Confidential © 2018 Demisto. All Rights Reserved.
[Webinar]
A New Year, a New SOC
How Carbon Black & Demisto
Future-Proof Your SOC
Introductions
• Ask questions by using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute
• Everyone will receive the recording and slides by Monday
• Speakers
Rick McElvoy, Security Strategist at Carbon Black
Rishi Bhargava, Co-founder of Demisto
Why the Carbon Black / Demisto Partnership?
• Orchestrate endpoint protection, compliance actions, and threat hunting through playbooks
• Accelerate investigations by combining collaboration and automation with rich endpoint forensics data
• Reduce MTTR with automated block actions that require approval
Automate endpoint protection, application control and incident response
Stop the Most Attacks
Most Proven Next-Generation Endpoint Security
Confidential © 2018 Carbon Black. All Rights Reserved.
Building a Highly Effective, High-Speed SOC
What Makes a High-Speed SOC? Capabilities … not functions
SOC
People
Intelligence
Automation
What Can You Control?
TECHNOLOGY
Hire more humans?
Get better intel?
Invest in newer tools?
Before We Get to Automation … We Have to Talk About Process
• Document, document, document
• Create a rapid feedback loop
• Think Agile
• Build in flexibility and agility
Automation
• Automation at multiple points
  Assessments
  Response
  Remediation
  Threat Feeds
  Ticketing
  Change Management Reviews (Normal)
• Tools are integrated at multiple levels
  1-to-1
  1-to-many
  APIs, APIs, APIs
• Convergence of Detection, Prevention, Logging and Response Platforms
Technology
• Point security solutions are useless
• Integration at multiple points
• Needs to fit the team
  Teams need the right tools at the right time, not all the tools all the time
• Technology should be used to enable People, Process and Intel
Automation, Orchestration and Beyond
From the War Room to the Board Room
SOC Challenges
Growing alerts: >10K alerts per week
IR process: no consistent process, no metrics, run over email
Lack of skilled analysts: a shortage of 2 million analysts
Long MTTR & risk: weeks to resolve each detected incident
“Our MTTR is too long. Every added day translates into lost money and company brand risk.”
– CISO
“The few, experienced security experts are overwhelmed with the growing number of alerts.”
– SOC Director
“I spend too much time with too many products to manage incident response.”
– IR Analyst
A NEW MODEL IS NEEDED
Why Demisto?
Automation and Orchestration: increase efficiency and leverage existing investments
Collaboration and Learning: enhance team performance with collaboration and machine learning
Complete Case Management: incident response process, track metrics and goals
The connected fabric for your security infrastructure and teams
Stage 1: Consistent and documented process
Stage 2: Automate redundant and repeatable steps
Stage 3: Enhance team performance and learning
SOC Challenges
Why Demisto? Reduced MTTR & Reduced Operational Risk
Demisto Enterprise
Case Management, Automation & Collaboration
Intelligent Automation
• Automate Playbooks for Incidents and Security Operations
• Automation Playbooks: 120+ Extensible Integrations | ~1000 Security Actions
Threat Management
• Historical correlation of all Indicators across incidents
• Auto-detection of indicators and STIX import
• Import STIX and analyze indicators across incidents
Incident Management
• Comprehensive SLA Tracking & Metrics
• Evidence Collection and Journaling
• Meets Regulatory Mandates and Compliance
Real-Time Interactive Investigation
• Real-Time Collaboration and Hand-Offs
• DBot ChatOps capability for real-time interactive investigation with experts and tools
• Auto Documentation for all investigation actions
*Learning DBot empowers Tier 1 through 3 analysts
Get Smarter with Each Incident
• DBot learns from analyst actions and historical information
• Custom suggestions for incident assignment
• Identify experts for each type of incident
• Suggestions for the best products and commands to resolve incidents
DBot: Force multiplier for your analysts
The Demisto Community
The Largest IR community
Build IR playbooks and automation scripts
• ~1000 automations to use for free and contribute back
• Based on the open COPS standard
Share security playbooks, tools, and knowledge with peers
• 2,600 security experts and growing, from 53 time zones
• Open source integrations and automations
• Open Playbook Standard (COPS)
Integration Demo
See the power of Carbon Black & Demisto together
Q&A
Taking live questions
Questions & Resources
• A follow-up email will be sent with the webinar recording
• Resources
[Solution Brief]: Learn more about the Carbon Black and Demisto integration
https://goo.gl/rwsDW7
[Carbon Black White Paper]: Building a High-Speed SOC
https://goo.gl/cqKvrU
[Gartner SOAR Report]: See how Demisto meets your Security Orchestration, Automation, and Response needs
https://goo.gl/cHJa4X