As applications move to the cloud and users are increasingly remote, the Internet has become the new corporate network. But the internet is not something anyone controls, so how can one secure it? Zscaler solves this problem for customers by focusing on connecting the right users to the right applications, irrespective of where the users are located.
Now, users can leverage the web security (including sandboxing, cloud firewall, content and URL filtering, advanced threat protection) capabilities of Zscaler with the security orchestration and automation features of Demisto Enterprise.
- Leverage Zscaler’s malware analysis results within Demisto, either as automated playbook tasks or in real-time.
- Execute Zscaler indicator management actions within Demisto as playbook tasks or in real-time.
- Leverage hundreds of Demisto product integrations to further enrich Zscaler data and coordinate response across security functions.
- Run thousands of commands (including Zscaler commands) interactively via a ChatOps interface while collaborating with other analysts.
USE CASE #1
Automated Incident Enrichment and Response
There is often a mismatch between the high-volume nature of alerts and analyst agility in response to them. Incident response tasks such as attack identification, triage, reputation checks, and response actions involve switching between multiple screens, mundane and repeatable tasks, and lost time dealing with false positives.
Analysts can use Zscaler actions within Demisto playbooks to standardize and scale incident response. A playbook can retrieve Zscaler malware analysis results and indicator reputation automatically, gathering wider context without screen switching or manual repetition.
If malicious indicators are found, Demisto can retrieve a full or summary sandbox report from Zscaler, which can then be used for further analyst investigation or to trigger remediation actions.
Playbooks automate a host of actions across products so that analysts have the relevant information at their fingertips when they start an investigation. Automating Zscaler lookups saves screen-switching time, and orchestrating other product actions in the same window helps analysts look across security functions for richer and deeper incident context.
Moreover, conditional tasks within playbooks help reduce false positives and ensure that analysts spend their time on incidents that have been confirmed as malicious.
USE CASE #2
Interactive, Automated and Real-time Investigation for Complex Threats
While automated playbooks can perform repetitive tasks, an attack investigation usually requires gathering critical evidence, drawing relations between incidents, and finalizing resolution. Performing these tasks involves a lot of screen switching during the investigation, and there is usually a documentation-chasing cycle after the investigation ends.
Analysts can gain new actionable information about the attack by running Zscaler commands in the Demisto War Room. For example, an analyst can run zscaler-get-blacklist to retrieve the current default blacklist and zscaler-blacklist-url to add a URL to it. Analysts can also run commands from other security tools in real time from the War Room, giving a single-console view for end-to-end investigation.
The War Room automatically documents all analyst actions, making it easy to spin up post-incident reports.
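The conditional logic from Use Case #1 (act only on confirmed-malicious sandbox results) and the blacklist commands from Use Case #2 can be combined into one decision step. The following is an added example, not code from Demisto or Zscaler: given a sandbox summary for a file and the current blacklist (as zscaler-get-blacklist would return it), it decides the verdict and returns the commands a playbook would run next. The shape of the summary (Summary/Classification keys, a Type of BENIGN/SUSPICIOUS/MALICIOUS and a 0-100 Score), the zscaler-sandbox-report command and its md5/details arguments, the url argument of zscaler-blacklist-url, the score threshold, and all sample data are assumptions made for the example; nothing here talks to either product.

```python
"""Decision step for a Zscaler enrichment playbook (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed tuning value, not a Zscaler default: below this, a MALICIOUS
# classification goes to an analyst instead of being auto-blocked.
MALICIOUS_SCORE_THRESHOLD = 70

# Constructed sample results; the shape is assumed, the data is not real.
SAMPLE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # constructed: MD5 of empty input
SAMPLE_MALICIOUS = {
    "Summary": {"Status": "COMPLETED", "Category": "MALWARE_BOTNET", "FileType": "EXE"},
    "Classification": {"Type": "MALICIOUS", "Category": "MALWARE_BOTNET", "Score": 93},
}
SAMPLE_PENDING = {"Summary": {"Status": "PENDING"}}
SAMPLE_BENIGN = {
    "Summary": {"Status": "COMPLETED", "Category": "BENIGN"},
    "Classification": {"Type": "BENIGN", "Score": 0},
}


@dataclass
class Decision:
    verdict: str                                        # malicious | benign | pending | review
    commands: List[Dict] = field(default_factory=list)  # War Room commands to run next


def normalize_url(url: str) -> str:
    """Strip the scheme and lowercase the host so the URL can be compared with
    blacklist entries (assumed to be stored without a scheme)."""
    url = url.strip()
    for scheme in ("https://", "http://"):
        if url.lower().startswith(scheme):
            url = url[len(scheme):]
    host, sep, path = url.partition("/")
    return host.lower() + (sep + path if sep else "")


def decide(md5: str, url: str, summary: dict, current_blacklist: List[str]) -> Decision:
    """Map a sandbox summary to a verdict and the follow-on commands."""
    status = str(summary.get("Summary", {}).get("Status", "")).upper()
    if status != "COMPLETED":
        # Analysis still running: re-poll rather than decide on partial data.
        return Decision("pending", [
            {"name": "zscaler-sandbox-report", "args": {"md5": md5, "details": "summary"}},
        ])

    classification = summary.get("Classification", {})
    ctype = str(classification.get("Type", "")).upper()
    score = int(classification.get("Score", 0))

    if ctype == "BENIGN":
        # Conditional task: benign results are closed without analyst time.
        return Decision("benign")

    full_report = {"name": "zscaler-sandbox-report", "args": {"md5": md5, "details": "full"}}
    if ctype == "MALICIOUS" and score >= MALICIOUS_SCORE_THRESHOLD:
        commands = [full_report]
        target = normalize_url(url)
        already_listed = {normalize_url(entry) for entry in current_blacklist}
        # Check the blacklist first so a repeat incident does not re-add the URL.
        if target not in already_listed:
            commands.append({"name": "zscaler-blacklist-url", "args": {"url": target}})
        return Decision("malicious", commands)

    # SUSPICIOUS, or MALICIOUS below the confidence threshold: pull the full
    # report for an analyst but do not block automatically.
    return Decision("review", [full_report])


if __name__ == "__main__":
    for label, summary in (("malicious", SAMPLE_MALICIOUS), ("pending", SAMPLE_PENDING), ("benign", SAMPLE_BENIGN)):
        d = decide(SAMPLE_MD5, "http://Evil.Example/payload.exe", summary, ["evil.example/other"])
        print(label, "->", d.verdict, [c["name"] for c in d.commands])
```

The two edge cases the playbook text glosses over are handled explicitly: a report that is not yet COMPLETED is re-polled instead of being treated as benign, and a URL that is already on the blacklist is not submitted again.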
Playbooks are not limited to Zscaler actions. For example, a playbook can be triggered by vulnerabilities detected by a vulnerability management tool, automate the deprovisioning of AWS cloud instances, close vulnerable ports if required, and use PagerDuty to notify the on-call personnel to take over.
Demisto playbooks can automate a host of steps, interacting with multiple intel sources, to accelerate the investigative process in threat hunting. Furthermore, the War Room allows analysts to quickly pivot and run commands specific to the threat case or incident in their network from a common window. All participating analysts have full task-level visibility into the process and can run and document commands from the same window. This also removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.