This column is available in a weekly newsletter called IT Best Practices.
When it comes to network and endpoint security incidents, there is no shortage of products that can detect suspicious activity and raise alerts. What is in short supply is skilled incident responders and the time to investigate every alert. Security operations (SecOps) teams need better tools and more efficient processes to become more effective.
Demisto Inc. is a new company that launched in May to address these challenges. Demisto says it can help Security Operations Centers (SOCs) scale the capabilities of their human resources, improve incident response times, and capture evidence while working to solve problems collaboratively. The Demisto Enterprise platform is an innovative approach that includes enabling collaboration among analysts and intelligent automation using bots and playbooks.
Demisto is not in the incident detection business; there are enough products on the market to do detection. Instead, the Demisto platform takes in alert data from various sources, including:
- Network and analytics – Splunk, ArcSight, Check Point, etc.
- Threat feeds – Pipl, Rapid7, DomainTools, etc.
- Advanced endpoint products – Bit9, Carbon Black, CrowdStrike, etc.
- Malware analysis and forensics – FireEye, Cuckoo, Palo Alto, etc.
The alerts come into Demisto and are triaged to set the priority for investigations and to get the data needed for the investigations. Demisto uses playbooks and bots to determine what information is needed and to fetch it, and in some cases, to automatically respond in order to minimize what a human analyst needs to do.
Say an alert from an endpoint product indicates that a user has received a suspected phishing message. Demisto can run automated triage logic. The phishing playbook says to extract the URLs in the message, the IP addresses, and the files attached to it, and to check each against reputation data; if any of them has a bad reputation, the playbook classifies the message as a phishing incident. The bot can then tell the user it is a phish and delete the email message before the user clicks the URL or opens the attachment. This is exactly what a security analyst would do by hand, but encoding it in a playbook and running it automatically saves the analyst's time for the cases that need judgment.
Some security alerts clearly need the human touch, and sometimes a security analyst needs to consult with peers for help. Demisto supports that interaction with an integrated feature it calls ChatOps: a virtual war room in which different members of the SOC work together to investigate and resolve an incident.
For example, say a junior level security analyst in Chicago needs to consult with a more senior level analyst in New York as well as a network expert in Atlanta. They can all meet in the war room to work the issue interactively. The bot becomes an active member of the team by getting relevant data to support the investigation.
The people in the ChatOps room can do more than consult with each other. They can issue commands to the bot to take action on something, as well as assign tasks to people and set due dates for when those tasks need to be completed.
The incidents that security analysts are investigating might have some aspects that require evidentiary support. Demisto collects and documents the evidence with the appropriate chain of custody in the event that the evidence is needed in a court of law. Everything that is done to investigate and resolve an issue is completely documented and sharable to help others who are working similar incidents. Reports are automatically generated after each incident is addressed.
Demisto offers numerous playbooks out of the box which are customizable for your environment and scenarios. In addition, there are more than 100 predefined automation scripts that can become part of a playbook. The distinction is that a playbook contains all the steps to address a specific incident, such as a ransomware attack. A script is an automation task the playbook can execute, such as "go to Active Directory and reset the user's password" or "go to Active Directory and find the group of this user and if the user is an executive then escalate the severity of the incident." A playbook also can include manual steps that would be done by a human.
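To make the playbook-versus-script distinction concrete, the following is an added illustration (not Demisto's code) of the phishing triage described above, written as a playbook that calls small scripts: extract indicators, check reputation, classify, delete the message, escalate if the target is an executive, and queue a manual task for an analyst. The reputation sets, the user-to-group directory and the sample messages are constructed here to stand in for threat feeds, Active Directory and a real mailbox; all of those names are assumptions. Note the practitioner caveat the example makes visible: reputation-only triage cannot flag a phish whose indicators are not yet on any list, which is why the playbook still leaves a manual step.

```python
import re
from dataclasses import dataclass, field

# Constructed reputation data standing in for threat-feed lookups (assumed, not real feeds).
BAD_DOMAINS = {"login-verify-example.net"}
BAD_IPS = {"203.0.113.45"}
BAD_FILE_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Constructed directory data standing in for an Active Directory group lookup (assumed).
USER_GROUPS = {"alice": {"staff", "executives"}, "bob": {"staff"}}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Incident:
    """Minimal incident record: what came in, plus what the playbook did with it."""
    user: str
    body: str
    attachment_hashes: list
    severity: str = "low"
    verdict: str = "unknown"
    evidence: list = field(default_factory=list)      # (indicator type, value) pairs that matched
    actions: list = field(default_factory=list)       # automated actions taken, for the report
    manual_tasks: list = field(default_factory=list)  # steps left for a human analyst


# Scripts: each is one automation task that a playbook can call.

def extract_indicators(inc):
    hosts = set(URL_HOST_RE.findall(inc.body))
    ips = set(IPV4_RE.findall(inc.body))
    return {"domains": hosts - ips, "ips": ips, "hashes": set(inc.attachment_hashes)}


def check_reputation(inc, indicators):
    hits = [("domain", d) for d in sorted(indicators["domains"]) if d in BAD_DOMAINS]
    hits += [("ip", i) for i in sorted(indicators["ips"]) if i in BAD_IPS]
    hits += [("sha256", h) for h in sorted(indicators["hashes"]) if h in BAD_FILE_HASHES]
    inc.evidence.extend(hits)
    return hits


def classify(inc, hits):
    # The playbook's rule from the column: any bad-reputation indicator means phishing.
    inc.verdict = "phishing" if hits else "benign"
    if hits:
        inc.severity = "medium"
    return inc.verdict


def delete_email(inc):
    # A real script would call the mail system's API; here the action is only recorded.
    inc.actions.append(f"deleted message from mailbox of {inc.user}")


def escalate_if_executive(inc):
    # The "find the user's AD group and escalate for executives" script from the column.
    if "executives" in USER_GROUPS.get(inc.user, set()):
        inc.severity = "high"
        inc.actions.append(f"severity raised to high: {inc.user} is in the executives group")


def run_phishing_playbook(inc):
    """Ordered tasks; automated ones run here, the manual one is queued for an analyst."""
    hits = check_reputation(inc, extract_indicators(inc))
    if classify(inc, hits) == "phishing":
        delete_email(inc)
        escalate_if_executive(inc)
        inc.manual_tasks.append("confirm with the user whether credentials were entered")
    return inc


def sample_alerts():
    """Constructed sample alerts (not real messages); fresh objects on every call."""
    return [
        Incident("alice", "Please verify your account at http://login-verify-example.net/acct "
                          "or call our help desk at 203.0.113.45 today.",
                 ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]),
        Incident("bob", "Lunch menu: https://intranet.example.com/menu", []),
        Incident("bob", "Reset your password: http://login-verify-example.net/reset", []),
    ]


def triage_all(samples=None):
    return [run_phishing_playbook(inc) for inc in (samples or sample_alerts())]


if __name__ == "__main__":
    for inc in triage_all():
        print(inc.user, inc.verdict, inc.severity, inc.evidence, inc.actions, inc.manual_tasks)
```

Running it shows the three outcomes the playbook can produce: the executive's message is deleted and escalated to high, the benign message is left alone, and the non-executive's phish is deleted at medium severity with the manual confirmation task queued in all phishing cases.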
The Demisto bot is capable of detecting when multiple incidents are actually duplicates of each other. Say there is a malware attack on a company endpoint device in Europe. It is communicating with a command and control server at a particular IP address. A similar attack is underway in the U.S. and the same IP address is involved on the backend. The bot can determine these events are related so that they can be addressed together rather than assigning two different teams to investigate and respond separately.
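The linking described above amounts to grouping incidents that share an indicator, transitively. The following is an added example of that logic (not Demisto's own implementation); the incident IDs, indicators and the allowlist of "noisy" indicators are constructed. The allowlist is the check a practitioner wants here: a public DNS resolver or a CDN address shows up in nearly every incident, and linking on it would merge unrelated cases into one.

```python
from collections import defaultdict

# Indicators that appear in almost every incident and must not link them on their own
# (constructed allowlist; a real one would come from baselining the environment).
NOISY_INDICATORS = {"8.8.8.8", "1.1.1.1"}


def link_incidents(incidents, noisy=NOISY_INDICATORS):
    """Group incident IDs that share at least one non-noisy indicator, transitively.

    incidents: dict mapping incident ID -> set of indicator strings (IPs, hashes, ...).
    Returns a sorted list of sorted ID lists, one list per group.
    """
    parent = {inc_id: inc_id for inc_id in incidents}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # indicator -> first incident that carried it
    for inc_id, indicators in incidents.items():
        for ioc in indicators:
            if ioc in noisy:
                continue
            if ioc in first_seen:
                union(first_seen[ioc], inc_id)
            else:
                first_seen[ioc] = inc_id

    groups = defaultdict(list)
    for inc_id in incidents:
        groups[find(inc_id)].append(inc_id)
    return sorted(sorted(members) for members in groups.values())


def link_reasons(incidents, noisy=NOISY_INDICATORS):
    """Which indicators actually tie incidents together, for the analyst's report."""
    carriers = defaultdict(set)
    for inc_id, indicators in incidents.items():
        for ioc in indicators - noisy:
            carriers[ioc].add(inc_id)
    return {ioc: sorted(ids) for ioc, ids in carriers.items() if len(ids) > 1}


# Constructed incidents (not real data): two endpoint alerts on different continents
# beaconing to the same C2 address, plus two others.
SAMPLE_INCIDENTS = {
    "INC-1001": {"198.51.100.7", "sha256:aaaa", "8.8.8.8"},  # EU endpoint, C2 + dropper
    "INC-1002": {"198.51.100.7", "sha256:bbbb"},             # US endpoint, same C2
    "INC-1003": {"8.8.8.8", "203.0.113.9"},                  # only a public resolver in common
    "INC-1004": {"sha256:bbbb"},                             # same dropper as the US case
}


if __name__ == "__main__":
    print(link_incidents(SAMPLE_INCIDENTS))
    print(link_reasons(SAMPLE_INCIDENTS))
```

With the allowlist in place the EU and US cases are linked through the C2 address, the fourth case joins them through the shared dropper hash, and INC-1003 stays separate; passing an empty allowlist collapses all four into one group, which is the over-merging the check prevents.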
Everything the Demisto platform does is intended to speed up the processes security analysts use. In particular, the playbooks and the bot take care of many of the mundane tasks humans would otherwise spend time on, and ChatOps brings together experts regardless of location to share knowledge and experience. The platform also brings in data from multiple sources that would otherwise remain isolated in security silos.
From a SOC perspective, Demisto takes care of the process side of the house with incident management processes, full metrics, automation, documentation and being able to get people to collaborate. All of this is available through a single platform for a SOC.