[Webinar] Summertime, Livin’ is Easy! Top 10 SOAR Use Cases, Part 2

Posted on 06-Feb-2020

TRANSCRIPT

Page 1: Top 10 SOAR Use Cases, Part 2 [Webinar] Summertime, Livin ... Livin Is Easy_Slides.pdf

[Webinar] Summertime, Livin’ is Easy! Top 10 SOAR Use Cases, Part 2

Page 2:

Housekeeping

• Ask questions using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute

• Everyone will receive the recording and slides by Friday, May 24

• Speakers

○ Jane Goh, Product Marketing

○ Pramukh Ganeshamurthy, Technical Marketing

Page 3:

Phish are jumpin’ and the alerts are on high

*Paraphrased, with apologies to Gershwin

Page 4:

SOC Livin’ isn’t easy…

• “Our response times are too long. Every lost second leads to financial and reputational damage.”
• “Our security experts are overwhelmed with the growing number of alerts.”
• “I spend too much time switching between products to effectively respond to incidents.”

Personas: CISO, SOC Manager, IR Analyst

• Lack of skilled analysts: 2 million analyst shortage
• Growing alerts: >12K alerts per week
• No consistent process: IR process has no metrics / runs over email
• Long MTTR & risk: weeks to resolve each detected incident

Page 5:

What is Demisto?

Demisto is a SOAR platform that helps you orchestrate workflows, automate repeatable tasks and manage incident response across your security product stack.

Orchestration
• Playbooks standardize IR workflows
• Ingest alerts from multiple products
• Manage security product stack from central location

Automation
• Automated scripts & tasks
• Extensible product integrations
• Machine learning insights based on analyst actions

Response
• Case management with War Room, easy querying & auto-documentation
• Customizable dashboards & reports
• Interactive investigation & collaboration

Page 6:

How Demisto Works

Detection sources → Ingest → Demisto → Enrich → Respond

Detection sources: EDR, Threat Intelligence, Cloud, Ticketing, Vuln Mgmt, Firewall, DevOps, SIEM, Email, UEBA

Page 7:

Some of our integrations…

Analytics and SIEM, Threat Intelligence, Malware Analysis, Endpoint, Ticketing, Network Security, Authentication, Email Gateway, Messaging, Cloud …and 100s more!

Page 8:

Use Case: Impossible Traveler

Challenges

• Fraudulent behavior not easy to spot
• Multiple systems to confirm malice
• Repetitive tasks

Page 9:

Impossible Time Travel Playbook

Trigger: two IP addresses tied to the same user are far apart.

• Ingest: ingest behavioral anomaly from relevant tool.
• Enrich User Information: retrieve user and manager accounts.
• Enrich IP Information: check reputation of both previous and current IP addresses.
• Confirm Malice: calculate distance between IPs; generate location map; generate event duration.
• Yes → Containment: change incident severity; disable user account; block malicious IP address; notify management team.
• No → Close Playbook.

Integrations shown: Active Directory, Threat Intelligence, Firewall.
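The "Confirm Malice" step (distance between the two IPs plus event duration) reduces to a speed check. The following is an added example, not Demisto's playbook code; it assumes the IP-enrichment step has already resolved each source IP to a latitude/longitude, and the speed threshold and same-area tolerance are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed threshold: about airliner speed
SAME_PLACE_TOLERANCE_KM = 100.0   # assumed: geo-IP jitter inside one metro area

@dataclass
class LoginEvent:
    user: str
    src_ip: str    # constructed sample IPs below, not real indicators
    when: datetime
    lat: float     # geolocation of src_ip, as the IP-enrichment step would supply
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in km
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def assess_traveler(a, b, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Distance, event duration and required speed for two logins of one user."""
    if a.user != b.user:
        raise ValueError("both logins must belong to the same user")
    first, second = sorted((a, b), key=lambda e: e.when)  # order by timestamp
    distance_km = haversine_km(first.lat, first.lon, second.lat, second.lon)
    duration_h = (second.when - first.when).total_seconds() / 3600
    if distance_km <= SAME_PLACE_TOLERANCE_KM:
        speed, impossible = 0.0, False           # same area: never impossible
    elif duration_h == 0:
        speed, impossible = float("inf"), True   # simultaneous and far apart
    else:
        speed = distance_km / duration_h
        impossible = speed > max_speed_kmh
    return {"user": a.user, "distance_km": round(distance_km, 1),
            "duration_h": round(duration_h, 2), "required_speed_kmh": speed,
            "impossible": impossible}

def sample_event(ip, hour, lat, lon, user="jdoe"):  # builds a constructed sample event
    return LoginEvent(user, ip, datetime(2019, 7, 1, hour, tzinfo=timezone.utc), lat, lon)
# Constructed samples: New York -> London in 2 h (impossible), New York -> Newark
# in 1 h (same metro area), Los Angeles -> New York in 6 h (far apart but plausible).
NY_TO_LONDON = (sample_event("203.0.113.10", 9, 40.7128, -74.0060), sample_event("198.51.100.7", 11, 51.5074, -0.1278))
NY_TO_NEWARK = (sample_event("203.0.113.10", 9, 40.7128, -74.0060), sample_event("203.0.113.11", 10, 40.7357, -74.1724))
LA_TO_NY = (sample_event("192.0.2.44", 3, 34.0522, -118.2437), sample_event("203.0.113.10", 9, 40.7128, -74.0060))
if __name__ == "__main__":
    for pair in (NY_TO_LONDON, NY_TO_NEWARK, LA_TO_NY):
        print(assess_traveler(*pair))
```

The same-area tolerance keeps two geo-IP lookups inside one city from ever tripping the check, while the zero-duration branch still flags simultaneous logins from distant locations.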

Page 10:

Demo

Page 11:

Use Case: Cryptojacking

Challenges

• Siloed teams, lack of security oversight
• Manual monitoring impractical
• Breaches = huge business impact

Page 12:

Cryptojacking Playbook

Trigger: a Bitcoin mining alert triggers the playbook in Demisto.

• Compile Alert Details: get AWS Security Hub alert details; open ticket.
• Enrich Context: check EC2 security group; get indicator details.
• Need to isolate EC2 instance? (Yes / No)
• Quarantine Instance (if yes): take EC2 volume snapshot; create tag; quarantine EC2 instance; send email to relevant teams.
• Sanitize and Close: update ticket; send email to relevant teams.

Integrations shown: AWS Security Hub, AutoFocus, EC2, Email, Ticketing.

Page 13:

Demo

Page 14:

Use Case: Cloud Security

Challenges

• Complex incident response workflows
• Multiple consoles across cloud env
• Ability to respond at scale & speed

Page 15:

Cloud Security Incident Response Playbook

Trigger: critical alerts trigger the playbook in Demisto.

• Get Cloud Security Alerts: get policy ID; open ticket.
• Perform Checks: conditional checks on policy ID; get indicator details.
• Process Auto Remediation: trigger corresponding playbooks for auto response.

Integrations shown: PRISMA Cloud Threat Defense, RedLock, Ticketing, Email, EC2.

Page 16:

Demo

Page 17:

Use Case: Incident Response Lifecycle Processes

Challenges

• Disjointed, siloed security tools
• Lack of standardized processes
• MTTR (Mean time to respond)

Page 18:

IR Lifecycle Processes Playbook

Trigger: critical alerts trigger the playbook in Demisto.

• Trigger Playbook and Engage: assign incident to analyst using DBot suggestion; get critical threat alerts, social app traffic and files.
• Extract, Check Indicators: retrieve sample analysis; check file reputation.
• Check for Malice → Malice Found: branch by indicator type (IP, Hash) or Manual.
• Respond to malicious IP: notify change manager for approval; block IP at Palo Alto Networks firewall; auto-generate incident investigation report in Demisto.
• Respond to malicious file hash: search and block malicious hashes; notify analyst for review; update tickets in Demisto.

Integrations shown: AutoFocus, WildFire, Cortex Data Lake, Cortex, Panorama, Email.

Page 19:

Demo

Page 20:

Use Case: Vulnerability Management

WestJet
• Vulnerability platform that scans 100s of assets, 1000s of desktops
• Assets have different criticalities to the business and different compliance requirements
• Determining which team owns which vulnerable asset is a manual process
• Reporting is manual

Page 21:

Video

Page 22:

SOAR Benefits

*Real stats from Demisto customers

• Reduced alert volume: reduced weekly alerts from 10,000 to 500
• Faster response times: reduced MTTR from 3 days to 25 minutes
• Efficient security operations: fully automated 30% of incidents to save 1 FTE

Customer sectors: Enterprise Software*, Financial Services*, Energy/Utilities*

Page 23:

Black Hat 2019!

If you’re attending Black Hat…
● Catch us at Booth #1138 where you’re guaranteed to have a ball!
● Party in Vegas! Register & join us on August 6! https://go.demisto.com/bh-1923-party
● Learn more about what we’re up to: https://go.demisto.com/black-hat-2019

Page 24:

Additional Resources
● In case you missed the original | Use Case Webinar Part 1: https://www.youtube.com/watch?v=cs0qTwaEZBM
● This is what SOAR’s all about | Dummies Book: https://go.demisto.com/your-guide-to-security-orchestration
● Gartner’s take on SOAR | Gartner SOAR Market Guide: https://go.demisto.com/the-hitchhikers-guide-to-soar-2019
● Why not play with it for a bit? | Free Edition: https://go.demisto.com/sign-up-for-demisto-free-edition

Page 25:

Questions?