Blog Post

Awake and Demisto Power Automated Network Detection and Response

Security teams consider detection and response critical components of an organization’s cybersecurity posture. The next generation of attacker tactics, techniques and procedures (TTPs) takes advantage of legitimate tools that already exist within the environment, “living off the land” and leaving security teams scrambling to eliminate threats that blend in with business-justified activity. Traditional security tools aren’t equipped to keep up with these changing TTPs, and network detection and response suffers most from the thin line between malicious intent and benign behavior. Awake Security recognizes these challenges and addresses them head on. By partnering with Demisto, Awake enables customers to speed up remediation with incident response playbooks triggered by Awake detections. Just as importantly, Awake-generated investigative context is accessible from Demisto playbooks that respond to any alert, whatever its source.

Awake helps security teams detect today’s threats by using artificial intelligence (AI) and machine learning to identify specific attacker TTPs. By automating much of the data gathering and manual correlation that an analyst would otherwise perform by hand, Awake gives security teams unprecedented network visibility. The Awake Security Platform enables them to understand what’s normal for their unique organization, flag anomalies that could indicate a threat, and stop attackers that exploit otherwise benign tools and infrastructure.

But identifying threats is only the beginning. Security teams also need a way to standardize, automate, and coordinate response across their people and their product stack. Demisto, a Security Orchestration, Automation, and Response (SOAR) platform, streamlines this process. By leveraging Demisto Enterprise’s integrations with hundreds of security products, security teams can build playbooks that combine automated tasks with manual best practices to standardize and scale incident response, reduce MTTR (Mean Time to Respond) for security incidents, and free up time for deeper investigations.

By combining Awake’s network detection and response capabilities with Demisto Enterprise, security teams get deeper, real-time network intelligence and can accelerate incident response with actionable steps across security deployments.

Awake and Demisto: Better Together

Using the combined Awake Security Platform and Demisto Enterprise, security teams are empowered in several different ways. Just a couple of these use cases are highlighted below:

Rapid Detection and Response to Mal-Intent from Inside and Outside Actors

Security teams can look for mal-intent that blends in with business-justified activity, a process that only the most sophisticated threat hunters can accomplish with traditional security solutions. Awake autonomously detects mal-intent using a combination of AI-based behavioral analytics and detection rules that identify known attacker TTPs. Detections raised by Awake’s DetectIQ™ automatically create incidents within Demisto, which in turn trigger automated response and remediation actions through Demisto’s orchestration playbooks and its broader set of system integrations within the enterprise.

Awake’s detection of non-malware attacker activity, combined with rapid response through Demisto playbooks, lets security teams quickly and consistently identify and eliminate threats from malicious insiders and from outside attackers that have breached the perimeter. Faster remediation ultimately lowers the impact to the organization.

Automated Context and Data Enrichment

Information fragmented across multiple screens of differing security intelligence and incident response tools makes it difficult for SOC teams to track the lifecycle of an incident, and bogs analysts down in important but error-prone, repetitive actions.

Security teams using Awake for network detection and response and Demisto Enterprise for security orchestration and incident response can automate threat enrichment through Demisto playbooks. These playbooks harness Awake’s EntityIQ™ data for rich context and risk profiles of devices, users, and domains, and use that information to execute actions across the entire stack of products within the security infrastructure. The combination of Demisto playbooks with Awake Security automates repeatable tasks, which gives analysts valuable time back in their day for deeper investigation and strategic action. For instance, when investigating spearphishing, an incident responder often needs to determine all devices associated with a particular email address and then perhaps quarantine those devices. Awake easily correlates information like email addresses with devices and Demisto’s broad integrations allow for isolating those devices.
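The two workflows described above (a network detection opening an incident, and the response playbook enriching that incident with device context before deciding what to contain) can be sketched in a few dozen lines. The following is an added example written for this page, not code from Awake or Demisto: the record layouts, function names, risk threshold and sample data are all constructed assumptions standing in for the DetectIQ™, EntityIQ™ and Demisto data models, which are not shown on this page. It includes the check a practitioner would want in such a playbook: devices in protected roles (here, servers) are handed to an analyst rather than auto-isolated, because an automated isolation of a mail gateway causes an outage worse than the phishing click.

```python
"""Toy walk-through of detection -> incident -> enrichment -> containment plan.

Everything here is constructed for illustration. Record layouts, names and
thresholds are assumptions for this example, not the Awake DetectIQ,
EntityIQ or Demisto data models or APIs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    hostname: str
    users: frozenset      # e-mail addresses observed on the device (constructed)
    risk_score: int       # 0-100 network-behaviour risk score (constructed)
    role: str             # "workstation" or "server" (constructed)


# Constructed sample of the per-device context a network platform might expose.
DEVICES = (
    Device("d1", "LAPTOP-JSMITH", frozenset({"jsmith@example.com"}), 82, "workstation"),
    Device("d2", "LAPTOP-SHARED", frozenset({"jsmith@example.com", "bjones@example.com"}), 35, "workstation"),
    Device("d3", "MAIL-GW-01", frozenset({"jsmith@example.com"}), 90, "server"),
    Device("d4", "LAPTOP-BJONES", frozenset({"bjones@example.com"}), 10, "workstation"),
)

# Constructed detection record, standing in for a network detection rule hit.
SAMPLE_DETECTION = {
    "rule": "spearphishing link click",
    "target_email": "JSmith@Example.com",   # mixed case on purpose
    "confidence": 0.9,
}


def normalize_email(email):
    """Lower-case and strip so the same address from two sources matches."""
    return email.strip().lower()


def incident_from_detection(detection):
    """Map a detection into the incident a SOAR platform would open.

    Severity is derived from detection confidence; the cut-offs are assumptions.
    """
    confidence = detection["confidence"]
    severity = "high" if confidence >= 0.8 else "medium" if confidence >= 0.5 else "low"
    return {
        "type": detection["rule"],
        "severity": severity,
        "email": normalize_email(detection["target_email"]),
    }


def devices_for_email(devices, email):
    """Enrichment step: every device on which the address has been observed."""
    wanted = normalize_email(email)
    return [d for d in devices if wanted in {normalize_email(u) for u in d.users}]


def plan_response(devices, email, risk_threshold=50, protected_roles=("server",)):
    """Decide per device what the playbook should do.

    - any device in a protected role: hand to an analyst, never auto-isolate
    - risk at or above the threshold on an ordinary endpoint: isolate it
    - everything else: keep watching, do not touch
    """
    plan = {"isolate": [], "analyst_review": [], "monitor": []}
    for d in devices_for_email(devices, email):
        if d.role in protected_roles:
            plan["analyst_review"].append(d.device_id)
        elif d.risk_score >= risk_threshold:
            plan["isolate"].append(d.device_id)
        else:
            plan["monitor"].append(d.device_id)
    return plan


def run_playbook(detection, devices=DEVICES):
    """End to end: detection -> incident -> enrichment -> containment plan.

    Returns the incident with the plan attached, the way a playbook would
    write its results back into the incident context for the analyst.
    """
    incident = incident_from_detection(detection)
    incident["plan"] = plan_response(devices, incident["email"])
    return incident


if __name__ == "__main__":
    import json
    print(json.dumps(run_playbook(SAMPLE_DETECTION), indent=2))
```

Running the script on the constructed detection isolates the high-risk laptop, leaves the shared low-risk laptop under observation, and routes the mail gateway to an analyst even though it carries the highest risk score. Address normalization matters in practice because mail, directory and network sources rarely agree on case.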

Current solutions can miss fileless attacks that abuse benign tools and infrastructure, because the activity blends in with business-justified applications that are not perceived as threats. The Awake Security Platform flags the threat to security teams, who can then use that information to trigger a response playbook in Demisto and minimize the impact of these modern attacks.

For more information about our integration with Demisto, get in touch with the team at [email protected]. You can also find a full list of our technology alliance partners at https://awakesecurity.com/partners/.


Gabriel Gonzalez

Software Engineer