Clear the Fog of War
Security teams face two pressures at once. On one side, alert volumes keep rising as a growing number of security tools each raise their own disconnected alarms, and analysts struggle to extract context and visibility from that mass of data. On the other side, security spending is under closer scrutiny, which requires SOCs to build scalable, repeatable response processes that run from alert ingestion through remediation.
To help with both, users can now integrate PacketSled's network visibility and threat hunting capabilities with Demisto's security orchestration and automation features, deepening investigations and shortening response times. The PacketSled-Demisto integration speeds up search and investigation during triage by driving PacketSled's platform APIs and investigative methodology from Demisto playbooks.
Effective today, using a Demisto playbook, users can:
- Search PacketSled indexes for network traffic by IP address, hostname, traffic type and other simple search terms.
- Retrieve files extracted by PacketSled sensors and hand them to analysis tasks in the same orchestration playbook.
- Retrieve full packet captures from the same playbook, so the SOC workflow runs from alert to raw packets without leaving Demisto.
- Run PacketSled API commands in real time, alongside commands from hundreds of other integrated products, from Demisto's command-line interface during interactive investigations.
Collapsing triage capabilities from PacketSled and other products into a single playbook lets analysts investigate quickly and decisively and collect network evidence (extracted files and packet captures) through Demisto. Because that evidence can contain sensitive payload data, the playbook's storage and access controls for retrieved files and PCAPs deserve the same care as the sensors themselves.
USE CASE #1
Extracting context from investigation data
During investigations, analysts need to check indicators, determine whether they are malicious, and piece together context from large volumes of disparate data. Faced with many indicators and no context, this becomes a repetitive and time-consuming process.
After ingesting alert data from PacketSled, analysts can enrich the alert with automated actions from more than 160 integrated security products. They can pull packet captures, query extracted files and fetch sensor metadata by calling PacketSled APIs from automated playbook tasks. Demisto's hypersearch also gives analysts context about the indicators associated with an incident: indicator reputation, recurring patterns and cross-correlations are visible at a glance in both the Work Plan and War Room views.
Seeing the data in context lets analysts identify the right remediation procedure sooner and run the corresponding playbooks or actions to contain the incident. Orchestrating actions from multiple products in one window removes console switching, presents the alert data in one place and allows each source to be enriched further through bi-directional integrations.
USE CASE #2
Real-time investigations for accelerated, informed response
Complex alerts are rarely remediated purely through standardized, automated workflows. Analysts usually have to investigate in real time, and they often do so in silos, switching between separate consoles for each step. They also struggle to attach accountability to individual tasks, document their actions in a single place and learn from each other's work in order to shorten the time to resolution on each successive incident.
After the standardized playbooks have run, analysts can investigate jointly in the Demisto War Room and run PacketSled-specific commands, alongside hundreds of others, to work through more sophisticated alerts interactively. For example, analysts can run tailored search commands to retrieve event and incident details from PacketSled by UID, time range and severity.
All of these actions are recorded in the War Room, so the investigation is documented for later review and learning, and the fidelity and speed of incident response improve over time.
Every participating analyst has full task-level visibility of the process followed, can run and document commands from the same window, and no longer needs to collate information from multiple sources for documentation.
Rishi Bhargava, Demisto co-founder and VP of Marketing, added: “We are looking forward to getting this into the hands of our clients, as it is a great move toward simplifying their workflow. Demisto’s award-winning platform is constantly improving the lives of our customers by integrating across the leading security products, such as PacketSled.”
“PacketSled’s exploration and investigation capability enables analysts and responders to gather forensic artifacts through Demisto’s workflow. The orchestration of incident export, file extraction, PCAP analysis and triage through a playbook introduces SOC analysts to the simplicity of automation in workflow. As a critical platform component in the defender’s tool chain, Demisto’s PacketSled integration empowers analysts to investigate entities, automate evidence collection and context during investigations efficiently and easily,” said Fred Wilmot, CTO at PacketSled.
If you'd like to explore Demisto's PacketSled integration and other features further, download the Free Community Edition below.