Cyber Security Featured Article

Out of Stealth Mode, Demisto Unveils Intelligent Bot-Powered Security ChatOps Platform

June 01, 2016

As members of the Cyber Security Trend Community are in many instances painfully aware, a host of activities performed in security operations centers (SOCs) remain manual and complex. And, at a time when the number of potential security threats is exploding, including false positives, tying up scarce and valuable human resources with time-consuming and possibly non-productive tasks is something to be avoided. I hesitate to say "at all costs," but cost avoidance through better visibility and performance is, now more than ever, an SOC priority.

It is for this reason that the announcement from Cupertino startup Demisto, Inc., is noteworthy. The company has emerged from stealth mode and introduced Demisto Enterprise, what it is characterizing as the industry's first Bot-powered security ChatOps platform. The objective is to do nothing less than automate and streamline security and incident management processes. As Demisto says, the high-level benefits are to enable security analysts to, "finally scale their time and effort during critical incident investigation stages while sharing knowledge and working collaboratively for faster resolution."

A combination of new technology applications for automating critical tasks

What makes the Demisto Enterprise solution of interest is that it combines two new technology applications not seen previously in security industry solutions:

  • An intelligent security bot (Dbot) for automating playbooks and response tasks, and for detecting duplicate incidents.
  • The industry’s first security ChatOps-based platform for ticketing, collaboration and reporting.

The deliverables of the combination are sure to attract SOC administrator interest, as they include automated investigation and response workflows and automatic documentation of evidence, while providing alerts, easy collaboration and transparency for IT teams and management, so that they can identify the real threats and reduce response times when bad things happen.

What makes the analyst job easier

As noted, the impact on SOC analysts in terms of making their lives easier is the attraction here. Armed with a collaborative interface, analysts can, as the name implies, chat and more, including such tasks as taking notes, running queries against security products and triggering response actions from an incident's "war-room" to increase productivity, sharing and learning.

In addition, Demisto Enterprise's playbook-driven incident management processes help security operations teams respond faster to incidents and be better prepared. The solution is also being promoted on the basis that it provides complete journaling and evidentiary support for forensics information, chats and notes.

What is also of note is that the solution is not about replacing people but about freeing them up for more critical aspects of their responsibilities by providing a unique dashboard, along with taking advantage of the security capabilities already in place.

[Figure: Demisto Enterprise third-party integrations. Source: Demisto]

As shown, DBot integrates and can communicate with dozens of products, enabling it to cover the entire security incident lifecycle from creation to close. Pardon the size of the graphic above, but as can be seen, Demisto Enterprise third-party integrations include products across a wide array of categories, including security products, communication products and IT systems.

This is an approach endorsed by Steve Struthers, VP & CTO, Dyntek, who said: “We are excited to adopt ChatOps as the way to run our Virtual Security Operations center. Demisto Enterprise helps us reduce manual investigation tasks and documentation. It is very hard to find and hire security analysts, so we decided to create a virtual SOC and hire the best talent around the world. Demisto’s approach combines the power of collaboration with automation to deliver unparalleled efficiencies.”

According to Gartner, “Rather than to seek full automation of all SOC activities, enterprises should seek ‘automatability’ – the capability of being automated as higher levels of confidence are achieved. Even then, analytics-driven, human-augmented security decision support systems will be used to provide the SOC analyst with the context of the recommended action, along with the details behind the verdict and recommended action. An analyst can then initiate the automated response or action. In this way, a human is still involved in the process, but the process itself is highly automated to make effective use of scarce SOC resources.”
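The Gartner passage above, together with the earlier mention of Dbot detecting duplicate incidents, describes a pattern rather than code: analytics produce a verdict and a confidence, low-confidence actions are presented to an analyst for approval, high-confidence ones run automatically, and everything is journaled. The following is an added illustration of that pattern written for this article; it is not Demisto's code and says nothing about how Demisto Enterprise is implemented. The incident records, the `AUTO_THRESHOLD` value and the action names are constructed for the example.

```python
"""Added illustration of confidence-gated ('automatable') response with
duplicate-incident detection. Not Demisto code; all data is constructed."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed threshold: actions at or above it run without an analyst click.
AUTO_THRESHOLD = 0.9


@dataclass
class Incident:
    id: str
    source: str
    indicators: Tuple[Tuple[str, str], ...]  # (type, value) pairs
    verdict: str                               # analytics verdict
    confidence: float                          # 0.0 .. 1.0


def incident_fingerprint(inc: Incident) -> str:
    """Stable fingerprint: indicator order and case must not defeat dedup."""
    norm = sorted((k.lower(), v.strip().lower()) for k, v in inc.indicators)
    return hashlib.sha256(repr(norm).encode()).hexdigest()[:16]


def dedupe(incidents: List[Incident]):
    """Return (unique incidents, [(duplicate id, original id), ...])."""
    seen, unique, dupes = {}, [], []
    for inc in incidents:
        fp = incident_fingerprint(inc)
        if fp in seen:
            dupes.append((inc.id, seen[fp]))
        else:
            seen[fp] = inc.id
            unique.append(inc)
    return unique, dupes


def recommend(inc: Incident) -> dict:
    """Map a verdict to a playbook action and decide whether it may auto-run.
    The decision record carries the context an analyst would see."""
    action = {"malicious": "block_indicator",
              "suspicious": "quarantine_host"}.get(inc.verdict, "close_as_benign")
    mode = "auto" if inc.confidence >= AUTO_THRESHOLD else "needs_approval"
    return {"incident": inc.id, "action": action, "mode": mode,
            "verdict": inc.verdict, "confidence": inc.confidence}


def execute(decision: dict, approved_by: Optional[str] = None,
            journal: Optional[List[str]] = None) -> bool:
    """Run the action only if it is auto-approved or an analyst approved it.
    Every outcome is appended to the journal (evidentiary record)."""
    if journal is None:
        journal = []
    if decision["mode"] == "needs_approval" and approved_by is None:
        journal.append(f"{decision['incident']}: {decision['action']} "
                       f"awaiting analyst approval (confidence "
                       f"{decision['confidence']:.2f})")
        return False
    actor = approved_by or "automation"
    journal.append(f"{decision['incident']}: {decision['action']} executed by {actor}")
    return True


# Constructed sample: INC-2 repeats INC-1's indicators in another order/case.
SAMPLE = [
    Incident("INC-1", "EDR", (("ip", "203.0.113.7"), ("sha256", "AB12CD")),
             "malicious", 0.97),
    Incident("INC-2", "SIEM", (("SHA256", "ab12cd"), ("IP", "203.0.113.7 ")),
             "malicious", 0.95),
    Incident("INC-3", "proxy", (("domain", "example.net"),), "suspicious", 0.62),
]


def run_triage(incidents: List[Incident]) -> List[str]:
    """Dedupe, recommend and execute; returns the journal."""
    journal: List[str] = []
    unique, dupes = dedupe(incidents)
    for dup, orig in dupes:
        journal.append(f"{dup}: closed as duplicate of {orig}")
    for inc in unique:
        execute(recommend(inc), journal=journal)
    return journal


if __name__ == "__main__":
    for line in run_triage(SAMPLE):
        print(line)
```

The design point is the one Gartner makes: the automation decides nothing on its own below the confidence bar, but it does the legwork (dedup, action selection, journaling) so that the analyst's click is the only manual step left.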

The point about optimizing the use of scarce SOC resources should not be underestimated. It is no secret that there is a shortage of skilled and certified SOC resources globally. Providing the right tools to make these people more productive and more effective is, to say the least, non-trivial. And allowing them to use machine knowledge combined with their own to become increasingly smarter and more responsive is truly "mission critical."

"As an industry we have overlooked the importance of security operations and incident response for too long," said Rishi Bhargava, Demisto co-founder and VP Marketing. "Our new platform is designed to close the wide gap that slows down the process of responding to incidents and attacks, as well as vastly improve other daily security operations tasks that are performed manually and inefficiently. Combining automation, ChatOps, in-process playbooks, case management and social learning, Demisto Enterprise is the only product that truly revolutionizes the way security operations are done, while deriving significant additional value from the security products that are already deployed in customers' environments."

In speaking with Bhargava, he also made an interesting analogy: what the solution is designed to do for SOCs is similar to what SalesForce.com has done for sales and marketing. In other words, take the tedium and errors out of business processes, freeing up valuable human resources to concentrate on what they do best.

Demisto Enterprise Security Operations Platform already has a community of 370 members and has just received Series A funding from Accel Partners. After extensive beta testing, it is now available directly from Demisto, with pricing calculated based on active platform users.

The number of incidents may be increasing exponentially, but that does not mean they should serve as an obstacle for SOCs to perform optimally.

Edited by Maurice Nagle