Incident response teams regularly miss threats that matter to their organization because attacker techniques have moved on. By abusing stolen insider credentials, living off the land with tools already present in the target environment, and putting valid TLS certificates on malicious sites so they look legitimate, attackers can slip past traditional security products and carry out large-scale compromises. Security teams need a platform that provides deep, real-time network intelligence and turns that information into action across the security stack.
To meet these challenges, users can combine the network detection and response capabilities of Awake Security with the security orchestration and automation features of Demisto to improve network intelligence and accelerate incident response.
- Automate the enrichment of IPs, domains, email addresses and devices with Awake Security's context as playbook-driven tasks within Demisto.
- Access Awake Security's risk score for a device, a comprehensive threat timeline, and evidence of risky behavior from Demisto in real time.
- Access Awake Security domain risk scores from Demisto to discover previously unknown malicious and suspect domains.
- Access Awake's threat behavior detections from Demisto, which surface malicious intent by insiders or external actors.
- Retrieve full packet capture data stored in Awake as needed during an investigation in Demisto.
- Leverage hundreds of Demisto product integrations to further enrich Awake Security data (and vice versa) while coordinating response across security functions.
- Run thousands of commands, including Awake Security commands, interactively via a ChatOps interface while collaborating with other analysts and Demisto's chatbot.
USE CASE #1
Detect and respond to malicious intent from inside and outside actors
Sophisticated attackers have adapted their tactics, techniques, and procedures to avoid malware altogether, relying instead on credential theft and the misuse of legitimate privileges. Security teams are therefore being asked to find malicious intent that blends in with business-justified activity. Traditional security solutions struggle to detect this activity, let alone respond to it rapidly and consistently. Only the most skilled threat hunters stand a chance of detecting it, and even for them the work is slow and manual.
Awake detects malicious intent through a combination of AI-based behavioral analytics and detection rules that identify known attacker tactics, techniques, and procedures. Threat behaviors triggered by Awake DetectIQ™ automatically create incidents within Demisto. Analysts can then respond and remediate immediately using orchestration playbooks and the broader set of Demisto integrations deployed in the enterprise.
For instance, the identification of a command and control domain can trigger the automated blocking of that domain at the perimeter as well as the creation of service tickets to remediate the endpoint. Similarly, when Awake detects a compromised credential, Demisto can automatically trigger the suspension of that account while any breach is investigated.
Awake Security's detection of non-malware activity, paired with rapid response through Demisto playbooks, helps expose both malicious insiders and outside attackers who have breached the perimeter. Shorter detection and response times also lower the impact on the organization.
For more information on Demisto's integration with Awake Security, view our joint solution brief.
USE CASE #2
Automated network detection and response
Because network intelligence and incident response tools are usually separate products, SOC teams find it hard to track the lifecycle of an incident: analysts move between screens, information is fragmented, and there is no single source of truth. Incident response also involves a host of important but repetitive actions, which leaves analysts short of time for actual problem-solving and decision-making.
SOCs that use Awake Security for network detection and Demisto Enterprise for security orchestration and incident response can automate threat enrichment through Demisto playbooks. These playbooks harness Awake Security EntityIQ™ for rich context and risk profiles of devices, users and domains, and use that information to execute actions across the entire stack of products the SOC runs.
For example, analysts can create playbook tasks that pivot from an IP address to contextual information from Awake Security, such as device name, type, associated users, threat profile, and timeline, without any manual lookup.
Demisto playbooks coupled with Awake Security actions can standardize and speed up triage and resolution of security alerts. Analysts get a comprehensive view of the response workflow on a single screen. With repeatable tasks now automated, analyst time is freed up for deeper investigation and strategic action.
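The following is an added example, not code from Demisto or Awake Security, that sketches the playbook logic described in both use cases: pivot from an IP to device context, score domains, and turn high-risk findings and a credential-compromise detection into response actions (block the domain, open a ticket for the endpoint, suspend the account). The Awake responses, the incident, the field names such as `risk_score` and `timeline`, and the `NO_AUTO_SUSPEND` safeguard are all constructed assumptions for this example; a real playbook would replace the lookup tables with the integration's commands and dispatch the actions to the firewall, ticketing and identity integrations.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for Awake Security lookups. The field
# names (risk_score, users, timeline, ...) are assumptions for this example,
# not Awake's real schema.
AWAKE_DEVICES: Dict[str, dict] = {
    "10.20.30.40": {
        "device_name": "fin-ws-017", "device_type": "workstation",
        "users": ["a.hsu"], "risk_score": 87,
        "timeline": ["09:12 Kerberos TGS requests for 14 SPNs",
                     "09:40 TLS session to update-cdn.example"],
    },
    "10.20.30.41": {
        "device_name": "print-srv-02", "device_type": "printer",
        "users": [], "risk_score": 12, "timeline": [],
    },
}
AWAKE_DOMAINS: Dict[str, dict] = {
    "update-cdn.example": {"risk_score": 92, "verdict": "suspect"},
    "www.example.org": {"risk_score": 4, "verdict": "benign"},
}
# Threat behaviors raised for this incident (constructed).
AWAKE_DETECTIONS: List[dict] = [
    {"behavior": "credential_compromise", "user": "a.hsu", "device_ip": "10.20.30.40"},
]

# Accounts that must never be suspended automatically (break-glass admins,
# service accounts whose loss would break production). A safeguard added for
# this example; route these to a human instead.
NO_AUTO_SUSPEND = {"svc-backup", "breakglass-admin"}

DEVICE_RISK_THRESHOLD = 70   # assumed thresholds, tune to your environment
DOMAIN_RISK_THRESHOLD = 80

Action = Tuple[str, str]  # (action name, target)


def enrich_ip(ip: str) -> Optional[dict]:
    """Pivot from an IP to device context; None when there is no record."""
    dev = AWAKE_DEVICES.get(ip)
    return None if dev is None else {"ip": ip, **dev}


def enrich_domain(domain: str) -> Optional[dict]:
    """Look up a domain risk score; normalizes case and a trailing dot."""
    d = AWAKE_DOMAINS.get(domain.lower().rstrip("."))
    return None if d is None else {"domain": domain, **d}


def plan_actions(incident: dict) -> List[Action]:
    """Turn enriched indicators and detections into an ordered, de-duplicated
    list of response actions the playbook would hand to other integrations."""
    actions: List[Action] = []

    def add(action: Action) -> None:
        if action not in actions:          # the same ticket/block only once
            actions.append(action)

    for ind in incident["indicators"]:
        if ind["type"] == "ip":
            ctx = enrich_ip(ind["value"])
            if ctx is None:
                add(("manual_review", ind["value"]))   # no evidence: do not guess
            elif ctx["risk_score"] >= DEVICE_RISK_THRESHOLD:
                add(("create_ticket", ctx["device_name"]))
        elif ind["type"] == "domain":
            ctx = enrich_domain(ind["value"])
            if ctx is not None and ctx["risk_score"] >= DOMAIN_RISK_THRESHOLD:
                add(("block_domain", ctx["domain"]))

    for det in incident.get("detections", []):
        if det["behavior"] == "credential_compromise":
            user = det["user"]
            if user in NO_AUTO_SUSPEND:
                add(("manual_review", user))
            else:
                add(("suspend_account", user))
            dev = enrich_ip(det["device_ip"])
            if dev is not None:
                add(("create_ticket", dev["device_name"]))
    return actions


SAMPLE_INCIDENT = {
    "indicators": [
        {"type": "ip", "value": "10.20.30.40"},
        {"type": "ip", "value": "192.0.2.9"},            # unknown to the lookup
        {"type": "domain", "value": "update-cdn.example"},
        {"type": "domain", "value": "www.example.org"},
    ],
    "detections": AWAKE_DETECTIONS,
}

if __name__ == "__main__":
    for name, target in plan_actions(SAMPLE_INCIDENT):
        print(f"{name:16}{target}")
```

Two choices matter more than the thresholds. An IP the network platform has never seen yields a manual-review task rather than silence, so a gap in coverage is visible to the analyst, and the credential-compromise branch refuses to auto-suspend accounts on the break-glass list, because an automated lockout of an admin or service account can do more damage than the intrusion it is reacting to.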
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our Community Edition below.