New forms of sophisticated cybersecurity threats continually emerge to target enterprises utilizing multiple attack vectors. In this environment, understanding attack components, responding quickly, monitoring endpoint vitals, and ensuring continuous compliance become vital. Analysts need a platform that enables complete visibility over servers, critical systems, and endpoints, while also allowing them to proactively hunt for and respond to threats.
Carbon Black users can now leverage Demisto’s security orchestration and automation capabilities with Cb Defense, Cb Response, and Cb Protection to coordinate application and compliance control, endpoint security, and SOC incident response from a single console.
Carbon Black and Demisto integration features:
- Create Demisto incidents and trigger playbooks in response to Cb Response alerts for enrichment, triage, and resolution.
- Run automation scripts for Cb Defense actions such as quarantining devices, blocking malicious files, and updating watchlists.
- Trigger playbooks in response to Cb Protect policy changes.
- Automate Cb Protect policy actions as playbook tasks.
- Leverage 140+ Demisto product integrations to enrich Carbon Black alerts and coordinate response across security functions.
- Run hundreds of commands (including Carbon Black commands) interactively via a ChatOps interface while collaborating with other analysts and Demisto AI.
USE CASE #1
Automated endpoint protection and incident response
If a SOC uses different solutions for incident response and endpoint protection, it can be tough to track the lifecycle of an incident because analysts switch between screens, information is fragmented, and there is no single place where the incident is documented.
If a SOC uses Cb Defense for endpoint protection, Cb Response for incident response, and Demisto Enterprise for security orchestration and automation, it can automate incident creation and trigger playbooks in Demisto for specific alert types in Cb Response. The playbook orchestrates investigation actions across the suite of products the SOC uses, in a single screen and a seamless workflow.
For example, analysts can leverage Cb Defense to get alert details, device statuses, and processes as automatable playbook tasks.
Demisto playbooks coupled with Cb Defense actions can standardize and speed up triage and resolution of Cb Response alerts. Analysts get a comprehensive view of the incident’s lifecycle, access documentation from a single source, and forego the need to switch between screens while performing investigation actions.
To learn more about Demisto’s integration with Carbon Black products, download our joint solution brief.
USE CASE #2
Automated security policy and compliance management
As organizations scale, coordinating security policy and software management across heterogeneous systems and environments becomes tough. Managers face challenges in unifying security policy actions across disparate networks and in tying those actions to incident response and other security measures.
SOCs can integrate usage of Cb Response, Cb Protection, and Demisto for seamless incident response and policy management. For instance, a Cb Response alert can trigger a playbook in Demisto that, among other things, also checks the Cb Protection console for additional system details and file catalogs. If the incident resolution involves an update to security policy rule sets, this playbook can also orchestrate those tasks instead of leaving them to security policy managers.
Demisto acts as a bridge between Cb Response, Cb Protection, and other security products that a SOC may use to both quicken incident resolution and orchestrate any allied tasks that fall outside the direct purview of incident response. This ensures standardized response and updates, reduced effort and time through automation, and archived documentation for future learning.
With Demisto’s 140+ technology partner base, these use cases just scratch the surface of potential actions analysts can orchestrate using Carbon Black products as one of the components.
If you're new to Demisto and interested in exploring this integration among others, we invite you to sign up for the Demisto Community Edition below.