The new age of business and technology is marked by rapid product development and personalized user experiences. But these developments have brought with them an expanded threat landscape and a set of security hurdles to overcome.
From an incident response standpoint, security teams and IT teams are usually isolated, leading to console-switching, repetitive manual actions, and a lack of visibility during incidents that require joint response. From a DevSecOps point of view, it’s also tough to reconcile traditional security measures with the agile, proactive, and iterative nature of DevSecOps processes.
- Automate ingestion of PagerDuty events within Demisto for playbook-driven enrichment and response.
- Submit and resolve PagerDuty events from within Demisto, either as an automated task or in real-time.
- Get call schedules, users on call, contact methods, and notification details from PagerDuty within Demisto for improved incident oversight and cross-departmental coordination.
- Leverage hundreds of Demisto product integrations to further enrich PagerDuty events and coordinate response across security and IT functions.
- Run thousands of commands (including for PagerDuty) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated and coordinated incident response across security and IT teams
IT and security incident response usually have different definitions, processes, and escalation patterns, resulting in both teams working in isolation. This creates issues in enforcing and responding to threats that concern both security and IT teams. Internal processes and a lack of critical knowledge sharing prevent unified incident handling, leading to information asymmetry across teams, piecemeal processes, and a lack of accountability.
Teams can use the bidirectional integration between PagerDuty and Demisto to access IT events that need security participation and vice versa. To illustrate one direction, PagerDuty event data can be ingested into Demisto to trigger standardized and automatable playbooks. These playbooks can enrich the event with more details from PagerDuty as well as coordinate actions across other products to gather wider context without the need for screen switching and manual repetition.
For example, if security and IT teams need to coordinate response to a cloud security incident, a Demisto playbook could query PagerDuty to get scheduling data and access the list of users on call while also gathering intelligence from AWS tools in parallel.
Within PagerDuty, users can leverage defined rule-sets to notify specific personas depending on incident severity and context. For example, while handling a breach notification process, users can notify on-call IT team members, legal advisors, and representatives from the executive team in turn.
Leveraging PagerDuty’s personnel management and scheduling along with actions from other products through a common playbook helps unify response processes across security and IT teams. Playbooks also minimize screen switching, manual reconciliation of data, and repetitive work for security teams.
USE CASE #2
Enabling agile security within a DevSecOps tool stack
Organizations with a DevSecOps mindset are defined by agile product development, rapid cross-team collaboration, and quick iteration on the security front. Weaving security into the entire product lifecycle puts the onus on teams to be proactive, work together, and ensure that their tool stack is robustly interconnected. Organizations on a DevSecOps journey will need to avoid isolated tools, teams, and processes.
Demisto’s security orchestration combined with PagerDuty’s granular escalation features provides a vital connective layer across the vast number of tools that are used within DevSecOps. Demisto playbooks utilizing PagerDuty actions can ensure rapid enforcement across tools while also alerting the appropriate team members for further investigation.
For example, a playbook can be triggered by vulnerabilities detected by a vulnerability management tool. This playbook can automate deprovisioning of AWS cloud instances, close vulnerable ports if required, and leverage PagerDuty to inform on-call personnel so they can take over.
DevSecOps is a journey without an end-state, and Demisto’s integration with PagerDuty provides teams with the agility, cross-team visibility, and standardized response to security issues to continue that journey with confidence.
USE CASE #3
Conversational and real-time investigation for complex threats
Standardized processes are not enough for responding to every security alert. Apart from running automated actions, attack investigations usually require additional real-time tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands traps teams in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, security teams can gain greater visibility and identify the relevant IT personnel that need to be informed by running PagerDuty commands in the Demisto War Room. For example, if event and user data is ingested from PagerDuty into Demisto, security teams can run commands such as pagerDuty-get-contact-methods and pagerDuty-get-users-notification in real-time to get users’ contact methods and notification rules respectively. Teams can also run commands from other security tools in real-time using the War Room, ensuring a single-console view for end-to-end investigation.
The War Room documents all analyst actions and, over time, suggests the most effective analysts and command-sets.
The War Room allows analysts to quickly pivot and run unique commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window. This also removes the need to collate information from multiple sources for documentation.
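As an added illustration of the enrichment described in the first and third use cases (example code written for this overview, not Demisto’s or PagerDuty’s own), the on-call list, contact methods and notification rules below are constructed inline to mirror the shape of PagerDuty’s REST API responses (an assumption), and the function turns them into an ordered notification plan for an incident of a given urgency, limited to the escalation levels a severity rule-set allows.

```python
import json
from typing import Dict, List

# Constructed sample data, shaped like PagerDuty REST API responses (assumption:
# /oncalls, /users/{id}/contact_methods and /users/{id}/notification_rules).
ONCALLS = {"oncalls": [
    {"escalation_level": 1, "user": {"id": "PUSR01", "summary": "Ana (IT on-call)"}},
    {"escalation_level": 2, "user": {"id": "PUSR02", "summary": "Ben (Legal)"}},
    {"escalation_level": 3, "user": {"id": "PUSR03", "summary": "Cy (Exec)"}},
]}
CONTACT_METHODS = {
    "PUSR01": [{"id": "PCM01", "type": "email_contact_method", "address": "ana@example.test"},
               {"id": "PCM02", "type": "sms_contact_method", "address": "5550100"}],
    "PUSR02": [{"id": "PCM03", "type": "email_contact_method", "address": "ben@example.test"}],
    "PUSR03": [{"id": "PCM04", "type": "phone_contact_method", "address": "5550199"}],
}
NOTIFICATION_RULES = {
    "PUSR01": [{"contact_method": {"id": "PCM02"}, "urgency": "high", "start_delay_in_minutes": 0},
               {"contact_method": {"id": "PCM01"}, "urgency": "high", "start_delay_in_minutes": 5},
               {"contact_method": {"id": "PCM01"}, "urgency": "low", "start_delay_in_minutes": 0}],
    "PUSR02": [{"contact_method": {"id": "PCM03"}, "urgency": "high", "start_delay_in_minutes": 0}],
    "PUSR03": [{"contact_method": {"id": "PCM04"}, "urgency": "high", "start_delay_in_minutes": 10}],
}


def notification_plan(urgency: str, max_level: int) -> List[Dict]:
    """Return who to contact, how, and when for an incident of the given urgency.
    Only on-call users up to max_level are included (level 1 = IT on-call only;
    higher levels add legal and executive contacts, mirroring a severity rule-set)."""
    plan = []
    for entry in sorted(ONCALLS["oncalls"], key=lambda e: e["escalation_level"]):
        if entry["escalation_level"] > max_level:
            continue
        uid = entry["user"]["id"]
        methods = {m["id"]: m for m in CONTACT_METHODS.get(uid, [])}
        rules = [r for r in NOTIFICATION_RULES.get(uid, []) if r["urgency"] == urgency]
        for rule in sorted(rules, key=lambda r: r["start_delay_in_minutes"]):
            method = methods.get(rule["contact_method"]["id"])
            if method is None:  # rule points at a contact method the user no longer has
                continue
            plan.append({"user": entry["user"]["summary"], "level": entry["escalation_level"],
                         "via": method["type"].replace("_contact_method", ""),
                         "address": method["address"], "after_min": rule["start_delay_in_minutes"]})
    return plan


if __name__ == "__main__":
    print(json.dumps(notification_plan("high", max_level=3), indent=2))
```

A real playbook would populate the three structures from the PagerDuty commands named above instead of the constructed literals; the joining and ordering logic stays the same.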
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.