• Demisto Blog
  • »
  • Standardizing Incident Response and Collaborating towards a safer future

Standardizing Incident Response and Collaborating towards a safer future

About 2 months ago we launched 1.0 of Demisto Enterprise after a two month beta period and lots of customer engagement. One of the constant feedback from all the large enterprise customers we talked to was we as an industry should collaborate to build playbooks and that we need a highly engaged community to respond better. After deep discussions with customers and industry leader about the openness and collaboration requirements we reached the understanding that these are the most important requirements -

    1. Sharing of playbooks across companies - Organizations need to be able to collaborate and build playbooks that can be shared among them. The main reason behind this requirement is the fact that collectively, through the wisdom of many people, we can all build better response procedures and automations and improve our defenses.  
    2. A flexible playbook model - The definition of a playbook is not very clear in the security industry today and clearly playbooks need to have automations and procedural steps side by side. These two types of tasks are usually part of a normal incident response cycle and a playbook should be able to model this. This is true not only for incident response. General security operations require flexible playbooks to allow process steps like escalations, approvals, patching alongside automations like block an IP, kill a process etc.
    3. Vendor-neutral format - When we started designing the playbook exchange format, we realized that most of the security vendors (our competitors) out there represent the playbooks in an internal and proprietary format. Some actually do talk about sharing of playbooks across their customer base or community but that is not sharing, that is locking down customers tighter with their own product. So we decided that similar to other standards in security industry like STIX, we need a standard that is vendor neutral for security operations.

Introducing COPS (Collaborative Open Playbook Standard)

COPS is an open standard based on above three key requirements. We have designed this in a very extensible and flexible manner where the automations and automation modules are decoupled from the playbooks. This gives huge flexibility when it comes to taking playbooks from one product and transferring them to another product. We would like to invite partners, customers and vendors to review the spec and suggest changes. We are sharing the format and some examples in this github repository and would like the community to join us in the effort. We encourage discussion about the standard on the COPS channel in the DFIR community we created in Slack


More Community Announcements

In addition to an open playbook standard, we are also making a few more exciting announcements -

  1. Demisto Free Edition - To get our community starting with building their own playbooks with easy, we are launching a free edition of our product. Customers can get started with the product without paying anything. They can build playbooks (based on their internal procedures) with Demisto Free Edition drag and drop UI and then export into the standard format. You ask how do you get it? Not so fast. All good things in life need some hard work. You have to earn this by answering some questions.
  2. Slack DFIR Community growth - We are excited to announce a big milestone of surpassing 500 members in the DFIR Slack community. The participating members are from 18 different timezones. The topics range from incident response procedure discussions, tools, training and many more fun topics.
  3. Open sourcing of 150+ automation scripts - all of our automation scripts in Demisto product are now open source.
  4. Open source Slackbot adoption - We thank the cylance team for contributing back to community and announce the inclusion of Cylance threat feed in open source slackbot. Also we are happy to share that the slackbot is now being used by more than 800 slack teams across the world.

Demisto is all about collaborating so that together we will be able to protect ourselves better against cyber crime. We believe that each of the announcements we are making today is a major step in this direction and together, the steps we took will help the industry leapfrog into a safer future. We invite the community to join us in this major effort.

Download Free Edition