
PODCAST: How freeing security analysts from repetitive tasks can turbo boost SOCs

By Byron V. Acohido

It wasn’t too long ago that security start-up Demisto was merely a notion bantered over at a coffee break. While working at McAfee, Slavik Markovich and Rishi Bhargava would sip espresso and discuss the challenges companies faced getting more effective protection from their Security Operation Centers, or SOCs.

Related article: How MSSPs can help small and mid-sized businesses

They took it a step further by polling security professionals. The feedback they got was consistent. The security pros reported that, despite having invested heavily in SOCs, their organizations continued to struggle to make productive sense of endless signals from overlapping detection systems, even as the volume of cyber attacks continued to intensify. What’s more, the shortage of skilled security analysts available to try to make sense of it all continued to worsen.

I had the opportunity to meet with Bhargava at Demisto’s exhibit booth at RSA Conference 2018 last week in San Francisco. He relayed a fascinating story about how Demisto was formed to address this need, leaping from a coffee break notion to 60 employees with total VC backing of $26 million in two years. Launched in May 2016, Demisto is bringing a fresh approach to the Security Orchestration, Automation and Response (SOAR) platform space.

For a full drill down, please listen to the accompanying podcast of our discussion. A few takeaways:

Task tiers

Companies that have invested in SOCs still run into dead ends all too often. Existing security tools can flag alerts, but “somebody’s got to look at them. If you get an alert, somebody needs to have eyes on it,” Bhargava says, and it needs to be monitored across time zones. Hackers don’t wait for a specific time to strike.


“You do not have enough good analysts to look at those … there’s fantastic education going on — a bunch of universities are trying to promote what they’re teaching their analysts — but still you’re not going to be able to catch up with the bad guys.”

Conversations with senior security executives made two things apparent: security analysts were stuck doing too many repetitive tasks, and there was much to be gained if SOC analysts could be freed up to spend more of their time on higher-end critical thinking tasks.

Bhargava and his fellow co-founders concluded that companies needed a more effective way to automate repetitive tasks required by overlapping security systems, along with a robust interface designed to enable analysts and researchers “to collaborate and chat in real time about those security incidents when the incident is happening.”

Compiling playbooks

Demisto’s technology leverages automation to extract useful intelligence from more than 160 security products, including firewalls, SIEMs, endpoint protection and threat hunting systems. This intel then becomes source material for “playbooks” that pose a series of questions designed to triage security alerts much more efficiently and effectively.

“This is something that exists in every aspect of life,” Bhargava says. “You have a certain set of steps which you need to follow when you get into a certain situation.”

For example, if an IT staffer gets an alert that an executive’s laptop is lost, certain steps are followed: disable the account; remotely wipe the data; file a police report, etc. “There’s a playbook … a series of steps that you’d do in a scenario,” Bhargava says. “It’s a visual flow chart … we let you automate, because each of these could be tied to a product. We can let you automate each of the steps in the playbook.”

By channeling repetitive tasks to machines, human analysts get freed up to use their training, experience and intuition to greater effect. Demisto has gotten traction with this approach inside 12 of the Fortune 500, as well as more than 50 other companies, and has helped SOC teams in those organizations reduce the number of alerts requiring human review by as much as 95 percent.

SOAR platforms first began arriving in the cybersecurity market some three years ago. Demisto’s technology, and others like it, represents an important advance; they enable security operations teams to automate and prioritize security operational activities that can range from meeting compliance requirements to detecting and deterring malicious parties already lurking deep inside company networks.

(Editor’s note: Last Watchdog has supplied consulting services to Demisto.)


MY TAKE: Oracle aims to topple Amazon in cloud services — by going database-deep with security

By Byron V. Acohido

Ahoy, Jeff Bezos and Amazon. Watch out! Larry Ellison and Oracle are coming after you.

The ever-feisty Ellison, 73, founder of Oracle and an America’s Cup sailing champion, recently tacked the good ship Oracle onto a new course. Last October, Ellison announced the launch of a pioneering set of automated cloud services, and boasted that these new tools will help Oracle overtake Amazon as a leading cloud services provider.

Related article: Companies need a compliance strategy

Notably, a linchpin of Oracle’s new cloud strategy is cybersecurity. Specifically, the company has come up with technology that directs machine learning anomaly detection capabilities much deeper than any other security vendor has gone heretofore – into the database layer of company networks.

I recently …more

GUEST ESSAY: Rising workplace surveillance is here to stay; here’s how it can be done responsibly

By Elizabeth Rogers

People often recite the cynical phrase that ‘privacy is dead.’ I enthusiastically disagree and believe, instead, that anonymity is dead.

One area where this is being increasingly demonstrated is in the workplace. Employee surveillance has been rising steadily in the digital age. And because it’s difficult, if not impossible, to keep one’s digital work life separate from one’s digital private life, the potential for abuse to happen while carrying out an employee surveillance program is real.

Related video: SXSW panel hashes over employee monitoring

However, I firmly believe that, together, we can preserve employee privacy through clearly stated social ‘contracts’ and fair enforcement of same.

Let’s begin with the notion that employees, unless advised otherwise, have a right to privacy in the workplace. However, the scales also tip in favor of the employer to monitor threats to the company’s intellectual property.

Unique ties

Employers and employees share a unique relationship built on trust. When it comes to assets of the company, it is in the mutual interest of both that they stay protected. Generally, employees will sign a contract, in the form of a Non-disclosure Agreement that yields to the …more

Q&A: How to prepare for Spectre, Meltdown exploits — and next-gen ‘microcode’ attacks

By Byron V. Acohido

If you think the cyber threat landscape today is nasty, just wait until the battle front drops to the processor chip level.

