Cutting Through Network Noise
Security teams face unique challenges in today’s data-heavy landscape with sophisticated attackers and vast threat surfaces. Separating insights from noise, battling a growing number of alerts sans enrichment, and coordinating between multiple security products all weigh heavily on the security analyst’s mind.
Here, we will show how combining RSA NetWitness’s security and network analytics features with Demisto’s security orchestration and automation capabilities can provide analysts with a deep investigative toolkit to resolve incidents quicker and with more accuracy.
Using Demisto and NetWitness, you can:
- Ingest NetWitness alerts data into Demisto Enterprise.
- Trigger playbooks for enrichment and resolution of NetWitness alerts.
- Leverage 140+ Demisto product integrations to enrich NetWitness alerts.
- Run 150+ NetWitness commands interactively via a ChatOps interface while collaborating with other analysts and Demisto AI.
USE CASE #1
Extracting context from investigation data
During investigations, analysts need to check indicators, determine whether they are malicious, and weave a contextual thread through the vast stores of data at their disposal. When faced with many indicators lacking context, this becomes a repetitive and time-consuming process.
After ingesting alert data from NetWitness, analysts can leverage actions from 140+ security products to enrich the NetWitness database. For example, they can detonate suspicious hashes in a sandbox for further study, query other threat intelligence tools for indicator reputation, and update endpoint databases in case malicious indicators are found.
Analysts can also pull and add packet captures from external sources using Demisto orchestration, as well as update NetWitness databases through the bi-directional integration.
Demisto also uses hypersearch to give analysts critical context about the indicators associated with an incident. Analysts can view indicator maliciousness, repeating patterns, and cross-correlations at a glance in both the work plan and War Room windows.
Contextual viewing of data allows for quicker identification of remediation procedures and running the respective playbooks/actions to curtail the incident. Orchestrating security actions from multiple products in one window saves screen switching time, gives a better visual representation of alert data in one place, and enables further enrichment of individual sources through bi-directional integrations.
To learn more about Demisto’s integration with RSA NetWitness, read our joint solution brief.
USE CASE #2
Interactive investigations for deeper breach study
While conducting joint investigations, analysts struggle with assigning task-level accountability, documenting actions in a single source, and learning from each other’s actions to reduce the time to incident resolution.
After the playbooks have run, analysts can conduct joint investigations in the Demisto War Room and run 150+ NetWitness specific commands – apart from hundreds of others – to carry out an interactive investigation for more sophisticated alerts. For example, analysts can search for pattern matches across sessions or packets, perform queries against the meta database, and cache NWD files for future retrieval.
All participating analysts have full task-level visibility of the process followed, can run and document commands from the same window, and no longer need to collate information from multiple sources for documentation.
With the depth and variety of API calls available for the NetWitness and Demisto integration, these use cases just scratch the surface of potential actions analysts can orchestrate across their security product suite.
If you are new to Demisto and interested in exploring this integration among others, we invite you to sign up for the Demisto Community Edition below.