It’s Time for a Better Workflow: Devo and Demisto Edition

Security Operations Centers (SOCs) are known as the “nerve center” of enterprise cybersecurity programs; others view them as “war rooms” or “situation rooms.” Regardless of the moniker, one thing is clear: their function is viewed as a critical competency. SOCs are meant to help businesses improve their security posture by monitoring, detecting, analyzing and responding to potential cyber threats, but for a number of reasons, today’s SOCs are largely ineffective and even painful to work in. What contributes to this ineffectiveness? A lack of full visibility into data and infrastructure, a lack of interoperability with threat intel tools, and a lack of automation of workflow. 

Security operations teams often deploy a multitude of security tools to keep pace with a constantly changing threat and data landscape. But with so many disconnected tools, security teams can waste time chasing data from disparate sources and wind up performing repetitive tasks. The numbers bear this out: just 37 percent of SOCs have high interoperability with threat intel tools, and 65 percent of analysts have reported burnout to the point of considering a career change, which will impact organizations’ security postures and widen the skills gap. 

SOCs need to equip their analysts with rich, correlated data that matters to the investigation, automated enrichment and repeatable workflows so their analysts have the time and energy they need for incident resolution. 

Devo Integration with Demisto

To combat the challenges SOCs face and to empower the analysts who work in them, Devo and Demisto have created an integration that allows users to leverage Demisto’s security orchestration and automation capabilities with Devo’s real-time, context-rich data insights for efficient incident response processes. With this integration, analysts can: 

  • Detect, enrich and analyze threats with Devo and react with playbook-driven response
  • Shorten investigation time and increase decision-making efficacy by automating key tasks in the analyst review cycle
  • Reduce unnecessary churn with a single platform for triage, investigation, collaboration and incident documentation

Consider the following use cases, designed with analysts in mind:

Automated incident enrichment & response

Challenge: If SOCs use different solutions for security analytics and incident response, it can be difficult to track the lifecycle of an incident due to fragmented information and lack of central documentation. Instead, analysts are stuck completing low-level tasks and manually building the workflow rather than quickly resolving an incident. 

Solution: SOCs can use Devo for high-volume, high-velocity data correlation, enrichment and visualization, and Demisto Enterprise for security task orchestration and automation to trigger playbooks at incident creation. These playbooks will orchestrate response actions across the entire stack of products for a single seamless workflow. For example, analysts can create tickets, quarantine endpoints, retrieve PCAPs and send emails as automated playbook tasks. 

Benefit: Devo’s context-rich, real-time security data analytics coupled with Demisto playbooks speed incident triage and resolution. The seamless workflow enables analysts to gain a comprehensive view of the incident’s lifecycle, access all documentation in a single platform and speed investigative and response actions through automated insight.
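The enrich-then-respond loop described in this use case, as an added, runnable sketch that is not Devo or Demisto code: a hypothetical playbook runner takes a newly created incident, enriches it from constructed asset and threat-intelligence data standing in for analytics-platform queries, assigns a severity, executes mock action handlers (ticket, quarantine, PCAP retrieval, email) and records every step in an audit trail, so the incident’s lifecycle is documented in one place. All host names, IP addresses, handler names and the severity rules are assumptions made up for the example.

```python
"""Hypothetical playbook runner: enrich -> triage -> act -> document.
Added example; not code from Devo or Demisto. All data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-ins for what an analytics platform would return.
ASSET_INVENTORY = {
    "ws-finance-12": {"tier": "critical", "ip": "10.0.5.23"},
    "ws-lab-03": {"tier": "standard", "ip": "10.0.7.8"},
}
# Constructed threat-intel indicator (documentation address range).
THREAT_INTEL = {"198.51.100.17": "known-c2"}


@dataclass
class Incident:
    incident_id: str
    src_host: str
    dst_ip: str
    severity: str = "unknown"
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # names of actions taken, in order
    audit: list = field(default_factory=list)     # auto-documentation of every step


def record(inc: Incident, step: str, detail) -> None:
    """Append a timestamped entry to the incident's audit trail."""
    inc.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "step": step, "detail": detail})


def enrich(inc: Incident) -> None:
    """Attach asset context and an intel verdict (mock lookups)."""
    asset = ASSET_INVENTORY.get(inc.src_host, {"tier": "unknown", "ip": None})
    verdict = THREAT_INTEL.get(inc.dst_ip, "no-match")
    inc.enrichment = {"asset_tier": asset["tier"], "intel_verdict": verdict}
    record(inc, "enrich", dict(inc.enrichment))


def triage(inc: Incident) -> None:
    """Assumed severity rule: intel hit on a critical asset is high."""
    if inc.enrichment["intel_verdict"] == "known-c2":
        inc.severity = "high" if inc.enrichment["asset_tier"] == "critical" else "medium"
    else:
        inc.severity = "low"
    record(inc, "triage", {"severity": inc.severity})


# Mock action handlers. Each returns a receipt; real ones would call the
# ticketing, EDR, packet-capture and mail systems.
def create_ticket(inc):        return f"TICKET-{inc.incident_id}"
def quarantine_endpoint(inc):  return f"quarantined {inc.src_host}"
def retrieve_pcap(inc):        return f"pcap {inc.src_host}->{inc.dst_ip}"
def send_email(inc):           return f"notified on-call about {inc.incident_id}"

ACTIONS = {
    "create_ticket": create_ticket,
    "quarantine_endpoint": quarantine_endpoint,
    "retrieve_pcap": retrieve_pcap,
    "send_email": send_email,
}


def plan(inc: Incident) -> list:
    """Choose response steps from severity; a ticket is always opened."""
    steps = ["create_ticket"]
    if inc.severity == "high":
        steps += ["quarantine_endpoint", "retrieve_pcap", "send_email"]
    elif inc.severity == "medium":
        steps += ["retrieve_pcap", "send_email"]
    return steps


def run_playbook(inc: Incident) -> Incident:
    """Run the full loop at incident creation and return the documented incident."""
    record(inc, "start", {"src_host": inc.src_host, "dst_ip": inc.dst_ip})
    enrich(inc)
    triage(inc)
    for name in plan(inc):
        receipt = ACTIONS[name](inc)
        inc.actions.append(name)
        record(inc, name, receipt)
    record(inc, "close", {"actions": list(inc.actions)})
    return inc


if __name__ == "__main__":
    done = run_playbook(Incident("INC-1", "ws-finance-12", "198.51.100.17"))
    for entry in done.audit:
        print(entry["step"], "->", entry["detail"])
```

The audit list is what a War Room style view would render: every enrichment result, the triage decision and each action receipt is there without the analyst writing anything by hand, which is also what a post-incident report or executive summary would be generated from.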

Interactive, real-time forensics of complex threats

Challenge: While automated playbooks can reduce analyst workloads, a forensic investigation usually requires additional tasks, such as pivoting across multiple data views to gather critical evidence, drawing relationships between different incidents and defining remediation steps. According to recent research by the Ponemon Institute, visibility is a key indicator for SOC success; analysts need full access to all of their security data, with context, to enable them to make accurate and rapid decisions.

Solution: After running playbooks, analysts can gain greater visibility and new, actionable insights into the attack by running Devo commands in the Demisto War Room, drawing on all security data, context and threat intelligence. The War Room documents every analyst action and, over time, suggests the most effective analysts and command sets for a given type of incident.

Benefit: The War Room allows analysts to quickly pivot on all security data in Devo and run the commands relevant to incidents in their network, from a single window. All participating analysts have full task-level visibility into the process and can run and document commands from the same window. Auto-documentation of all automation and analyst actions allows reports to be generated quickly for executive review or post-investigation debriefs. 

Empowering SOC Analysts

A majority of analysts are under tremendous pressure and feel their SOCs are ineffective, and that pressure is culminating in burnout, so the need to reduce workloads while improving efficiency is greater than ever. To learn more about how our integration with Demisto addresses these points, download the solution brief.