Demisto Applies ChatOps to Security Incident Management
Who wouldn’t want a smart bot that responds “Yes, master” before carrying out your security-related tasks?
Gartner has predicted that by 2020, 60 percent of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk. Demisto aims to take on the talent shortage within security by increasing security analyst productivity through automation.
While working at McAfee, its founders, Rishi Bhargava, Slavik Markovich, Guy Rinat and Dan Sarel, found that one of the biggest problems among security teams was products that don’t communicate with each other and teams that don’t either.
“Security analysts are so freaking busy that they don’t have time to talk to each other,” Bhargava told eSecurity Planet.
The typical workflow for incident response is “quite broken,” Bhargava elaborated to The New Stack in an interview. It often involves manual investigation, with tools like Outlook and IM for collaboration, Excel for documentation, and SharePoint and wikis for management.
As an alternative, Demisto offers an incident-response trifecta as a solution: a consistent incident management process, automation and collaboration.
In its case management module, users can open a case and assign it to somebody, track a service level agreement (SLA), attach documentation and collaborate.
Its automation allows people to write playbooks with complex conditions across them. The system integrates with 80-plus security tools through REST APIs. “It says, ‘Go to tool A and collect security data; then go to tool B, send an email to a user.’ You can draw these playbooks in a drag-and-drop flow chart-like manner,” Bhargava said.
“Third, you can collaborate with peers and work with the bot. You can talk to the bot and say, ‘Block this IP. Kill this process. Delete this file.’ That is what we call the real-time interactive investigation.”
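The “tool A, then tool B” playbook Bhargava describes, written out as a small conditional runner with an audit trail. This is an added example, not Demisto code: the two tool functions and the reputation table are constructed stand-ins for the REST-API integrations a real playbook would call.

```python
"""Minimal playbook runner modelled on the flow described above.

Added example, not Demisto code. Tool integrations are constructed stand-ins
for the REST-API calls a real playbook would make; the indicator reputation
table is made up for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Context = Dict[str, object]

# Constructed stand-in for "tool A": a threat-intel lookup keyed by indicator.
FAKE_REPUTATION = {"203.0.113.7": 95, "198.51.100.20": 10}  # constructed values


def tool_a_collect(ctx: Context) -> None:
    """Enrich the incident with a reputation score (0-100) for its indicator."""
    ctx["score"] = FAKE_REPUTATION.get(str(ctx["indicator"]), 0)


def tool_b_notify(ctx: Context) -> None:
    """Stand-in for sending an email to the affected user."""
    ctx["notified"] = [f"mail to {ctx['user']}: indicator {ctx['indicator']} flagged"]


@dataclass
class Step:
    name: str
    action: Callable[[Context], None]
    when: Optional[Callable[[Context], bool]] = None  # None means always run


def run_playbook(steps: List[Step], ctx: Context) -> Context:
    """Execute steps in order, recording an audit trail in ctx['log']."""
    log: List[str] = ctx.setdefault("log", [])  # auto-documentation of the run
    for step in steps:
        if step.when is not None and not step.when(ctx):
            log.append(f"skipped {step.name}")
            continue
        step.action(ctx)
        log.append(f"ran {step.name}")
    return ctx


PLAYBOOK = [
    Step("collect reputation (tool A)", tool_a_collect),
    Step("notify user (tool B)", tool_b_notify, when=lambda c: c["score"] >= 80),
]

if __name__ == "__main__":
    print(run_playbook(PLAYBOOK, {"indicator": "203.0.113.7", "user": "alice"}))
```

The log produced by each run is the kind of auto-documentation the article mentions later, and a benign indicator leaves the notification step recorded as skipped rather than silently omitted.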
Playbooks for Pay
The company has a Slack community of more than 1,000 security analysts that write playbooks and share automation, he said.
“The idea is to help security analysts by creating more automation out of the community,” he said. And the company pays participants $300 for writing a playbook and $200 more if they code that playbook into the Demisto product.
It also has a free and open source chatbot project for Slack that people can download and ask questions like, “Is this a malicious URL? Is this a malicious IP address?” as a means to introduce people to ChatOps.
Demisto integrates bidirectionally with security tools such as FireEye, Palo Alto Networks, Intel Security and Splunk: it can fetch data from them over their REST APIs and take action through them, enabling triage investigations, evidence collection and auto-documentation, response and reporting across all of them, he said.
It also helps security analysts look at risk metrics — Are incidents growing? What kind of incidents are growing? Are there incidents running late? What kind are running late? — to reduce mean time to respond and the overall cost of running the security operation by increasing analyst productivity.
Founded in 2015, Demisto raised $6 million in a Series A last May. And in early January, it was one of 11 bot makers to gain backing from the Slack Fund.
Though most security customers don’t want to be named, Bhargava said, geospatial mapping technology vendor Esri is being honored with a 2017 CSO50 Award for streamlining its security operations center. The award honors companies that not only improve security but also increase business value. Esri credits Demisto playbooks with helping to reduce the number of false positives its security analysts were responding to. It reports reducing the number of alerts requiring active analyst review from 10,000 a week to roughly 500.