For many organizations, security systems generate thousands of alerts every day, making it impossible for security teams to prioritize alerts according to risk and severity without first weeding through false positives. As a result, valuable time is lost between detection and response while threats continue to spread within the network. Shortening investigation and response time is a constant challenge, and security teams need a solution that helps them focus on what's critical and reduces their mean time to respond.
The Intezer and Demisto integration equips security teams with an efficient workflow for security orchestration, malware analysis and incident response. Organizations can improve malware analysis accuracy by applying code reuse and similarity detection to every single alert. Security teams can coordinate malware analysis with other security processes via a single platform that gives them rich incident context, automated actions, and a collaborative workspace to accelerate incident response.
- Orchestrate Intezer's Genetic Malware Analysis into an existing security pipeline via task-based playbooks.
- Automatically analyze any suspicious files with Intezer Analyze within Demisto to obtain a comprehensive report, including the verdict and malware classification.
- Trigger automated playbooks within Demisto to add accurate context to alerts.
- Leverage hundreds of Demisto product integrations to further enrich Intezer data and coordinate responses across security functions.
- Run thousands of commands interactively (including Intezer Analyze) while collaborating with other analysts and Demisto's chatbot.
Use Case #1
Automated malware analysis and validation
SOC and Incident Response teams expend resources and analysis time chasing false positives. They need to prioritize alerts quickly according to risk and severity, without missing critical incidents.
SOCs can have standardized playbooks that run automatically and query Intezer for malware analysis. Invoking a pre-designed Demisto playbook will automatically upload any suspected file or hash to Intezer Analyze. Intezer’s Genetic Malware Analysis will analyze and classify the file or hash based on code reuse and similarities. The file is then deeply analyzed at the machine-code level and classified as legitimate or malicious, to give SOC teams the insights needed for incident evaluation. If an incident poses a higher risk, security teams can respond quickly and effectively to ensure the threat does not spread through the network.
SOC teams deploying this integration will achieve accurate malware analysis at scale, enabling them to investigate and classify malware alerts within seconds. False positives are reduced by identifying code reuse in both trusted and malicious software. Analysts can better prioritize alerts based on verdict, classification, and the threat actor behind the attack, shortening their detection-to-response time from hours to minutes. Also, by aligning malware analysis with other concurrent security functions, these playbooks give security teams central visibility over incident response processes.
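The triage step of such a playbook, as an added example that is not Intezer's or Demisto's own code: it takes constructed, Intezer-style code-reuse results for each alert, derives a verdict and family, attributes a threat actor, assigns a priority and action, and reuses earlier decisions for repeated hashes. The result fields, thresholds, family names and actor table are all hypothetical.

```python
# Added example (not Intezer's or Demisto's code): playbook triage over constructed,
# Intezer-style code-reuse results. Names, fields and thresholds are hypothetical.
FAMILY_ACTOR = {"ExampleRAT": "ExampleActor", "GenericDropper": None}  # constructed attribution table
MALICIOUS_REUSE_PCT = 5.0   # min % of code shared with known malware to call a file malicious
TRUSTED_REUSE_PCT = 70.0    # min % of code shared with trusted software to call a file benign

# Constructed alerts: (sha256, [(family, "malicious"|"trusted", percent_of_code_reused), ...])
SAMPLE_ALERTS = [
    ("aa" * 32, [("ExampleRAT", "malicious", 31.0), ("OpenSSL", "trusted", 12.0)]),
    ("bb" * 32, [("OpenSSL", "trusted", 55.0), ("zlib", "trusted", 30.0)]),
    ("cc" * 32, [("GenericDropper", "malicious", 9.5)]),
    ("aa" * 32, [("ExampleRAT", "malicious", 31.0)]),   # repeat alert for the first hash
    ("dd" * 32, [("zlib", "trusted", 10.0)]),
]

def classify(matches):
    """Verdict and family from code-reuse matches: malicious reuse outweighs trusted reuse."""
    malicious = [m for m in matches if m[1] == "malicious"]
    trusted_pct = sum(m[2] for m in matches if m[1] == "trusted")
    if malicious:
        family, _, pct = max(malicious, key=lambda m: m[2])
        if pct >= MALICIOUS_REUSE_PCT:
            return "malicious", family
    if trusted_pct >= TRUSTED_REUSE_PCT:
        return "trusted", None        # mostly trusted code: treat as a false positive
    return "unknown", None            # no strong signal: hand to an analyst

def triage(sha256, matches, seen):
    """One playbook run; `seen` caches decisions by hash so repeats are not re-analysed."""
    if sha256 in seen:
        return dict(seen[sha256], duplicate=True)
    verdict, family = classify(matches)
    actor = FAMILY_ACTOR.get(family) if family else None
    if verdict == "malicious":
        priority = "critical" if actor else "high"   # known actor raises the priority
        action = "open_incident"
    elif verdict == "trusted":
        priority, action = "low", "close_false_positive"
    else:
        priority, action = "medium", "assign_analyst"
    decision = {"verdict": verdict, "family": family, "actor": actor,
                "priority": priority, "action": action, "duplicate": False}
    seen[sha256] = decision
    return decision

def run_playbook(alerts):
    """Triage every alert in order and return the list of decisions."""
    seen = {}
    return [triage(h, m, seen) for h, m in alerts]
```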
To learn more about Demisto's integration with Intezer, view our joint solution brief.
Use Case #2
Malware incident classification and enrichment
Beyond the standard incident response process, attack investigations also require accurate context-based analysis of threats and relevant actionable intelligence to better target response. However, this process is typically done manually and requires specialized threat hunting expertise. Unfortunately, there is a skills gap where many organizations do not have a dedicated team of malware experts adept at reverse engineering threats.
After running an automated malware analysis playbook, analysts can gain greater visibility and obtain new actionable information about the attack by running Intezer commands interactively in the Demisto War Room. For example, once a file has been detected as malicious, analysts receive additional enrichment. Whether the threat is a nation-sponsored attack or a generic piece of malware, security teams are armed with critical insights such as string reuse, malware family, related samples, and threat actor attribution, enabling them to better understand what threat they are facing and tailor the right response accordingly.
Threats are automatically classified according to the relevant malware family and threat actor, providing context which is crucial for security teams in remediation. This helps the incident response team make better decisions by understanding the capabilities or intent of malware. By providing insights on automated reverse engineering, Demisto and Intezer can help bridge technical skill gaps within SOC teams.
Additionally, the War Room gives all participating analysts full task-level visibility of the process followed, lets them run and document commands from the same window, and removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.