Related article: A primer on microcode vulnerabilities

It’s coming, just around the corner. The disclosure in early January of Spectre and Meltdown, critical vulnerabilities that exist in just about all modern computer processing chips, introduced virgin territory for well-funded, highly motivated criminal hackers. And this is where the front lines will inevitably shift — to a much deeper level of the digital systems we take for granted.

Spectre and Meltdown are the first examples of a new class of flaws so deep and so profound that they really can’t be fixed until the next generation of chips gets here. That suggests that well-financed, highly motivated criminal hacking rings have years, if not a decade or more, ahead of them to take full advantage.

We are in this predicament because the chipmakers, led by Intel, AMD and ARM, aided and abetted by the operating system suppliers, Microsoft, Apple and Linux, made a decision in 1995 to toss security in the back seat as they embarked, hell bent, on a race to build and leverage faster and faster Central Processing Units, or CPUs.

The chipmakers came up with a technique, called “speculative execution,” essentially taking shortcuts at the chip level, slightly delaying verification checks to buy more clock speed. Meltdown and Spectre represent two approaches hackers can now take to manipulate speculative execution at the chip level and thereby gain access to any sensitive data residing a level above — in the operating system memory. …more

PODCAST: Why companies need a strategy to manage compliance, now more than ever

By Byron V. Acohido

Businesses are embracing the public cloud at an accelerated pace — and for good reason. By tapping hosted services, companies of all sizes and in all verticals are finding fresh, dynamic ways to engage with employees, suppliers, partners and customers.

Related articles: 5 things to do to prep for GDPR

However, as companies race to mix and match cloud-delivered storage, processing power and business apps from the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in traditional perimeter network defenses are turning up. Smitten by the benefits of cloud computing, many companies have not bothered to fully address the “shared responsibility” model for security underlying the public cloud.

By the same token, ever-opportunistic cyber criminals have already begun pouncing on these emerging exposures. Emergent cloud computing vulnerabilities have gotten a lot of attention by the cybersecurity community, as well they should.

Much less well understood, and yet quite possibly a much more clear and present risk for many thousands of companies, is the risk of non-compliance. It turns out that in the rush to move to the cloud, companies have created many more opportunities for violating the matrix of industry standards and government regulations that touch on data handling and data privacy. …more

MY TAKE: A breakdown of why Spectre, Meltdown signal a coming wave of ‘microcode’ attacks

By Byron V. Acohido

Hundreds of cybersecurity vendors are making final preparations to put their best foot forward at the RSA Conference at San Francisco’s sprawling Moscone Center next week. This will be my 15th RSA, and I can say that there is a distinctively dark undertone simmering under this year’s event. It has to do with a somewhat under-the-radar disclosure in early January about a tier of foundational security holes no one saw coming.

Related article: Meltdown, Spectre foreshadow another year of nastier attacks

Spectre and Meltdown drew a fair amount of mainstream news coverage. But I fear their true significance hasn’t resonated. We now know that there will be no quick way to fix this pair of milestone vulnerabilities that lurk in the architecture of just about every modern processor chip.

As I get ready to head to RSA, it struck me that none of the legacy security systems being hyped at the glitzy exhibition booths I’ll see at RSA seem able to solve this problem or mitigate the risks.


“Spectre and Meltdown will be the enormous elephants in the room at RSA,” said Atiq Raza, CEO of security firm Virsec. “The chip and OS vendors have failed with multiple patches and are asking for patience. Meanwhile, few security vendors understand or monitor what happens between applications and processors. This is leaving most customers worried and scratching their heads.”

Chip/kernel 101

To understand how profoundly Spectre and Meltdown have changed the cybersecurity landscape requires a bit of technical context. Processor chips are formally referred to as the Central Processing Unit, or CPU. These are the semiconductor chips manufactured by Intel, AMD, ARM and a few others.

CPUs give life to any computing device you can name. CPUs interact with the operating system, or OS, such as Windows, Macintosh, iOS and Linux. The OS, in turn, enables applications such as web browsers, smartphone apps, business apps, web apps, games, video — and the digital infrastructure behind them — to run.

Around 1995, CPUs started getting dramatically faster and have been getting incrementally faster ever since. This happened both because of improvements in the hardware and clever ways engineers found to make processes more efficient. Every OS has a core piece of software, called the kernel, that manages and directs how each application can tap into the CPU. Keep in mind, …more

GUEST ESSAY: How Orbitz’s poor execution of a systems upgrade left data exposed

By Natalie Williams

In case you thought it had been a suspiciously long time since a massive data breach was announced, well, here you go. Just a couple of days ago, Orbitz (part of the massive travel conglomerate Expedia) revealed that during the second part of last year, the personal data of many of their users was breached.

And by “many,” I mean somewhere in the neighborhood of 880,000. And while Orbitz promises that no Social Security Numbers were compromised, a lot of other data was: names, dates-of-birth, even email and street addresses. And, of course, credit card information. Let’s not forget that.

Related podcast: Why 2018 will be the year of the CISO

Importantly, this was not a phishing attack. It was a system hack, and although the exact method is unknown, the hackers did target an older Orbitz platform (not Orbitz.com), as well as partner sites (on separate occasions), and were able to access records still embedded in it.

And unlike with Equifax, this also doesn’t appear to be a situation in which administrators followed blatantly terrible password security practices. These data loss situations are always somewhat harder to assess, since they can’t be directly traced back to a clear and specific bad decision. They’re also harder to pass judgement on or attempt to provide solutions for, for the same reason. And yet, anytime this much data is exposed, there’s a serious issue. Something wasn’t adequately protected—someone wasn’t doing what they were …more