September 26, 2019

Categories: Incident Response, Security Orchestration, Threat Intelligence, Malware Analysis, Vulnerability Management, Partner Integrations

Demisto

Demisto and Mimecast: Automated Email Security and Incident Response


Everyone uses email, even your neighborhood cyber-criminal. Not surprisingly, it’s a favorite vehicle for delivering malware, impersonation fraud and phishing attacks.

This integration combines Mimecast’s comprehensive cloud-based email security capabilities with Demisto’s security orchestration to help your security teams standardize incident response processes, execute repeatable tasks at scale, and accelerate time to detect and protect against such email-borne attacks.

Integration Features

  • Ingest rich Mimecast information (URL lists, message content, attachments, logs, policies, sender info) into Demisto for analyst investigation or automated, playbook-driven response.
  • Manage Mimecast policies and users from within Demisto, either as automated playbook tasks or as real-time actions.
  • Run thousands of commands (Mimecast commands among them) from the War Room and collaborate with other analysts and Demisto's chatbot.
  • Leverage hundreds of Demisto integrations to coordinate response across security functions.


USE CASE #1
Automated email threat alert enrichment and response


Challenge

When it comes to email threats, time is not your friend. These attacks usually target multiple users across the organization at once, so a single campaign can create multiple points of infiltration. Email attacks also generate a large volume of alerts that analysts must sift through manually to determine malicious intent. These tasks are repetitive and time-consuming; they cause alert fatigue and take analysts away from actual problem-solving.

Solution

Demisto integrates with Mimecast to orchestrate and automate a variety of critical but repeatable actions during incident response. For example, when a suspect URL from a Mimecast alert is ingested into Demisto, the corresponding playbook runs automatically: it looks up the URL, decodes it (a Mimecast-rewritten link points at Mimecast's redirector rather than at the real destination, so the original URL has to be recovered before it can be checked) and, if necessary, disarms and sanitizes it.

For other Mimecast alerts, playbooks can be set up to enrich and extract malicious indicators, or to download suspicious payloads and detonate them in your sandbox.



Benefit

Demisto acts as the bridge between Mimecast and the other security products your SOC uses to speed incident resolution. Response steps are standardized, case updates are consistent, and automation reduces both analyst effort and time to resolution.


To learn more about our integration with Mimecast, view our joint solution brief:

Read Solution Brief

USE CASE #2
Interactive investigation for complex email threats 


Challenge

Apart from running automated actions, attack investigations usually require additional real-time tasks: pivoting from one suspicious indicator to another to gather critical evidence, capturing and archiving that evidence, and finalizing the resolution. Running these commands traps your analysts in a screen-switching cycle during the investigation and a documentation-chasing cycle after it ends.

Solution

After the enrichment playbooks have run, analysts can gain new, actionable information about the attack by running Mimecast commands in the Demisto War Room. For example, if an analyst decides to block a sender, they can run the mimecast-manage-sender command to block that sender in real time without switching consoles. The War Room records every analyst action, and analysts can mark artifacts as evidence for reporting.


Benefit

The War Room allows analysts to quickly pivot and run the commands relevant to the incident at hand from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from a unified console, which removes the need to collate information from multiple sources when writing up the incident. The archived record can also be used for future learning.



We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below. 

Copyright © 2019   |   DEMISTO - A PALO ALTO NETWORKS COMPANY   |   PRIVACY STATEMENT