In today’s constantly evolving cybersecurity landscape, a singular focus on perimeter security is no longer sufficient. There needs to be a shift towards more continuously adaptive identity and behavior-based threat prevention that takes situational context into account. Equally important is the need for prevention measures to coordinate with other security operation processes. Isolated security measures, however effective, will result in a ballooning of alerts and repetition of low-level tasks by security teams.
To meet these challenges, users can combine the adaptive threat prevention capabilities of the Preempt Platform with the security orchestration and automation features of Demisto to accelerate incident response and reduce business risk.
- Ingest Preempt Platform alert data into Demisto to create incidents and trigger playbooks tied to those incidents.
- Bi-directional event enrichment and enforcement that adapts to situational context.
- Automate enrichment of alerts as playbook tasks: add or remove users from watchlists, get alert and endpoint details, get time-based activities, and so on.
- Leverage hundreds of Demisto product integrations to further enrich Preempt Platform alerts and coordinate response across security functions.
- Run thousands of commands (including for Preempt Platform) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated threat enrichment and response
The fragmented nature of threat prevention and incident response tools can make it tough for SOC teams to track the lifecycle of an incident due to moving between screens, fragmented information, and the lack of single-window documentation. Incident response will also often involve a host of important but repetitive actions that analysts need to perform, leaving them time-strapped for actual problem-solving and decision-making.
SOCs using the Preempt Platform for threat prevention and Demisto Enterprise for security orchestration and automation respectively can automate incident creation and trigger playbooks in Demisto for specific alert types in Preempt Platform. This playbook will orchestrate investigation actions across the entire stack of products that a SOC uses in a single screen and seamless workflow.
For example, analysts can leverage Preempt Platform to enrich alert details, endpoint details, and add users to watchlists as automatable playbook tasks.
Demisto playbooks coupled with Preempt Platform actions can standardize and speed up triage and resolution of security alerts. Analysts get a comprehensive view of the incident’s lifecycle, access documentation from a single source, and forego the need to switch between screens while performing investigation actions.
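The flow the list above and this use case describe (alert ingestion, incident creation, an alert-type-driven playbook, and enrichment steps such as endpoint lookups and watchlist changes, all recorded in one place) can be modelled compactly. The Python below is an added illustration, not code from Preempt or Demisto; the alert fields, the playbook names, the endpoint inventory and the watchlist client are all constructed for this example and do not reflect either product's real API. It also shows why coordination matters: repeated alerts for the same user and endpoint are folded into one incident rather than ballooning into several.

```python
"""Added example: a minimal model of the alert -> incident -> playbook flow.
Not Preempt or Demisto code; every name and record here is constructed."""
from dataclasses import dataclass, field

# Constructed sample alerts, shaped like a threat-prevention export might be.
SAMPLE_ALERTS = [
    {"id": "a1", "type": "suspicious_logon", "user": "jdoe", "endpoint": "ws-17"},
    {"id": "a2", "type": "suspicious_logon", "user": "jdoe", "endpoint": "ws-17"},  # repeat
    {"id": "a3", "type": "lateral_movement", "user": "svc-backup", "endpoint": "srv-db2"},
    {"id": "a4", "type": "password_spray", "user": None, "endpoint": "vpn-gw"},
]

# Constructed endpoint inventory standing in for a "get endpoint details" call.
ENDPOINT_DETAILS = {
    "ws-17": {"owner": "jdoe", "os": "Windows 10", "criticality": "low"},
    "srv-db2": {"owner": "dba-team", "os": "Windows Server 2019", "criticality": "high"},
    "vpn-gw": {"owner": "netops", "os": "Linux", "criticality": "high"},
}

# Hypothetical mapping from alert type to the playbook it should trigger.
PLAYBOOK_FOR_TYPE = {
    "suspicious_logon": "enrich_user_and_endpoint",
    "lateral_movement": "enrich_and_watchlist",
    "password_spray": "enrich_endpoint_only",
}


@dataclass
class Incident:
    key: tuple                      # (alert type, user, endpoint)
    playbook: str
    alert_ids: list = field(default_factory=list)
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)  # single-window audit trail


class WatchlistClient:
    """Stand-in for the platform's add/remove-user-from-watchlist actions."""

    def __init__(self):
        self.users = set()

    def add(self, user):
        self.users.add(user)

    def remove(self, user):
        self.users.discard(user)


def ingest(alerts):
    """Fold alerts sharing (type, user, endpoint) into one incident so that
    repeated detections do not become separate investigations."""
    by_key = {}
    for a in alerts:
        key = (a["type"], a["user"], a["endpoint"])
        if key not in by_key:
            playbook = PLAYBOOK_FOR_TYPE.get(a["type"], "manual_triage")
            by_key[key] = Incident(key=key, playbook=playbook)
        by_key[key].alert_ids.append(a["id"])
    return list(by_key.values())


def run_playbook(inc, watchlist):
    """Execute the enrichment tasks for the incident's playbook and log each one."""
    _, user, endpoint = inc.key
    details = ENDPOINT_DETAILS.get(endpoint)           # task: endpoint details
    inc.enrichment["endpoint"] = details
    inc.actions.append(f"get_endpoint_details({endpoint})")
    if user and inc.playbook in ("enrich_user_and_endpoint", "enrich_and_watchlist"):
        owns = details is not None and details["owner"] == user
        inc.enrichment["user"] = {"name": user, "owns_endpoint": owns}  # task: user details
        inc.actions.append(f"get_user_details({user})")
    watchlisted = False
    if user and inc.playbook == "enrich_and_watchlist":  # task: watchlist the user
        watchlist.add(user)
        watchlisted = True
        inc.actions.append(f"watchlist_add({user})")
    high_value = details is not None and details["criticality"] == "high"
    inc.enrichment["severity"] = "high" if (high_value or watchlisted) else "medium"
    return inc


def orchestrate(alerts):
    """Ingest alerts, run the matching playbook per incident, return both
    the incidents and the watchlist state for inspection."""
    watchlist = WatchlistClient()
    incidents = [run_playbook(inc, watchlist) for inc in ingest(alerts)]
    return incidents, watchlist


def incident_for(incidents, alert_type):
    return next(i for i in incidents if i.key[0] == alert_type)


if __name__ == "__main__":
    incs, wl = orchestrate(SAMPLE_ALERTS)
    for inc in incs:
        print(inc.key, inc.alert_ids, inc.enrichment["severity"], inc.actions)
    print("watchlist:", sorted(wl.users))
```

Each incident's `actions` list is the documentation trail the text refers to: an analyst reading it sees which enrichment steps ran and in what order without revisiting each tool's own console.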
To learn more about the integration, download our solution brief
USE CASE #2
Interactive, real-time investigation for complex threats
Apart from running automated actions, attack investigations usually require additional real-time tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running Preempt Platform commands in the Demisto War Room. For example, if playbook results surface user details, analysts can get the list of endpoints accessed by that user in real time by running the respective Preempt Platform command. Analysts can also run commands from other security tools in real time using the War Room, ensuring a single-console view for end-to-end investigation.
The War Room documents all analyst actions and, over time, suggests the most effective analysts and command sets.
The War Room allows analysts to quickly pivot and run commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window, which also removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview helpful. To explore Demisto in greater detail, you can access the Free Community Edition below.
Stay tuned for more product integration walkthroughs in the coming weeks.