New and sophisticated cybersecurity threats are continually emerging to target enterprises, using multiple attack vectors and evolving entry points. In this environment, accuracy and agility during incident analysis and response become critical. Analysts need a tool stack that primes the SOC for scalable, standardized enrichment and remediation actions coordinated across security products.
Users can now leverage Demisto’s security orchestration and automation capabilities with Check Point’s SandBlast (both Appliance and Cloud) as well as Next Generation Firewall solutions for automated malware analysis, firewall rule management, and threat protection.
- Automate malware sample analysis in Demisto playbooks using Check Point SandBlast.
- Block IP addresses from within Demisto using Check Point Next Generation Firewall.
- Automate firewall rule visibility, creation, and deletion in Demisto playbooks using Check Point NGFW.
- Leverage hundreds of Demisto product integrations to enrich data from Check Point solutions and coordinate response across security functions.
- Run thousands of commands (including for Check Point products) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated malware analysis and threat protection
When responding to alerts, time is of the essence. This time constraint is often at odds with the vast array of security products analysts have to navigate while extracting context and driving response to incidents. Many of these product-specific tasks, while essential to incident response, are menial and time-consuming, miring analysts in fatigue and preventing them from actual problem-solving.
SOCs can integrate Demisto Enterprise with multiple Check Point products – SandBlast and Next Generation Firewall – to orchestrate and automate a variety of critical but repeatable actions during incident response. For instance, Demisto playbooks can automate file detonation and malware analysis using SandBlast, and indicator blocking using NGFW.
These actions can also be run in real time from an incident’s War Room, so that results are stored in a central location for further study and individual product consoles don’t need to be opened for every task.
Demisto acts as a bridge between Check Point products and other security products that a SOC may use to both quicken incident resolution and orchestrate any allied tasks that fall outside the direct purview of incident response. This ensures standardized response and updates, reduced effort and time through automation, and archived documentation for future learning.
For more information on Demisto's integration with Check Point, view our joint solution brief.
USE CASE #2
Proactive and scheduled firewall policy management
As organizations scale, coordinating day-to-day security operations in addition to incident response across heterogeneous environments becomes tough. Managers face challenges in unifying security policy actions across disparate networks and tying those actions in with incident response and other security measures.
Demisto playbooks using Check Point NGFW can be scheduled as ‘Jobs’ to run at pre-determined intervals for firewall policy management. For example, a playbook might run once every day, check malicious indicators against existing NGFW rules, and update rules as and when it spots a malicious indicator that slipped through the cracks. Conversely, the playbook can also remove safe indicators that were incorrectly placed in blacklists.
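The reconciliation step such a scheduled job performs (add missing malicious indicators, drop reviewed-safe ones from the blacklist) can be shown in plain Python. This is an added illustration, not Demisto or Check Point code: it calls no real API, the rule set and indicator lists are constructed sample data, and the internal-network guard is an assumption a practitioner would normally add so a bad feed cannot push RFC1918 or loopback addresses into a block rule.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data standing in for the current NGFW block rules and the
# indicator lists a scheduled job would pull (not real Check Point/Demisto output).
CURRENT_BLOCK_RULES = {"203.0.113.5", "198.51.100.7", "192.0.2.9"}
MALICIOUS_INDICATORS = {"203.0.113.5", "192.0.2.44", "not-an-ip", "10.0.0.1"}
SAFE_INDICATORS = {"198.51.100.7"}  # analyst-reviewed false positives

# Assumed guard: addresses in these ranges are never pushed into a block rule,
# because blocking them on a perimeter firewall would cut internal traffic.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Reconciliation:
    to_block: set = field(default_factory=set)    # malicious but not yet blocked
    to_unblock: set = field(default_factory=set)  # blocked but reviewed as safe
    invalid: set = field(default_factory=set)     # unparsable indicators, never pushed
    skipped: set = field(default_factory=set)     # internal addresses, never pushed

def normalize(indicator):
    """Canonical IP string, or None if the indicator is not a valid address."""
    try:
        return str(ipaddress.ip_address(indicator.strip()))
    except ValueError:
        return None

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)

def reconcile(existing, malicious, safe):
    """Compute the rule changes a scheduled firewall-policy job should make.

    A reviewed-safe verdict always wins over a malicious one, so a stale
    blacklist entry is removed and a known false positive is never re-blocked.
    """
    result = Reconciliation()
    existing_ips = {normalize(ip) for ip in existing} - {None}
    safe_ips = {normalize(ip) for ip in safe} - {None}
    result.to_unblock = existing_ips & safe_ips
    for raw in malicious:
        ip = normalize(raw)
        if ip is None:
            result.invalid.add(raw)
        elif is_internal(ip):
            result.skipped.add(ip)
        elif ip not in existing_ips and ip not in safe_ips:
            result.to_block.add(ip)
    return result
```

A real playbook would feed `to_block` and `to_unblock` into the NGFW rule commands and log `invalid` and `skipped` for analyst review rather than silently dropping them.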
These playbooks can also be tied in or ‘nested’ within response playbooks, ensuring that both proactive and reactive ground is covered with respect to cyberdefense.
By partially/fully automating a vital part of security operations like firewall policy management, security teams ensure that their environments are less vulnerable and more prepared as and when breaches occur. These scheduled ‘Jobs’ also free up analyst time for more strategic problem-solving, measurement, and execution of long-term security improvements.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can register for our monthly product demo webinar below.