To drive business transformation, your organization needs to connect previously disparate networks and create new data flows between IT devices, cloud applications and OT systems. The increased business benefits you gain also come with increased risk as threat actors can now move laterally across your newly interconnected networks.
To help you effectively manage security for converging IT and OT networks, Demisto has integrated with Forescout to streamline and automate device monitoring and control across these networks. This enables your security team to manage all your devices and orchestrate actions that mitigate both cyber and operational risk.
- Ingest Forescout alerts to orchestrate IT and OT network security incident response from within Demisto via automated playbooks.
- Get detailed data of IT/OT assets from Forescout for use in automated playbooks and analyst investigations.
- Perform investigation of OT threats originating from IT such as connectivity with infected machines, malware behavior, and unauthorized access.
- Run thousands of commands (including for Forescout) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated IT and OT Security Enrichment and Response
Management of OT and IT networks is usually carried out in isolation, creating visibility and consistency issues when it comes to responding to security threats. Siloed internal processes and a lack of critical knowledge sharing prevent a unified incident handling process. When an OT threat is detected, it often takes days until the correct measure is approved and implemented, leaving OT networks highly exposed in the meantime.
Forescout alerts can be ingested into Demisto Enterprise along with relevant data such as asset details, list of active endpoints, activity history and defined policies. This enables your security team to perform enforcement actions either automatically or upon approval as part of Demisto playbooks that include both IT and OT information. Enforcement actions might include adding firewall and NAC rules, issuing malware scans, and so on.
Forescout alert ingestion into Demisto enables your security team to access all relevant information from a single management platform. Playbooks that coordinate across IT security products and OT environments standardize and accelerate incident handling to minimize operational downtime.
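The flow described in this use case (ingest an alert, enrich it with asset data, then enforce either automatically or after approval) can be modelled in a few lines. The following is an added example written for this overview, not code from Demisto or Forescout: the alert and asset records are constructed sample data, the field names (`ip`, `policy`, `zone`, `owner`) are assumptions rather than either product's schema, and the action names are placeholders for the playbook tasks that would call the real integrations. The design point it shows is that enforcement against an OT asset, or against an asset the inventory cannot identify, is gated behind an approval step because the operational risk of quarantining a controller differs from that of isolating a workstation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample data: a Forescout-style alert feed and an asset inventory.
# Field names are assumptions for this example, not the product's schema.
SAMPLE_ALERTS = [
    {"id": "A-1", "ip": "10.1.20.15", "policy": "Malware C2 Beacon", "severity": "high"},
    {"id": "A-2", "ip": "10.9.3.7", "policy": "Unauthorized Modbus Write", "severity": "high"},
    {"id": "A-3", "ip": "10.1.20.99", "policy": "Compliance: AV out of date", "severity": "low"},
    {"id": "A-4", "ip": "10.9.3.250", "policy": "Unauthorized Modbus Write", "severity": "high"},
]

ASSET_INVENTORY = {
    "10.1.20.15": {"hostname": "ws-finance-15", "zone": "IT", "type": "workstation", "owner": "finance"},
    "10.9.3.7": {"hostname": "plc-line-3", "zone": "OT", "type": "plc", "owner": "plant-ops"},
    "10.1.20.99": {"hostname": "ws-hr-99", "zone": "IT", "type": "workstation", "owner": "hr"},
}

UNKNOWN_ASSET = {"hostname": None, "zone": "UNKNOWN", "type": "unknown", "owner": None}


@dataclass
class Incident:
    alert: Dict
    asset: Dict
    actions: List[str] = field(default_factory=list)
    requires_approval: bool = False
    status: str = "open"


def enrich(alert: Dict, inventory: Dict) -> Incident:
    """Attach asset details to the alert (the enrichment step of the playbook)."""
    return Incident(alert=alert, asset=inventory.get(alert["ip"], dict(UNKNOWN_ASSET)))


def plan_response(incident: Incident) -> Incident:
    """Choose enforcement actions from severity and network zone.

    IT assets can be isolated automatically; OT assets and unidentified assets
    are escalated for human approval because a wrong action there can stop production.
    """
    severity = incident.alert["severity"]
    zone = incident.asset["zone"]
    if severity == "low":
        incident.actions = ["notify-owner"]
    elif zone == "IT":
        incident.actions = ["block-nac", "malware-scan"]
    elif zone == "OT":
        incident.actions = ["add-firewall-deny", "notify-plant-ops"]
        incident.requires_approval = True
    else:
        incident.actions = ["escalate-unknown-asset"]
        incident.requires_approval = True
    return incident


def run_playbook(alerts: List[Dict], inventory: Dict,
                 approver: Callable[[Incident], bool]) -> List[Incident]:
    """Run ingest -> enrich -> plan -> (approve) -> enforce over a batch of alerts.

    `approver` stands in for the analyst approval task; it returns True to allow
    the planned actions. Incidents it declines stay in 'awaiting-approval'.
    """
    results = []
    for alert in alerts:
        incident = plan_response(enrich(alert, inventory))
        if incident.requires_approval and not approver(incident):
            incident.status = "awaiting-approval"
        else:
            incident.status = "enforced"  # run automatically or after approval
        results.append(incident)
    return results


def approve_known_ot_only(incident: Incident) -> bool:
    """Sample approval policy: approve OT actions only when the asset owner is known."""
    return incident.asset["owner"] == "plant-ops"


if __name__ == "__main__":
    for inc in run_playbook(SAMPLE_ALERTS, ASSET_INVENTORY, approve_known_ot_only):
        print(inc.alert["id"], inc.asset["zone"], inc.actions, inc.status)
```

In a real deployment the `approver` callable corresponds to a manual task in the playbook and the action strings to integration commands; the useful property to preserve is that the approval gate is decided from enriched asset data, so an alert about an address the inventory does not recognise is never auto-enforced.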
USE CASE #2
Interactive, Real-time Investigation for Complex IoT and
While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an attack investigation usually requires additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the vulnerability by running Forescout commands in the Demisto war room. For example, analysts can retrieve specific device information and also run commands from other security tools in real time from the war room, giving a single-console view for end-to-end investigation.
The Demisto war room allows analysts to quickly pivot and run the commands relevant to incidents in their network from a single window. All participating analysts have full task-level visibility of the process and can run and document commands from that same window, which also removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.