PODCAST: How freeing security analysts from repetitive tasks can turbo boost SOCs

By Byron V. Acohido

It wasn’t too long ago that security start-up Demisto was merely a notion bantered over at a coffee break. While working at McAfee, Slavik Markovich and Rishi Bhargava would sip espresso and discuss the challenges companies faced getting more effective protection from their Security Operation Centers, or SOCs.

They took it a step further by polling security professionals. The feedback they got was consistent. The security pros reported that, despite having invested heavily in SOCs, their organizations continued to struggle to make productive sense of endless signals from overlapping detection systems, even as the volume of cyber attacks continued to intensify. What’s more, the shortage of skilled security analysts available to make sense of it all continued to worsen.

I had the opportunity to meet with Bhargava at Demisto’s exhibit booth at RSA Conference 2018 last week in San Francisco. He relayed a fascinating story about how Demisto was formed to address this need, leaping from a coffee break notion to 60 employees with total VC backing of $26 million in two years. Launched in May 2016, Demisto is bringing a fresh approach to the Security Orchestration, Automation and Response (SOAR) platform space.

For a full drill down, please listen to the accompanying podcast of our discussion. A few takeaways:

Task tiers

Companies that have invested in SOCs still run into dead ends all too often. Existing security tools can flag alerts, but “somebody’s got to look at them. If you get an alert, somebody needs to have eyes on it,” Bhargava says, and it needs to be monitored across time zones. Hackers don’t wait for a specific time to strike.

“You do not have enough good analysts to look at those … there’s fantastic education going on — a bunch of universities are trying to promote what they’re teaching their analysts — but still you’re not going to be able to catch up with the bad guys.”

Conversations with senior security executives made two things apparent: security analysts were stuck doing too many repetitive tasks, and there was much to be gained if SOC analysts could be freed up to spend more of their time on higher-end critical thinking tasks.

Bhargava and his fellow co-founders concluded that companies needed a more effective way to automate repetitive tasks required by overlapping security systems, along with a robust interface designed to enable analysts and researchers “to collaborate and chat in real time about those security incidents when the incident is happening.”

Compiling playbooks

Demisto’s technology leverages automation to extract useful intelligence from more than 160 security products, including firewalls, SIEMs, endpoint protection and threat hunting systems. This intel then becomes source material for “playbooks” that pose a series of questions designed to triage security alerts much more efficiently and effectively.

“This is something that exists in every aspect of life,” Bhargava says. “You have a certain set of steps which you need to follow when you get into a certain situation.”

For example, if an IT staffer gets an alert that an executive’s laptop is lost, certain steps are followed: disable the account; remotely wipe the data; file a police report, etc. “There’s a playbook … a series of steps that you’d do in a scenario,” Bhargava says. “It’s a visual flow chart … we let you automate, because each of these could be tied to a product. We can let you automate each of the steps in the playbook.”

By channeling repetitive tasks to machines, human analysts get freed up to use their training, experience and intuition to greater effect. Demisto has gotten traction with this approach inside 12 of the Fortune 500, as well as more than 50 other companies, and has helped SOC teams in those organizations reduce the number of alerts requiring human review by as much as 95 percent.
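To make the playbook idea concrete, here is a small playbook runner written for this article as an added illustration; it is not Demisto’s code or API. It models a playbook as a flow chart of steps, each step tied to a stubbed product integration (hypothetical IAM, MDM and ticketing stand-ins that only record what they would have done), and walks the lost-laptop scenario from the interview: disable the account, wipe the device, file a police report. One triage question is added here as an assumption: a laptop that is not enrolled in MDM cannot be wiped remotely, so the playbook hands that alert to an analyst rather than silently skipping the step. Running a batch of constructed alerts through it shows how many still need human eyes.

```python
"""Playbook runner sketch: an added illustration of the playbook idea
described in the article, not Demisto's code or API. Product integrations
are in-process stubs that only record what they would have done."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Context = Dict[str, object]


@dataclass
class Step:
    """One box in the flow chart. `action` is the automated task (tied to a
    product in a real platform). If `question` is set, its answer selects the
    next step from `branches`; otherwise control passes to `next`."""
    action: Callable[[Context], None]
    question: Optional[Callable[[Context], str]] = None
    branches: Dict[str, Optional[str]] = field(default_factory=dict)
    next: Optional[str] = None


@dataclass
class Playbook:
    name: str
    start: str
    steps: Dict[str, Step]

    def run(self, alert: Context, max_steps: int = 50) -> Context:
        """Walk the flow chart for one alert, recording each step taken."""
        ctx: Context = dict(alert)
        ctx["trail"] = []
        ctx["actions"] = []
        current: Optional[str] = self.start
        taken = 0
        while current is not None:
            taken += 1
            if taken > max_steps:  # guard against a mis-wired loop in the chart
                raise RuntimeError(f"{self.name}: exceeded {max_steps} steps")
            step = self.steps[current]
            step.action(ctx)
            ctx["trail"].append(current)
            if step.question is not None:
                current = step.branches[step.question(ctx)]
            else:
                current = step.next
        return ctx


# --- stub integrations (hypothetical stand-ins for IAM, MDM, ticketing) ---
def disable_account(ctx: Context) -> None:
    ctx["actions"].append(f"iam.disable({ctx['user']})")

def check_mdm_enrollment(ctx: Context) -> None:
    ctx["actions"].append(f"mdm.lookup({ctx['device']})")

def remote_wipe(ctx: Context) -> None:
    ctx["actions"].append(f"mdm.wipe({ctx['device']})")

def file_police_report(ctx: Context) -> None:
    ctx["actions"].append(f"ticketing.open(police_report, {ctx['device']})")

def close_incident(ctx: Context) -> None:
    ctx["status"] = "closed-automated"

def escalate(ctx: Context) -> None:
    ctx["status"] = "needs-analyst"


# The lost-laptop flow from the article, plus one triage question assumed
# here: a device not enrolled in MDM cannot be wiped remotely, so that case
# goes to a human instead of being skipped.
LOST_LAPTOP = Playbook(
    name="lost-laptop",
    start="disable_account",
    steps={
        "disable_account": Step(disable_account, next="check_mdm"),
        "check_mdm": Step(
            check_mdm_enrollment,
            question=lambda ctx: "yes" if ctx.get("mdm_enrolled") else "no",
            branches={"yes": "remote_wipe", "no": "escalate"},
        ),
        "remote_wipe": Step(remote_wipe, next="file_report"),
        "file_report": Step(file_police_report, next="close"),
        "close": Step(close_incident),
        "escalate": Step(escalate),
    },
)


def triage(alerts: List[Context], playbook: Playbook) -> Dict[str, int]:
    """Run every alert through the playbook and count what still needs eyes."""
    counts = {"closed-automated": 0, "needs-analyst": 0}
    for alert in alerts:
        result = playbook.run(alert)
        counts[result["status"]] += 1
    return counts


# Constructed sample alerts (not real data).
SAMPLE_ALERTS: List[Context] = [
    {"user": "cfo", "device": "LT-0101", "mdm_enrolled": True},
    {"user": "coo", "device": "LT-0102", "mdm_enrolled": True},
    {"user": "cto", "device": "LT-0103", "mdm_enrolled": False},
    {"user": "ciso", "device": "LT-0104", "mdm_enrolled": True},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, LOST_LAPTOP))
```

The `trail` and `actions` lists on each result are the audit record an analyst would review when an alert is escalated: they show exactly which automated steps ran before the hand-off. The step limit in `run` is the one safety check worth keeping even in a toy: a playbook whose branches loop back on themselves should fail loudly rather than hammer a product integration.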

SOAR platforms first began arriving in the cybersecurity market some three years ago. Demisto’s technology, and others like it, represents an important advance; they enable security operations teams to automate and prioritize security operational activities that can range from meeting compliance requirements to detecting and deterring malicious parties already lurking deep inside company networks.

(Editor’s note: Last Watchdog has supplied consulting services to Demisto.)
