Vancouver, offers a “next-generation” security orchestration, automation and response (SOAR) platform. Like many SOAR solutions, D3’s combines hundreds of IT and security tool integrations along with incident-specific response plans—called playbooks—that help companies standardize and automate responses to security incidents and data breaches. The next generation part, however, is where D3 likes to differentiate itself.

MacLachlan explained that D3 helps customers extend automated orchestration and cross-enterprise workflows beyond the Security Operations Center (SOC), so that Privacy, Fraud, Compliance, and Corporate Security teams could all use a single platform for investigations and case management. “With everything on one platform,” said MacLachlan, the company’s marketing director, “the quality and speed of investigations increases, manual processing is reduced, and audit capabilities are enhanced.” General counsel are bound to like that, I thought. And thanks to its cross-enterprise capabilities, he noted, many customers were even processing their COVID-19 cases in D3.

It all sounded good. But I couldn’t quite picture it. Then we hit slide 12.

How Did They Do That?

It was from an actual customer story, explained Engelbrecht, D3’s cybersecurity practice director. The customer was an international bank that had a problem with data breach investigations. The slides included before-and-after statistics, and they were as startling as any before-and-after photos. Picture a rotund man on one side and a svelte James Bond look-alike on the other.

Time to complete a cross-enterprise investigation BEFORE D3 was implemented: 44 hours.

Time to complete a cross-enterprise investigation AFTER D3 was implemented: 26 minutes.

That’s a 99 percent time reduction, in case you’re counting. And there was another statistic right under it that was also pretty remarkable.

Time to search and retrieve target case files BEFORE D3: 48 hours.

Time to search and retrieve target case files AFTER D3: 2 minutes.

How do you get from two days to two minutes? They had my full attention.

Let’s start with a few caveats. They weren’t able to name the client, so they couldn’t provide some details even if they’d wanted to (protecting confidential information). And this was not about big, headline-worthy post-breach investigations; it was comparing the average response time for a group of case types that generally involved sensitive data being accessed or moved unexpectedly. For example, if an employee suddenly resigned, the organization “needed to understand what company data had been accessed, and whether any had been misused or had left the organization,” said MacLachlan.

The Problem

The problem with the bank’s old investigations was attributable to the systems it was using, Engelbrecht explained. When cybersecurity investigators were called to look into a matter, they came in and started digging. But if they realized that there were concerns about privacy, they also passed off the investigation to the privacy team.

The privacy investigators would start at square one. And they did their investigation. But if they realized that there had also been some unaddressed security risks, they notified the risk team. Each investigation group had its own area of expertise, Engelbrecht said. And each ended up doing its own investigation. It was these multiple silos that were bogging down what might have been a simple investigation.

Later, when the company wanted to retrieve the case, or was compelled to during an audit, it wasn’t just one case file that needed retrieving. In one real case, for example, 14 sub-departments were holding relevant information. Pulling it all together was difficult and time-consuming, and there was no directly responsible individual. Worse, “they each were talking their own language,” Engelbrecht said. “The data was siloed, incomplete and duplicated. Systems didn’t speak to each other, and nobody had time for the high level of manual processing that was required.”

The Solution

That was the starting point when D3 won a proof-of-concept and was handed the contract. Over the months that followed, D3 helped the bank deploy a single platform that all departments share for incident response, investigations, case management and reporting. Most important, the bank leveraged D3’s robust information access controls to lock down information on a need-to-know basis.

The hardest part of the job had nothing to do with technology, Engelbrecht observed. “It’s not an easy change because it’s a cultural shift in how they do their jobs,” he said. And for that reason, it required C-Suite buy-in, which was a gradual process.

“Over time,” he continued, “more and more departments started using the system. We just keep rolling it out, and today there are eight departments, all using D3 as their incident response management and investigations platform. The client calls it their ‘single source of truth.’”

Engelbrecht gave me a demo to show me the flexibility of the software, and how thoroughly it can be customized. The Case Management Dashboard allows companies to configure processes to meet their needs and to standardize the work. Individual users can select from pre-configured dashboards, based on their responsibilities, or create their own views. Playbooks and integrations appear to work seamlessly together, with a visual drag-and-drop interface abstracting much of the busy-work into the background.

It was clear how this helped the bank’s workflow. Investigation forms can be built with predesigned fields that create the common language that the departments had previously been missing. And drop-down menus help automate the work. The case history is immediately visible to everyone who works on it. It’s clear who entered what information. It’s impossible to edit out entries, and they’re automatically time-stamped. Even views of data are tracked.

Anyone who has information on an investigation goes to the same place. They see what they are allowed to see, based on their permissions, and the D3 software guides them through the process, ensuring that the right data is entered into the system. Things called “tips” even provide helpful on-screen tidbits regarding best practices—such as links to relevant frameworks or required steps for completing an interview as part of an investigation. Since all the data is consolidated in one place, it literally takes no more than minutes to locate. A lengthy and chaotic process was replaced by one that simplifies, clarifies, organizes and preserves the work.

MacLachlan noted that it’s a tool the general counsel of any company is bound to love. There are rich and varied incident management features, including compliance reporting templates and playbooks for privacy and data breach investigations. Case management data is protected, and it’s easy to limit access to those who need to know. Evidence management is fully native to the platform for both digital and physical evidence, and provides chain-of-custody documentation. And the whole audit trail can be sent straight to legal.

Last but not least, because the software is so flexible and easy to deploy, “it can be used for a lot of things,” MacLachlan said. The D3 Security case intake, workflow engine and dashboard are now being used to process COVID-19 cases, including task assignments, employee-status tracking and the generation of facility-based metrics and insights.

In other words, it offers automation and orchestration, incident management and reporting, for the full enterprise. That’s a lot more than any slide deck can capture.