Security Operations Centers (SOCs) are known as the “nerve center” of enterprise cybersecurity programs; others view them as “war rooms” or “situation rooms.” Regardless of the moniker, one thing is clear: their function is viewed as a critical competency. SOCs are meant to help businesses improve their security posture by monitoring, detecting, analyzing and responding to potential cyber threats, but for a number of reasons, today’s SOCs are largely ineffective and even painful to work in. What contributes to this ineffectiveness? A lack of full visibility into data and infrastructure, a lack of interoperability with threat intel tools, and a lack of automation of workflow.
Security operations teams often deploy a multitude of security tools to keep pace with a constantly changing threat and data landscape. But with so many disconnected tools, security teams can waste time chasing data from disparate sources and wind up performing repetitive tasks. Survey data bears this out: just 37 percent of SOCs have high interoperability with threat intel tools, and 65 percent of analysts have reported burnout to the point of considering a career change, which will impact organizations’ security postures and widen the skills gap.
SOCs need to equip their analysts with rich, correlated data that matters to the investigation, automated enrichment and repeatable workflows, so that analysts have the time and energy they need for incident resolution.
To combat the challenges SOCs face and to empower the analysts who work in them, Devo and Demisto have created an integration that allows users to leverage Demisto’s security orchestration and automation capabilities with Devo’s real-time, context-rich data insights for efficient incident response processes. With this integration, analysts can:
Consider the following use cases, designed with analysts in mind:
Challenge: If SOCs use different solutions for security analytics and incident response, it can be difficult to track the lifecycle of an incident due to fragmented information and lack of central documentation. Instead, analysts are stuck completing low-level tasks and manually building the workflow rather than quickly resolving an incident.
Solution: SOCs can use Devo for high-volume, high-velocity data correlation, enrichment and visualization, and Demisto Enterprise for security task orchestration and automation to trigger playbooks at incident creation. These playbooks will orchestrate response actions across the entire stack of products for a single seamless workflow. For example, analysts can create tickets, quarantine endpoints, retrieve PCAPs and send emails as automated playbook tasks.
Benefit: Devo’s context-rich, real-time security data analytics coupled with Demisto playbooks speed incident triage and resolution. The seamless workflow enables analysts to gain a comprehensive view of the incident’s lifecycle, access all documentation in a single platform and speed investigative and response actions through automated insight.
Challenge: While automated playbooks can reduce analyst workloads, a forensic investigation usually requires additional tasks, such as pivoting across multiple data views to gather critical evidence, drawing relationships between different incidents and defining remediation steps. According to recent research by the Ponemon Institute, visibility is a key indicator for SOC success; analysts need full access to all of their security data, with context, to enable them to make accurate and rapid decisions.
Solution: After running playbooks, analysts can gain greater visibility and new, actionable insights into the attack by running Devo commands in the Demisto War Room to draw on all security data, context and threat intelligence. The War Room documents all analyst actions and, over time, suggests the most effective analysts and command sets.
Benefit: The War Room allows analysts to quickly pivot on all security data in Devo and run unique commands relevant to incidents in their network, from a single window. All participating analysts have full task-level visibility into the process and can run and document commands from the same window. Auto-documentation of all automation and analyst actions allows reports to be generated quickly for executive review or post-investigation debriefs.
Knowing that a majority of analysts are under tremendous pressure and feel their SOCs are ineffective, which is culminating in burnout, the need to reduce workloads while improving efficiency is greater than ever. To learn more about how our integration with Demisto addresses these points, download the solution brief.
By Natalia Godyla