New forms of sophisticated cybersecurity threats continually emerge to target enterprises through multiple attack vectors and entry points. In this environment, security teams often waste time collecting data from disparate sources, manually correlating that data, and performing repeatable tasks. The modern SOC needs security tools that give analysts rich, correlated data and automate the repeatable tasks, so that analysts have the time and energy they need for incident resolution.
Users can now leverage Demisto’s security orchestration and automation capabilities with JASK’s AI-driven, autonomous security operations capabilities for efficient and accelerated incident response.
Use JASK and Demisto integrated platforms to collaborate, investigate, and document.
USE CASE #1
Automated insight ingestion, enrichment, and response
SOCs use multiple solutions for data/log enrichment and incident response, which makes it hard to track the lifecycle of an incident: analysts transition between screens, information is fragmented, and there is no single place for documentation. Tier 1 analysts spend too much time on mundane manual tasks rather than on threat hunting and resolving incidents.
SOCs use JASK for aggregated alerts ("Insights") and data enrichment, and push those events to Demisto Enterprise for security orchestration and automation. The modern SOC can automate incident creation in Demisto for each insight type in JASK and trigger playbooks to execute upon incident creation. These playbooks orchestrate enrichment and response actions across the entire stack of products a SOC uses, in a single screen and a seamless workflow.
For example, analysts can create tickets, quarantine endpoints, retrieve pcaps, and send emails as automatable playbook tasks.
JASK’s rich alerts and data coupled with Demisto playbooks can speed up incident triage and resolution. Analysts can get a comprehensive view of the incident’s lifecycle, access documentation from a single source, and forego the need to switch between screens while performing investigation actions.
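As an added example of the ingestion step described above (not JASK's or Demisto's own code), the following Python sketches how insights pulled from JASK can be turned into Demisto incidents routed by insight type. The insight field names (id, type, severity, created, entities, signals), the sample insights, and the type-to-playbook table are all constructed assumptions; the output dictionary shape (name, type, severity, occurred, rawJSON) follows the convention a Demisto fetch-incidents command returns. The fetch is incremental: it keeps the newest timestamp and the IDs seen at that timestamp so a repeated poll does not create duplicate incidents.

```python
"""Added example: JASK insights -> Demisto incidents, routed by insight type.

Not JASK's or Demisto's own code. Field names, sample data and the routing
table are assumptions made for illustration.
"""
import json
from datetime import datetime

# Assumed mapping: JASK insight type -> (Demisto incident type, playbook name).
# In Demisto the playbook is normally bound to the incident type; carrying the
# playbook name here just makes the routing explicit.
ROUTING = {
    "Lateral Movement": ("JASK Lateral Movement", "JASK - Lateral Movement Response"),
    "Exfiltration": ("JASK Exfiltration", "JASK - Exfiltration Response"),
}
DEFAULT_ROUTE = ("JASK Insight", "JASK - Generic Triage")

# Demisto severity scale is 1 (low) to 4 (critical); 0 means unknown.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample insights, as if returned by a JASK API poll.
SAMPLE_INSIGHTS = [
    {"id": "ins-101", "type": "Lateral Movement", "severity": "High",
     "created": "2019-03-04T10:15:00Z", "entities": ["wks-17", "srv-db-02"],
     "signals": ["Unusual SMB logins", "Admin share access"]},
    {"id": "ins-102", "type": "Exfiltration", "severity": "Critical",
     "created": "2019-03-04T10:20:00Z", "entities": ["srv-db-02"],
     "signals": ["Large outbound transfer", "Rare destination"]},
    {"id": "ins-103", "type": "Beaconing", "severity": "Medium",
     "created": "2019-03-04T10:20:00Z", "entities": ["wks-42"],
     "signals": ["Periodic DNS queries"]},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z as an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def insight_to_incident(insight):
    """Map one JASK insight to a Demisto-style incident dictionary."""
    inc_type, playbook = ROUTING.get(insight["type"], DEFAULT_ROUTE)
    entities = ", ".join(insight.get("entities", []))
    return {
        "name": f"JASK {insight['type']}: {entities}",
        "type": inc_type,
        "severity": SEVERITY.get(str(insight.get("severity", "")).lower(), 0),
        "occurred": insight["created"],
        # rawJSON keeps the full insight so playbooks can map any field later.
        "rawJSON": json.dumps(insight),
        # Assumed custom fields: the insight ID (for pivoting back to JASK)
        # and the playbook chosen by the routing table.
        "CustomFields": {"jaskinsightid": insight["id"], "jaskplaybook": playbook},
    }


def fetch_incidents(insights, last_run):
    """Incremental fetch. last_run is {} on the first poll, then the dict
    returned here: the newest timestamp seen and the IDs at that timestamp."""
    last_time = parse_ts(last_run["time"]) if last_run.get("time") else None
    already = set(last_run.get("ids", []))
    incidents = []
    newest, newest_ids = last_time, set(already)
    for ins in sorted(insights, key=lambda i: parse_ts(i["created"])):
        t = parse_ts(ins["created"])
        if last_time is not None and t < last_time:
            continue                      # older than what we already pulled
        if ins["id"] in already:
            continue                      # same timestamp, already ingested
        incidents.append(insight_to_incident(ins))
        if newest is None or t > newest:
            newest, newest_ids = t, {ins["id"]}
        else:                             # t == newest: remember all ids at it
            newest_ids.add(ins["id"])
    next_run = {"time": newest.isoformat() if newest else None,
                "ids": sorted(newest_ids)}
    return incidents, next_run


if __name__ == "__main__":
    incs, state = fetch_incidents(SAMPLE_INSIGHTS, {})
    for inc in incs:
        print(inc["type"], "->", inc["CustomFields"]["jaskplaybook"])
    again, _ = fetch_incidents(SAMPLE_INSIGHTS, state)
    print("second poll created", len(again), "incidents")
```

The unknown "Beaconing" type falls through to the generic triage route rather than being dropped, which is the safer failure mode for an ingestion path: an analyst still sees the insight, just without a specialised playbook.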
USE CASE #2
Interactive, real-time investigation for complex threats
An attack investigation usually requires pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands traps analysts in a vicious cycle of screen switching and documentation chasing during an investigation and after it ends.
Security analysts can gain greater visibility and new actionable information about the attack by running JASK commands in the Demisto War Room. For example, if playbook results show signal details from JASK, analysts can get a list of records related to that signal and access entity whitelists by running the respective JASK command. They can then go directly to JASK to drill down on that specific signal. Analysts can also run commands from other security tools in real time using the War Room, ensuring a single-console view for end-to-end investigation.
The Demisto War Room and JASK's easy access to data allow analysts to quickly pivot and run the specific commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window. This also removes the need to collate information from multiple sources for documentation.
JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on highest-priority threats, streamlining investigations and delivering faster response times.
Demisto is the only Security Orchestration, Automation and Response (SOAR) Platform that combines orchestration, incident management and interactive investigation into a seamless experience. Demisto's orchestration engine automates security product tasks and weaves in human analyst tasks and workflows. Demisto Enterprise, powered by its machine learning technology, acquires knowledge from real-life analyst interactions and past investigations to help SOC teams with analyst assignment suggestions, playbook enhancements, and best next steps for investigations. The platform (and you) gets smarter with every analyst action. For more information, visit www.demisto.com or email [email protected].