We're pleased to have had the opportunity to interview two analysts from WestJet, a Canadian airline founded in 1996. WestJet has been a Demisto customer since April 2019 and presented their automation journey this summer, at Palo Alto Networks Ignite.
In this blog, you'll find excerpts from our interview with WestJet, which highlight the challenges they faced before automation, the successes they have had since implementing SOAR in their SOC, and their future plans with Demisto.
What were some of the challenges you faced that led you to look at Demisto?
The incident response challenges we faced were probably similar to those of every other organization. There were way too many alerts, way too many tools. The alerts, tools and workloads were growing at an exponential rate and that didn't match our rate of hiring people. And we weren't interested in building out a massive security team.
We needed a better way to solve those challenges. So we looked for a way to take the mundane work away from our security teams so that they can focus on the more advanced cases.
What is your most popular use case now and how did you implement it?
Our most popular use case at the moment is vulnerability management. We spend a lot of time generating reports for management and other teams on the vulnerabilities in our environment, how to fix them, and which teams they impact. It was a very manual effort and a lot of focus was often spent on creating and delivering these reports.
The focus should be on how do we get the vulnerabilities out of our environment. We talked about it at the Ignite event earlier this year, showing how we took a lot of that manual work away with Demisto automation. That leaves our security teams able to focus on the vulnerabilities themselves and helping other teams remediate them out of our environment, which reduces our overall risk and impact.
To see a demo of how WestJet uses Demisto, watch their speaking session from Palo Alto Networks Ignite 2019 here:
What was the implementation process like?
We did a POC with Demisto earlier in the year where we got familiar with the platform, how the automations work, how the integrations work, and then we kind of took off from there. It was a few weeks of effort to go from no playbook to a fully automated playbook that delivers those reports. It was quick. Yeah, and the amount of effort we put into the automation pays off in the future as the automation takes care of all the manual work that our analysts were doing.
How long did it take for someone to manually do the task compared to with the automation in place?
In the video, we showed one of our analysts doing vulnerability management manually, extracting the report, opening a ServiceNow ticket. It took eight minutes to just generate one report per team and we've got about 30 teams, and that was just the critical vulnerabilities. With the playbook in Demisto, it took about 10 seconds to pull the same information and generate that same report for that team. And that’s without any human intervention.
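The per-team report-and-ticket task described above, as an added illustration that is not WestJet's or Demisto's code: it filters constructed scan findings to one severity, groups them by the team that owns each host, renders one report per team, and produces a ticket payload per team with a stable correlation id so a re-run does not file duplicates. The findings, the host-to-team map and the ticket field names are all constructed or hypothetical; the real job would send each payload to the ticketing system.

```python
"""Per-team critical-vulnerability reports, the kind of task WestJet describes
automating. Added illustration, not WestJet's or Demisto's code. The finding
records, the ownership map and the ticket shape below are constructed."""
from collections import defaultdict
import hashlib

# Constructed scan output (placeholder hosts and CVE ids, not real ones).
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "critical", "fix": "apply vendor patch"},
    {"host": "web-02", "cve": "CVE-0000-0001", "severity": "critical", "fix": "apply vendor patch"},
    {"host": "db-01", "cve": "CVE-0000-0002", "severity": "high", "fix": "upgrade package"},
    {"host": "db-01", "cve": "CVE-0000-0003", "severity": "critical", "fix": "disable service"},
    {"host": "unknown-99", "cve": "CVE-0000-0004", "severity": "critical", "fix": "rebuild host"},
]

# Constructed asset-ownership map: which team is responsible for which host.
HOST_OWNER = {"web-01": "web-platform", "web-02": "web-platform", "db-01": "data-services"}


def filter_by_severity(findings, severity="critical"):
    """Keep only findings at the requested severity (the talk covered criticals)."""
    return [f for f in findings if f["severity"] == severity]


def group_by_team(findings, owners, unowned="unassigned"):
    """Group findings by owning team. Hosts with no known owner land in a
    catch-all bucket so they show up in a report instead of silently dropping out."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[owners.get(f["host"], unowned)].append(f)
    return dict(grouped)


def render_report(team, findings):
    """Plain-text report for one team: one line per CVE with affected hosts and fix."""
    hosts_by_cve = defaultdict(list)
    fix_by_cve = {}
    for f in findings:
        hosts_by_cve[f["cve"]].append(f["host"])
        fix_by_cve[f["cve"]] = f["fix"]
    lines = [f"Critical vulnerabilities for team {team}: {len(hosts_by_cve)} issue(s)"]
    for cve in sorted(hosts_by_cve):
        hosts = ", ".join(sorted(hosts_by_cve[cve]))
        lines.append(f"- {cve} on {hosts}: {fix_by_cve[cve]}")
    return "\n".join(lines)


def ticket_key(team, findings):
    """Stable id over the sorted (host, cve) pairs, so re-running the job on an
    unchanged set of findings yields the same key and no duplicate ticket."""
    pairs = sorted((f["host"], f["cve"]) for f in findings)
    return hashlib.sha256(f"{team}|{pairs}".encode()).hexdigest()[:16]


def build_tickets(findings, owners, severity="critical"):
    """Return one ticket payload per team. Field names are a hypothetical shape,
    not the ServiceNow API; the real automation would POST these payloads."""
    tickets = []
    grouped = group_by_team(filter_by_severity(findings, severity), owners)
    for team, items in sorted(grouped.items()):
        tickets.append({
            "assignment_group": team,
            "short_description": f"{len(items)} {severity} finding(s) for {team}",
            "description": render_report(team, items),
            "correlation_id": ticket_key(team, items),
        })
    return tickets


if __name__ == "__main__":
    for ticket in build_tickets(FINDINGS, HOST_OWNER):
        print(ticket["description"])
        print()
```

The correlation id is the piece that matters once this runs on a schedule: ticketing systems generally let you search by such a field, so the job can update an existing ticket rather than opening a second one for the same findings, and the catch-all bucket is what stops an unmapped host from disappearing from every team's report.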
How’s the experience been so far?
It's been great. We can work with our security team to talk about the regular tasks they do every day that are repeatable and that are candidates for automation, and we're able to take that work away from them. Whether it's vulnerability management, phishing, or account provisioning, we are assured that some of the work is being taken care of in an automated fashion by Demisto, freeing up their time to go look at other things or identify other ways we can improve or automate with Demisto.
What's your favorite part of the product?
I like how we can write quick scripts to do automation and quickly deploy them with Demisto. Whether it's a simple Python script that calls out to an API where there was an integration out of the box, I can go from no integration to a fully functional one in PROD in a couple of hours. As a developer, as a DevOps guy, that's awesome, right?
What are your future plans for automation?
For future plans with Demisto, use your imagination. We went after some of the more manual tasks that our analysts were complaining about or performing today to ease the workload for them. But the end goal is that, whether it's responding to a threat or an alert from the SIEM or any other source, we want Demisto to initiate the action on that alert, so we can automate the life cycle of remediation for that alert or whatever else needs to happen.
Rather than running around and responding differently every day, we want to use the playbooks to standardize our approach to security. So if an alert comes in, these are the things that happen automatically and these are the things that we assign a task or manual ticketing for, etc.
We hope you found this interview useful. To explore SOAR in greater detail, you can download our Security Orchestration for Dummies ebook below.