Everyone uses email, even your neighborhood cyber-criminal. Not surprisingly, it’s a favorite vehicle for delivering malware, impersonation fraud and phishing attacks.
This integration combines Mimecast’s comprehensive cloud-based email security capabilities with Demisto’s security orchestration to help your security teams standardize incident response processes, execute repeatable tasks at scale, and accelerate time to detect and protect against such email-borne attacks.
- Ingest rich Mimecast information (URL lists, message content, attachments, logs, policies, sender info) into Demisto for analyst investigation or automated playbook-driven response
- Manage policies and users from within Demisto as automated tasks or real-time actions
- Run thousands of commands (including for Mimecast) and collaborate with other analysts and Demisto’s chatbot.
- Leverage 100s of Demisto integrations to coordinate response across security functions.
USE CASE #1
Automated email threat alert enrichment and response
When it comes to email threats, time is not your friend. These attacks usually target multiple users simultaneously across the organization and could result in multiple points of infiltration by the attacker. In addition, email attacks can generate a lot of alerts which have to be sifted through manually by your analysts to determine malicious intent. These tasks are repetitive and time-consuming. They cause alert fatigue and take analysts away from actual problem-solving.
Demisto integrates with Mimecast to orchestrate and automate a variety of critical but repeatable actions during incident response. For example, if a suspect URL from a Mimecast alert is ingested into Demisto, the corresponding playbook is automatically executed. This playbook looks up the URL, decodes it and if necessary disarms and sanitizes the URL.
For other Mimecast alerts, playbooks can also be set up to enrich and extract malicious indicators or download and detonate suspicious payloads using your endpoint security sandbox.
Demisto acts as the bridge between Mimecast and other security products that your SOC can use to speed incident resolution. This ensures standardized response and updates and reduced effort and time through automation.
To learn more about our integration with Mimecast, view our joint solution brief:
USE CASE #2
Interactive investigation for complex email threats
Apart from running automated actions, attack investigations usually require additional real-time tasks such as pivoting from one suspicious indicator to another to gather critical evidence, grab and archive evidence and finalize resolution. Running these commands traps your analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, your analysts can gain new actionable information about the attack by running Mimecast commands in the Demisto War Room. For example, if the analyst decides to block a sender, the analyst can run the Mimecast-manage-sender commands to block a sender in real-time without having to switch consoles. The War Room will document all analyst actions and analysts can mark artifacts as evidence for reporting.
The War Room allows analysts to quickly pivot and run unique commands relevant to incidents in their environment from a common window. All participating analysts will have full task-level visibility of the process and be able to run and document commands from a unified console. They will also prevent the need for collating information from multiple sources for documentation. Archived documentation can also be leveraged for future learning.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.