[Webinar] A New Year, a New SOC: How Carbon Black & Demisto Future-Proof Your SOC

Posted 20-Apr-2018 (22 slides)

TRANSCRIPT

Page 1:

Confidential © 2018 Demisto. All Rights Reserved.

[Webinar] A New Year, a New SOC
How Carbon Black & Demisto Future-Proof Your SOC

Page 2:

Introductions

• Ask questions using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute
• Everyone will receive the recording and slides by Monday
• Speakers
  Rick McElvoy, Security Strategist, Carbon Black
  Rishi Bhargava, Co-Founder, Demisto

Page 3:

Why the Carbon Black / Demisto Partnership?

Automate endpoint protection, application control and incident response

• Orchestrate endpoint protection, compliance actions and threat hunting through playbooks
• Accelerate investigations by combining collaboration and automation with rich endpoint forensics data
• Reduce MTTR with automated block actions that are gated on analyst approval
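The third bullet above (automated block actions that still require approval) as an added example, not Demisto's or Carbon Black's code: a playbook step that will only push a hash ban to an endpoint if the verdict is high-confidence or an approver has signed off on exactly this host and hash, and that journals every decision in a hash chain so the investigation documents itself. The 30-minute approval lifetime, the score threshold of 90, and the FakeEdr stand-in for the endpoint product's API are assumptions made for the example.

```python
"""Approval-gated block action with a tamper-evident investigation journal.

Added example, not Demisto's or Carbon Black's code. A block is executed only
when the verdict score is high (assumed threshold) or an approval bound to this
exact host+hash exists and has not expired; every decision is journaled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json
from typing import Callable, List, Optional

APPROVAL_TTL = timedelta(minutes=30)  # assumption: an approval is usable for 30 minutes
AUTO_BLOCK_MIN_SCORE = 90             # assumption: verdicts at/above this skip the human step


@dataclass(frozen=True)
class BlockAction:
    hostname: str
    sha256: str

    def key(self) -> str:
        """Approval binds to the exact host+hash, so it cannot be replayed on another target."""
        return hashlib.sha256(f"{self.hostname.lower()}|{self.sha256.lower()}".encode()).hexdigest()


@dataclass(frozen=True)
class Approval:
    action_key: str
    approver: str
    granted_at: datetime


class FakeEdr:
    """Stand-in for the endpoint product: records what would have been banned."""
    def __init__(self) -> None:
        self.banned: List[tuple] = []

    def ban_hash(self, hostname: str, sha256: str) -> dict:
        self.banned.append((hostname, sha256))
        return {"status": "ok", "host": hostname}


class Playbook:
    def __init__(self, edr: FakeEdr, now: Optional[Callable[[], datetime]] = None) -> None:
        self.edr = edr
        self.journal: List[dict] = []
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _log(self, event: str, **fields) -> dict:
        """Append a journal entry whose hash covers the previous entry's hash."""
        prev = self.journal[-1]["entry_hash"] if self.journal else "0" * 64
        entry = {"ts": self._now().isoformat(), "event": event, "prev": prev, **fields}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.journal.append(entry)
        return entry

    def verify_journal(self) -> bool:
        """Recompute the chain; an edited or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self.journal:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def block_hash(self, action: BlockAction, score: int, approval: Optional[Approval] = None) -> str:
        """Return 'blocked', 'pending_approval' or 'rejected'; only 'blocked' touches the endpoint."""
        key = action.key()
        if score >= AUTO_BLOCK_MIN_SCORE:
            reason = f"auto: verdict score {score} >= {AUTO_BLOCK_MIN_SCORE}"
        elif approval is None:
            self._log("approval_requested", action=key, host=action.hostname, sha256=action.sha256, score=score)
            return "pending_approval"
        elif approval.action_key != key:
            self._log("approval_rejected", action=key, reason="approval is for a different host/hash")
            return "rejected"
        elif self._now() - approval.granted_at > APPROVAL_TTL:
            self._log("approval_rejected", action=key, reason="approval expired", approver=approval.approver)
            return "rejected"
        else:
            reason = f"approved by {approval.approver}"
        result = self.edr.ban_hash(action.hostname, action.sha256)
        self._log("hash_blocked", action=key, host=action.hostname, sha256=action.sha256, reason=reason, edr=result)
        return "blocked"


def demo(now: Optional[datetime] = None):
    """Walk the outcomes on a constructed incident; returns (outcomes, edr, playbook)."""
    clock = now or datetime(2018, 4, 20, 10, 0, tzinfo=timezone.utc)  # fixed clock for determinism
    edr, sha = FakeEdr(), "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
    pb = Playbook(edr, now=lambda: clock)
    action = BlockAction("WS-0412", sha)
    outcomes = [
        pb.block_hash(action, score=60),                                                      # no approval yet
        pb.block_hash(action, 60, Approval(BlockAction("WS-0999", sha).key(), "lead", clock)),  # approval for another host
        pb.block_hash(action, 60, Approval(action.key(), "lead", clock - timedelta(hours=2))),   # stale approval
        pb.block_hash(action, 60, Approval(action.key(), "lead", clock - timedelta(minutes=5))),  # valid approval
        pb.block_hash(BlockAction("WS-0412", "a" * 64), score=95),                            # high-confidence auto block
    ]
    return outcomes, edr, pb


if __name__ == "__main__":
    results, fake_edr, playbook = demo()
    print(results, fake_edr.banned, playbook.verify_journal())
```

The approval is keyed to the host and hash rather than to the incident so that one sign-off cannot be reused to block something else, and the journal chain is what lets a later reviewer show that the recorded decisions were not edited after the fact.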

Page 4:

Stop the Most Attacks
Most Proven Next-Generation Endpoint Security

Page 5:

Confidential © 2018 Carbon Black. All Rights Reserved.

Building a Highly Effective, High-Speed SOC

Page 6:

What Makes a High-Speed SOC? Capabilities, not functions

(Diagram: the SOC at the intersection of three capabilities)
People
Intelligence
Automation

Page 7:

What Can You Control?

TECHNOLOGY

• Hire more humans?
• Get better intel?
• Invest in newer tools?

Page 8:

Before We Get to Automation … We Have to Talk About Process

• Document, document, document
• Create a rapid feedback loop
  Think Agile
• Build in flexibility and agility

Page 9:

Automation

• Automation at multiple points
  Assessments
  Response
  Remediation
  Threat feeds
  Ticketing
  Change management reviews (normal changes)
• Tools are integrated at multiple levels
  1-to-1
  1-to-many
  APIs, APIs, APIs
• Convergence of detection, prevention, logging and response platforms

Page 10:

Technology

• Point security solutions are useless
• Integration at multiple points
• Needs to fit the team: teams need the right tools at the right time, not all the tools all the time
• Technology should be used to enable people, process and intel

Page 11:

Automation, Orchestration and Beyond: from the War Room to the Board Room

Page 12:

SOC Challenges

Growing alerts: >10K alerts per week
IR process: no consistent process, no metrics, run over email
Lack of skilled analysts: 2 million analyst shortage
Long MTTR & risk: weeks to resolve each detected incident

“Our MTTR is too long. Every added day translates into lost money and company brand risk.” – CISO

“The few, experienced security experts are overwhelmed with the growing number of alerts.” – SOC Director

“I spend too much time with too many products to manage incident response.” – IR Analyst

Page 13:

A NEW MODEL IS NEEDED

Page 14:

Why Demisto?

The connected fabric for your security infrastructure and teams

Automation and Orchestration: increase efficiency and leverage existing investments
Collaboration and Learning: enhance team performance with collaboration and machine learning
Complete Case Management: incident response process, track metrics and goals

Page 15: (same content as Page 14)

Page 16:

Why Demisto? From SOC challenges to reduced MTTR & reduced operational risk

Stage 1: Consistent and documented process
Stage 2: Automate redundant and repeatable steps
Stage 3: Enhance team performance and learning

(The rest of the slide repeats the Page 14 content.)

Page 17:

Demisto Enterprise: Case Management, Automation & Collaboration

Intelligent Automation
• Automate playbooks for incidents and security operations
• Automation playbooks: 120+ extensible integrations | ~1000 security actions

Threat Management
• Historical correlation of all indicators across incidents
• Auto-detection of indicators and STIX import
• Import STIX and analyze indicators across incidents

Incident Management
• Comprehensive SLA tracking & metrics
• Evidence collection and journaling
• Meets regulatory mandates and compliance

Real-Time Interactive Investigation
• Real-time collaboration and hand-offs
• DBot ChatOps capability for real-time interactive investigation with experts and tools
• Auto-documentation for all investigation actions

* Learning DBot empowers Tier 1 through 3 analysts
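The Threat Management bullets on this slide (auto-detection of indicators, STIX import, historical correlation across incidents) as an added example, not Demisto's code: a small indicator extractor that undoes common defanging, an importer for STIX 2.1 indicator objects whose pattern is a single equality comparison, and a correlation step that ranks past incidents by the indicators they share with the new alert. The TLD list used for bare-domain detection, the restriction to simple STIX patterns, and all alert text, bundle contents and incident history below are constructed for the example.

```python
"""Indicator auto-detection, STIX 2.1 import and cross-incident correlation.

Added example, not Demisto's code. Extracts IPv4s, domains, URLs and file
hashes from free-form alert text, imports single-comparison STIX 2.1
indicator patterns, and ranks past incidents by shared indicators.
"""
import json
import re
from typing import Dict, List, Set, Tuple

Indicator = Tuple[str, str]  # (kind, normalized value)

# Heuristic TLD list for bare-domain detection: an assumption for this example.
_TLDS = r"(?:com|net|org|io|info|biz|xyz|top|ru|cn|su)"

_PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+" + _TLDS + r"\b", re.I),
}


def refang(text: str) -> str:
    """Undo common defanging: hxxp://evil[.]example -> http://evil.example."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    for token in ("[.]", "(.)", "{.}", "[dot]"):
        text = text.replace(token, ".")
    return text.replace("[:]", ":").replace("[@]", "@")


def extract_indicators(text: str) -> Set[Indicator]:
    """Auto-detect indicators in alert or ticket text; hashes and domains are lowercased."""
    text = refang(text)
    found: Set[Indicator] = set()
    for kind, rx in _PATTERNS.items():
        for match in rx.findall(text):
            value = match.rstrip(".,;)") if kind == "url" else match.lower()
            found.add((kind, value))
    return found


# STIX object paths this importer understands, mapped to the indicator kinds above.
_STIX_PATH_TO_KIND = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.MD5": "md5",
}
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def import_stix_bundle(bundle_json: str) -> Set[Indicator]:
    """Import non-revoked indicator objects whose pattern is one equality comparison."""
    found: Set[Indicator] = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        match = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match or match.group(1) not in _STIX_PATH_TO_KIND:
            continue  # compound or unsupported patterns are skipped, not guessed at
        kind = _STIX_PATH_TO_KIND[match.group(1)]
        found.add((kind, match.group(2) if kind == "url" else match.group(2).lower()))
    return found


def correlate(new: Set[Indicator], history: Dict[str, Set[Indicator]]) -> List[Tuple[str, Set[Indicator]]]:
    """Rank past incidents by how many indicators they share with the new ones."""
    hits = [(inc_id, new & past) for inc_id, past in history.items() if new & past]
    return sorted(hits, key=lambda hit: (-len(hit[1]), hit[0]))


# Constructed sample data (not real alerts, intel or incidents).
ALERT_TEXT = r"""Constructed EDR alert: powershell.exe spawned from WINWORD.EXE on WS-0412,
wrote C:\Users\jdoe\AppData\Local\Temp\upd.exe
(SHA-256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08), then
reached hxxp://update-check[.]xyz/payload.bin and 185.220.101[.]4 on port 443."""

STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '185.220.101.4']", "valid_from": "2018-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'Update-Check.xyz']", "valid_from": "2018-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "pattern_type": "stix", "pattern": "[file:size > 0] AND [file:name = 'upd.exe']", "valid_from": "2018-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000005",
     "pattern_type": "stix", "pattern": "[url:value = 'http://old.example/x']", "valid_from": "2017-01-01T00:00:00Z", "revoked": True},
]})

HISTORY: Dict[str, Set[Indicator]] = {
    "INC-0731": {("ipv4", "185.220.101.4"), ("domain", "update-check.xyz"), ("md5", "d41d8cd98f00b204e9800998ecf8427e")},
    "INC-0802": {("domain", "billing-portal.top")},
    "INC-0915": {("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")},
}


def triage(alert_text: str = ALERT_TEXT, stix_json: str = STIX_BUNDLE, history=HISTORY):
    """Combine extracted and imported indicators, then correlate against past incidents."""
    indicators = extract_indicators(alert_text) | import_stix_bundle(stix_json)
    return indicators, correlate(indicators, history)


if __name__ == "__main__":
    found, related = triage()
    print(sorted(found))
    for inc_id, shared in related:
        print(inc_id, sorted(shared))
```

Normalizing case and defanging before comparison is what makes the correlation work: the same domain written as `Update-Check.xyz` in a feed and `update-check[.]xyz` in an analyst's note must collapse to one indicator, and the STIX importer deliberately skips compound patterns rather than mis-reading half of one.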

Page 18:

Get Smarter with Each Incident

DBot: force multiplier for your analysts

• DBot learns from analyst actions and historical information
• Custom suggestions for incident assignment
• Identifies experts for each type of incident
• Suggests the best products and commands for resolving incidents

Page 19:

The Demisto Community: the largest IR community

Build IR playbooks and automation scripts
• ~1000 automations to use for free and contribute back
• Based on the open COPS standard

Share security playbooks, tools and knowledge with peers
• 2,600 security experts and growing, from 53 time zones
• Open source integrations and automations
• Open Playbook Standard (COPS)

Page 20:

Integration Demo: See the power of Carbon Black & Demisto together

Page 21:

Q&A: Taking live questions

Page 22:

Questions & Resources

• A follow-up email will be sent with the webinar recording
• Resources
  [Solution Brief] Learn more about the Carbon Black and Demisto integration: https://goo.gl/rwsDW7
  [Carbon Black White Paper] Building a High-Speed SOC: https://goo.gl/cqKvrU
  [Gartner SOAR Report] See how Demisto meets your Security Orchestration, Automation, and Response needs: https://goo.gl/cHJa4X