In today’s security landscape, threat actors use multiple entry vectors and attack techniques to target organizations. With so many moving parts, security teams struggle to reconcile data from isolated malware analysis and threat intelligence tools, among others. They lose valuable time switching between consoles and repeating the same manual tasks while the attack progresses. Analysts need a platform that unifies IOC threat intelligence, malware analysis results, and other sources on one console, giving them rich incident context and faster response without tab-switching and manual rework.
Users can combine Cisco Threat Grid’s malware analysis and threat intelligence capabilities with Demisto’s security orchestration and automation features to standardize their response processes, increase analyst productivity, and reduce time to detection and remediation.
- Ingest threat feed data from Threat Grid into Demisto and run tailored automated playbooks that both enrich alerts with context and respond to them.
- Orchestrate Threat Grid sandboxing actions along with other security products in one window through Demisto playbooks.
- Leverage hundreds of Demisto product integrations to further enrich Threat Grid alerts and coordinate response across security functions.
- Run thousands of commands (including for Threat Grid) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
Use Case #1
Automate sandbox detonation and malware triage
As alert volumes grow, analysts find it hard to keep up with the repetitive, high-volume tasks that make up malware triage and sandbox detonation for further study. Over time this leads to a higher error rate, incomplete investigations, and alerts slipping through the cracks.
SOCs can define standardized playbooks that run automatically when specific alerts are ingested from Threat Grid. These playbooks perform preliminary checks to decide whether triage is needed, run the detonation, and return the resulting reports to analysts for follow-up investigation.
Automating triage and detonation saves analysts a great deal of time and redundant effort, leaving them free for the more demanding investigative work. It also enforces a standardized response, lowers the error rate, and ensures no alert slips through the cracks.
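The playbook logic described above, written out as an added, stand-alone example rather than Demisto's or Threat Grid's own code. It shows the checks a triage playbook typically makes before and after detonation: normalize and validate the file hash, skip allowlisted samples, reuse a cached verdict instead of re-detonating a hash that has already been analyzed, poll the sandbox with a timeout, and map the sandbox's threat score to a verdict that decides whether an analyst needs to look. The `Sandbox` interface, the `FakeSandbox` stand-in, the alert and report field names, and the score thresholds are all assumptions made for this example; a real playbook would call the product's integration commands behind the same interface.

```python
"""Automated sandbox triage as a playbook would run it.

Example code, not Demisto's or Threat Grid's own. The Sandbox interface,
the FakeSandbox stand-in, the field names and the score thresholds are
assumptions for illustration only.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol, Set, Tuple

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Assumed verdict thresholds; tune to the sandbox's real score scale.
MALICIOUS_SCORE = 90
SUSPICIOUS_SCORE = 60


@dataclass
class Alert:
    alert_id: str
    sha256: str
    filename: str


@dataclass
class Report:
    alert_id: str
    sha256: str
    verdict: str                 # malicious | suspicious | benign | skipped | error
    score: Optional[int] = None
    reason: str = ""
    sample_id: Optional[str] = None


class Sandbox(Protocol):
    """Minimal sandbox interface the playbook depends on (hypothetical)."""
    def submit(self, sha256: str, filename: str) -> str: ...
    def state(self, sample_id: str) -> str: ...       # pending | done | failed
    def threat_score(self, sample_id: str) -> int: ...


class FakeSandbox:
    """Constructed in-memory stand-in so the example runs offline.
    `scores` maps a sha256 to the threat score the sandbox will report;
    unknown hashes fail analysis, and results become ready after a few polls."""
    def __init__(self, scores: Dict[str, int], polls_until_done: int = 2):
        self._scores = scores
        self._polls_until_done = polls_until_done
        self._by_id: Dict[str, Tuple[str, int]] = {}  # sample_id -> (sha256, polls)
        self.submissions: List[str] = []              # hashes actually detonated

    def submit(self, sha256: str, filename: str) -> str:
        self.submissions.append(sha256)
        sample_id = f"sample-{len(self.submissions)}"
        self._by_id[sample_id] = (sha256, 0)
        return sample_id

    def state(self, sample_id: str) -> str:
        sha256, polls = self._by_id[sample_id]
        if sha256 not in self._scores:
            return "failed"
        self._by_id[sample_id] = (sha256, polls + 1)
        return "done" if polls + 1 >= self._polls_until_done else "pending"

    def threat_score(self, sample_id: str) -> int:
        return self._scores[self._by_id[sample_id][0]]


def verdict_for(score: int) -> str:
    if score >= MALICIOUS_SCORE:
        return "malicious"
    if score >= SUSPICIOUS_SCORE:
        return "suspicious"
    return "benign"


@dataclass
class TriagePlaybook:
    sandbox: Sandbox
    allowlist: Set[str] = field(default_factory=set)
    cache: Dict[str, Report] = field(default_factory=dict)  # sha256 -> earlier report
    poll_interval: float = 0.0                              # seconds between polls
    max_polls: int = 10

    def run(self, alert: Alert) -> Report:
        sha256 = alert.sha256.strip().lower()
        if not SHA256_RE.match(sha256):
            return Report(alert.alert_id, alert.sha256, "error", reason="malformed sha256")
        if sha256 in self.allowlist:
            return Report(alert.alert_id, sha256, "skipped", reason="hash on allowlist")
        if sha256 in self.cache:
            # Already analyzed: reuse the verdict instead of detonating again.
            prior = self.cache[sha256]
            return Report(alert.alert_id, sha256, prior.verdict, prior.score,
                          "reused cached analysis", prior.sample_id)
        sample_id = self.sandbox.submit(sha256, alert.filename)
        for _ in range(self.max_polls):
            state = self.sandbox.state(sample_id)
            if state == "done":
                score = self.sandbox.threat_score(sample_id)
                report = Report(alert.alert_id, sha256, verdict_for(score), score,
                                "sandbox analysis complete", sample_id)
                self.cache[sha256] = report
                return report
            if state == "failed":
                return Report(alert.alert_id, sha256, "error",
                              reason="sandbox analysis failed", sample_id=sample_id)
            time.sleep(self.poll_interval)
        return Report(alert.alert_id, sha256, "error",
                      reason="timed out waiting for sandbox", sample_id=sample_id)


def needs_analyst(report: Report) -> bool:
    """Only non-benign or failed outcomes are handed to a human."""
    return report.verdict in ("malicious", "suspicious", "error")
```

Cached verdicts keep the sandbox from being hit once per alert for the same sample, which matters when one phishing campaign produces hundreds of alerts carrying the same attachment; an error or timeout is surfaced to an analyst rather than silently dropped, so a sandbox outage does not turn into alerts slipping through.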
Use Case #2
Interactive investigations for deeper malware study
When investigating jointly, analysts struggle to attach task-level accountability, to document their actions in a single place, and to learn from each other’s work so that each successive incident is resolved faster.
After the playbooks have run, analysts can conduct joint investigations in the Demisto War Room and run 35+ Threat Grid specific commands, in addition to hundreds of others, for an interactive investigation of more sophisticated alerts. For example, analysts can run commands to retrieve network stream data, PCAP data, and reports for a specific alert ID.
Every participating analyst has full task-level visibility of the process followed, can run and document commands from the same window, and no longer needs to collate information from multiple sources for documentation.
We hope you found this integration overview helpful. To explore Demisto in greater detail, you can access the Free Community Edition below.
Stay tuned for more product integration walkthroughs in the coming weeks.