Symantec and Demisto: Responding at Scale with the Right Information at the Right Time

Security systems are very good at collecting data about potential threats and security events. Yet, all systems are prone to inundating analysts with false positives—in some cases, making it more difficult, not easier, to detect the true threats. Just as often, alerts leave analysts will little guidance on the appropriate next steps for response.

Research has found that security teams review over 12,000 alerts per week on average, leading to alert fatigue. Analysts have put the blame on both the technology and a relatively lack of expertise, with 46 percent of workers feeling that their security tools generated too many alerts and 79 percent of analysts blaming a lack of experience or head count. A direct outcome of rising alert volumes is that the mean time to respond (MTTR) remains high, with incidents requiring an average of 4.35 days to resolve.

This leaves analysts with two basic problems:

1. Separating out the right information from the large volumes of security data at your disposal, and
2. Determining the proper steps for standardized response instead of leaving incidents in SOC purgatory.

In our quest to bring more context to security events and more speed to security response, Demisto has integrated Symantec’s deep security intelligence into our automation and orchestration product, allowing single analysts and cross-functional teams to improve investigation quality and accelerate response across their security tool stack.

Our aim is to give analysts investigating a suspicious event as much context as possible in the same workspace. Unless absolutely needed, analysts do not want to shift from one console to another in the midst of investigation—that leads to a fragmented process. Instead, Demisto pulls in information from a variety of sources, integrating them into a multi-faceted analysis of a single incident. Our product also integrates with a range of enforcement and response tools, enabling analysts to maximize the utility of their security tools from a central location.

Coordinating ingestion, enrichment, investigation, and response across hundreds of products and sources, Demisto’s security orchestration, automation, and response (SOAR) platform helps security teams reduce their mean time to respond (MTTR), a critical metric that companies need to decrease to improve their security posture.

Demisto integrates with multiple Symantec products including Symantec Endpoint Protection (SEP), Advanced Threat Protection, Messaging Gateway, and Managed Security Services to centralize visibility and serve security teams across the incident lifecycle. These integrations enable teams to harmonize endpoint protection, threat protection, and incident monitoring actions through automatable Demisto playbooks. Demisto’s orchestration can also further enrich Symantec’s data with intelligence from over 200 other security products.

Demisto joined Symantec’s Technology Integration Partner Program (TIPP) in 2017 and through TIPP and together with Symantec, we are able to serve our customers better.  As Peter Doggart, Symantec's VP of Business Development explains about TIPP, "While many partner programs exist today, we have decided to focus on the technical integration aspect of partnership. This is the single most important aspect of making a difference in security. By working to integrate our Cyber Defense Platform with Demisto, our customers can take full advantage of automation workflows and increase productivity in their SOC." 

Our strong and long-standing integrations with Symantec have led to multiple enterprise deployments and helped customers automate attack investigation and response.  One telecom customer utilizes Demisto’s integration with Symantec Endpoint Protection (SEP) for malware enrichment and response. When correlated alerts come from a security information and event management (SIEM) system, Demisto combines the alert information with context from SEP. This alert triggers a playbook that queries multiple threat intelligence tools to get IOC reputation. The playbook then gathers endpoint details and runs both behavioral analytics using a customer-owned security tool and Demisto’s dissolvable agent on infected endpoints. These actions help extract a wealth of data from the endpoint—such as file details and memory dumps—and integrate the information into Demisto for the security team’s perusal. 

Demisto’s platform also provides closer collaboration for deeper investigations. In the previous use case, the telecom customer utilizes Demisto’s War Room to view playbook task results, collaborate on plans of action, and run follow-up security commands in real-time.

The need for inter-product connectivity in security is apparent today. The granularity and openness of Symantec’s APIs have made our integrations easy to set up and refine with time. In fact, Symantec’s APIs coupled with Demisto’s Build Your Own Integration (BYOI) capabilities have empowered customers to build their own Symantec integrations within the Demisto platform. A healthcare customer created their own Demisto integration with Symantec DeepSight Intelligence and are leveraging threat data within their playbooks for incident enrichment. 

With cyber security workers still in short supply, security teams will be understaffed for the foreseeable future. If analysts spend time manually reconciling data across sources and performing repetitive actions, dangerous threats are bound to slip through the cracks. Organizations need a tool stack that aggregates security data and drives that data to response in a standardized and scalable manner.

Symantec and Demisto users can use our integrations to gather relevant intelligence and enforce response actions in an automated fashion. Executing high-quantity and day-to-day processes at machine speed gives teams more time to take the decisions that really matter. With alert numbers not showing any signs of dropping, improving response speed is the best answer we have.