I am currently serving as the acting cybersecurity director and innovations officer for a large government contract. In these roles I have really come to appreciate the value of automation when properly applied and integrated well. At the same time, I really value the contributions that my senior technical folks make, but I constantly admonish them about the need for mentoring the less experienced or newer personnel so that the work can be spread out more evenly. So when I ran across Demisto in my reviews of new technology, I was interested in learning more about their ability to combine security automation and “mentoring” together through the application of AI within an integrated framework. I ran into Rishi Bhargava, VP of Marketing at Demisto, at a recent conference and we quickly struck up a conversation on these topics. He agreed to my offer of an interview to get the word out to my audience of subscribers. So read the interview below to find out how Demisto applies AI and other features to improve the usability of automated playbooks and to increase the utility of orchestration in the operations of SOCs and CIRTs within your organization.
Spotlight on Rishi Bhargava
Read his bio below.
January 31, 2018
Chris Daly, ActiveCyber: The security automation and orchestration market is crowded. What makes your technology stand out among this crowd and what key customer needs are you trying to address?
VP Rishi Bhargava, Demisto: Demisto’s main differentiator in this industry is our offering of a complete platform with security orchestration and automation, case management, and interactive investigation. Our vision for an optimally running SOC involves all three features delivered with seamless integration with the rest of your security tool arsenal for proper incident lifecycle alignment, reduced screen switching, and less time-consuming product learning.
Within security orchestration, Demisto’s ease of integration and data ingestion across sources makes it stand out against the competition. Product integrations can be added through a two-click process and an intuitive data classification and mapping wizard greatly streamlines the front-heavy work of aligning source data labels with Demisto labels.
Demisto’s interactive investigation toolset helps prime SOCs for the future as analysts learn from each other, get smarter with each incident, and reduce resolution times exponentially. Powered by a machine learning War Room, analysts can conduct joint investigations, run live security commands from 150+ product integrations, and document findings – all in one window.
Lastly, Demisto’s machine learning capabilities across the board help both the platform and the SOC grow in intelligence with each incident. Insights on incident ownership, analyst-task matching, commonly run security commands and arguments, and related incidents help analysts polish their skill-sets, share knowledge among themselves, and retain that knowledge within the platform.
ActiveCyber: One critical feature that many tools fail to adequately meet is “usability” across a broad set of user classes – beginner, intermediate, and expert. How is Demisto designed to get the novice SOC analyst up and running while providing the flexibility in configuration options and scaling demanded by expert SOC analysts?
Bhargava: Demisto is a useful solution for each major SOC employee group: tier 1 to tier 3 analysts, SOC Managers, and CISOs.
For tier 1 analysts, playbooks are important both as standardized operation procedures to learn from and follow, and as automation support to help finish repeatable, time-consuming tasks without enveloping the analysts in alert fatigue. The War Room is an important window of learning for these analysts, as they can study the actions more seasoned analysts took and learn from ML (Machine Learning) insights about common security actions performed and experienced analysts to contact for specific incidents.
For tier 3 analysts and SOC Managers, the Incidents screen provides a comprehensive overview of the incidents in Demisto’s system along with granular metrics for comparison and study. The War Room is a useful platform for conducting interactive investigations for sophisticated attacks and pulling in fellow analysts to leverage their skillsets. The playbooks help senior analysts and managers by taking care of redundant tasks, streamlining IR flows, and enabling a standardized response procedure across the SOC.
For CISOs, dashboards and reports give multiple cross-sections of output metrics to study the results of incident-specific investigations and business-level results across incidents. These reports can be customized, scheduled to generate at regular intervals, and be generated from multiple windows. The Incident and Indicator dashboards also have interactive search and query functions that allow CISOs to drill down on subsets of data that are of relevance.
ActiveCyber: Can you describe how your playbooks are constructed and provide some examples about how they can be organized to handle complex security automation tasks?
Bhargava: Demisto’s playbooks are graphical, task-based workflows that can contain both automated and manual actions. In simplistic terms, playbooks are visual flowcharts. 40 of these playbooks are available out-of-the-box, but users can easily create their own playbooks from scratch as well. Examples:
• For phishing attacks, Demisto has a detection and response playbook that triggers whenever a suspected phishing email is forwarded to the company mailbox. The playbook extracts indicators like URLs, IPs, and hashes from the mail, and checks their reputation using threat feeds Demisto integrates with. If malice is found, the user is informed again, tickets are opened, severity is increased, and all instances of the phishing mail are deleted. Attachments are investigated further before closing the playbook.
• For IOC (Indicator of Compromise) enrichment, Demisto has a playbook that orchestrates across a range of products to automate actions that would otherwise have taken analysts over an hour to perform. The playbook parses indicators from the incident, checks threat feeds for their reputation, detonates hashes in a sandbox, queries DNS information for URLs, and updates the endpoint database in case malicious indicators are found. If any malicious indicators are found, the playbook raises incident severity, sends the analyst a mail, and stops at a manual task for the analyst to review playbook results.
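As an added illustration of the playbook flow described in these two examples (parse indicators from the reported mail, check their reputation, raise severity and open a ticket when malice is found, then stop at a manual task for analyst review before response actions run), here is a small Python sketch. This is not Demisto code and does not use Demisto’s integrations or APIs; the sample email, the threat-feed table, the ticket string and the action names are all constructed placeholders. The same human approval gate is the practice Bhargava recommends later in the interview for avoiding automated responses that create a bigger problem.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample of a forwarded phishing report (not taken from the interview).
SAMPLE_EMAIL = """From: payroll-update@example-payroll.net
Subject: Action required: verify your account
Please sign in at http://login.example-payroll.net/verify to avoid suspension.
Backup link: https://cdn.example.org/static/logo.png
Attachment sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Sender relay IP: 198.51.100.23"""

# Constructed reputation table standing in for the threat feeds a platform would query.
THREAT_FEED = {
    "login.example-payroll.net": "malicious",
    "198.51.100.23": "suspicious",
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": "benign",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")


@dataclass
class Indicator:
    kind: str          # "url", "ip" or "hash"
    value: str
    verdict: str = "unknown"


@dataclass
class Incident:
    severity: str = "low"
    indicators: list = field(default_factory=list)
    tickets: list = field(default_factory=list)
    pending_actions: list = field(default_factory=list)   # queued until an analyst approves
    executed_actions: list = field(default_factory=list)
    status: str = "open"


def extract_indicators(text):
    """Step 1: parse URLs, IPv4 addresses and file hashes out of the reported mail."""
    found = [Indicator("url", m) for m in URL_RE.findall(text)]
    found += [Indicator("ip", m) for m in IPV4_RE.findall(text)]
    found += [Indicator("hash", m.lower()) for m in HASH_RE.findall(text)]
    return found


def enrich(indicators, feed):
    """Step 2: reputation lookup; a URL is checked both as a whole and by its hostname."""
    for ind in indicators:
        keys = [ind.value]
        if ind.kind == "url":
            keys.append(urlparse(ind.value).hostname or "")
        ind.verdict = next((feed[k] for k in keys if k in feed), "unknown")
    return indicators


def run_phishing_playbook(email_text, feed):
    """Steps 3-4: escalate on malice, queue response actions, halt for manual review."""
    incident = Incident(indicators=enrich(extract_indicators(email_text), feed))
    verdicts = {i.verdict for i in incident.indicators}
    if "malicious" in verdicts:
        incident.severity = "high"
        incident.tickets.append("TICKET-PLACEHOLDER: confirmed phishing")   # hypothetical id
        # Hypothetical action names; nothing runs until approve_response() is called.
        incident.pending_actions += ["notify_reporting_user",
                                     "delete_matching_mails",
                                     "detonate_attachments"]
        incident.status = "awaiting_analyst_review"
    elif "suspicious" in verdicts:
        incident.severity = "medium"
        incident.status = "awaiting_analyst_review"
    else:
        incident.status = "closed_benign"
    return incident


def approve_response(incident):
    """The manual task: only an analyst's approval releases the queued response actions."""
    if incident.status != "awaiting_analyst_review":
        raise ValueError(f"nothing to approve in status {incident.status!r}")
    incident.executed_actions += incident.pending_actions
    incident.pending_actions = []
    incident.status = "closed"
    return incident


if __name__ == "__main__":
    inc = run_phishing_playbook(SAMPLE_EMAIL, THREAT_FEED)
    for i in inc.indicators:
        print(f"{i.kind:5} {i.value} -> {i.verdict}")
    print("severity:", inc.severity, "status:", inc.status, "pending:", inc.pending_actions)
```

The point of the split between `run_phishing_playbook` and `approve_response` is that containment steps with side effects (deleting mail across mailboxes, for instance) are queued, not executed, by the automated part of the flow; the incident record shows exactly what will happen once an analyst signs off, which is what makes the playbook results reviewable.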
ActiveCyber: Incident response isn’t just about single-threaded, linear processes to mitigate threats. Real-time collaboration across different silos of responsibility is also important so analysts and decision-makers are working from the most up-to-date information and without duplicating tasks. How does Demisto expand the incident response playbook in a collaborative manner and how does it enable more rapid and effective incident response processes?
Bhargava: In Demisto, interactive and collaborative investigations begin where automatable playbooks end. The War Room is a single-window platform that enables collaboration, investigation, and documentation. Analysts can conduct joint investigations, run live security actions using product integrations and chatbot AI, and document the results and findings stemming from these actions. War Room filters enable analysts to look at subsets of data for optimal usability.
The CLI that allows analysts to run live commands eschews the need to switch between screens and reduces overall time spent on investigation. The same-window documentation ensures that all analysts on the team know the actions performed and that nothing gets lost in email back-and-forth exchanges or ticketing pileups. Finally, the chat-based interface ensures that analysts are not trapped in silos or beset by tunnel vision, and are instead learning from each other to resolve incidents quicker and broaden their skillsets.
ActiveCyber: Playbook automation is generally achieved through automated integrations with external applications. Many vendors provide this, but it’s important to be able to customize the level of automation while providing wide support. How does Demisto handle integration with third party tools and sensors, and what types of integration standards does Demisto apply? How does it provide multi-environment orchestration to unite security management processes across the cloud, office networks, or virtual?
Bhargava: Demisto has over 150 product integrations that span the security spectrum, including but not limited to categories such as SIEMs, threat intelligence tools, endpoint security solutions, malware analysis tools and sandboxes, network security solutions, and ticket management tools. Demisto’s ease of integration and data ingestion across sources provides a competitive advantage in the market. New instances of product integrations can be added through a two-click process, and an intuitive data classification and mapping wizard greatly streamlines the front-heavy work of aligning source data labels with Demisto labels.
While standard integrations are simple, Demisto also provides users the option of building their own integrations. For bespoke solutions, in-house software, and other custom integrations, users can avail themselves of the BYOI (Build Your Own Integration) feature to add their own integrations to the platform.
Demisto’s overall deployment is flexible and molds to match user needs. It can be installed on-premise, as a cloud-based solution, or as a multi-tenant offering. Within multi-tenancy, users have full data isolation, execution isolation, and network isolation for maximal security and privacy. This ensures that Demisto is equally effective as a centralized solution or a platform that spans across tenants with differing requirements.
ActiveCyber: Link analysis and entity profiling are often applied by SA&O tools to help establish, visualize, and understand the connections between entities, incident records, external data sources, and other data points that the tool records. How does Demisto apply analytics to assist SOC analysts in understanding the timeline of a cyberattack, see its connections to previous incidents, and accelerate their response to the attack?
Bhargava: Demisto has multiple features that help weave a contextual thread through all the data and enable analysts to get to the root of incident resolution quicker. At a platform level, the Incident and Indicator Repositories provide a visual and tabular overview of incidents and indicators in the system respectively. Analysts can use search and query features to pivot this database according to metrics of interest.
Analysts can leverage cross-correlation capabilities to study indicators that are common across incidents in Demisto, jump to those incidents if needed, and identify whether an attack is isolated or persistent. Demisto uses hypersearch throughout the platform to give analysts important information about indicator reputation at a glance. Analysts can view indicator malice, repeating patterns, and cross-correlations at a glance in both the work plan and war room windows.
The Related Incidents feature provides a radial time-based view of incidents that are similar to the incident currently being studied. This map can be customized according to relevant metrics, incidents can be compared using specific indicators, incidents can be linked for common reporting, and can also be marked as duplicates for easing alert fatigue and faster resolution.
ActiveCyber: Understanding mission impacts prior to performing a response or mitigation action is critical to ensuring that an orchestrated response doesn’t end up in creating a bigger problem. What best practices do you recommend with regards to this issue to enterprises that want to accelerate and amplify cyber responses using security automation tools?
Bhargava: The most important thing to keep in mind is that automation is not meant to replace the human analyst’s decision making, but to augment that decision making with relevant information and also to accelerate response. We recommend having an analyst manually review the collected information and approve the response actions before they are automatically deployed. Demisto also learns over time all the actions performed by an analyst and can recommend these steps to the analyst.
ActiveCyber: What level of growth do you see over the next five years in adaptive security and Security Automation? How do you see the market evolving? What market segments are you seeing the largest uptick of adoption?
Bhargava: According to one report, by year-end 2020, 15% of organizations with a security team larger than five people will leverage security orchestration and automation products. This is up from 1% today. With time, we think more organizations will want their security orchestration and incident management solutions woven into one platform for more robust alignment of incident lifecycles with automation procedures, more accurate measurement and monitoring, and more centralized study. Such a unified solution will be useful to SOCs across their maturity cycles.
For smaller SOCs, even non-automated playbooks coupled with incident management will help standardize response procedures and train analysts to follow a best-practice response approach. As SOCs grow and alert numbers grow with them, automation can kick in and playbooks can now handle repeatable tasks to ease analyst load. For mature SOCs – across time zones and geographies – collaboration becomes critical as analysts can converse on one window with transparency, synergy, and task-level accountability.
We’re seeing rapid uptake in industries such as healthcare, financial services, and telecom services. Any industry that deals with PII and has vast security needs will find security orchestration and automation useful. We’re also seeing uptake among MSSPs that are using the solution across tenants for providing SOC-as-a-service.
ActiveCyber: Where is your current focus on investment / product development for Demisto?
Bhargava: We will continue to build up our product integration infrastructure, making Demisto easier every day to use with your existing products and lessening the learning curve for all. We also plan to further invest in our machine learning / AI technology. As we are 100% channel friendly, we will invest heavily in this area, both from a product and marketing perspective.
ActiveCyber: What are your views on the OpenC2 and STIX/TAXII standards being developed by OASIS?
Bhargava: These standards are a step in the right direction and much needed to help with the adoption of automation and orchestration by a large number of customers. But it is only the beginning. It has taken a long time for STIX/TAXII to get to the mature stage it is at. The OpenC2 standard will also take a long time to get there. In addition, OpenC2-like standards need involvement from the vendor community to make it happen. We don’t see that same level of participation yet. We fully support these open standards and believe that they can help a lot with orchestration becoming mainstream.
Thank you Rishi for sharing your insights on security orchestration as well as a quick tour through Demisto’s abundance of features and capabilities. I really like the focus on ease of use and contextual AI and I look forward to watching Demisto’s increasing impact and leadership in the security automation and orchestration marketplace.
About Rishi Bhargava
Rishi Bhargava is Co-founder and VP of Marketing for Demisto, a cyber security start-up with the mission to make security operations “faster, leaner and smarter.” Prior to founding Demisto, Rishi was VP and General Manager of the Software-Defined Datacenter Group at McAfee / Intel. A visionary and technology enthusiast, he was responsible for delivering Intel’s integrated security solutions for datacenters. Before Intel, Rishi was VP of Product Management for Datacenter and Server security products at McAfee. He launched multiple products to establish McAfee’s leadership in risk & compliance, virtualization, and cloud security. Rishi joined McAfee by way of acquisition in 2009 (Solidcore, an enterprise security startup). At Solidcore, he was responsible for Product Management and Strategy. As one of the early employees and a member of the leadership team, he was instrumental in defining the company’s product strategy and growing the business.
Rishi has over a dozen patents in Computer Security and holds a B.S. in Computer Science from the Indian Institute of Technology, New Delhi and a Master’s in Computer Science from the University of Southern California, Los Angeles. Rishi is passionate about innovative technologies and industry trends and serves as an active advisor to multiple startups in Silicon Valley and India.