Symantec and Demisto: Responding at Scale with the Right Information at the Right Time

Our aim is to give analysts investigating a suspicious event as much context as possible in the same workspace. Unless absolutely needed, analysts do not want to shift from one console to another in the midst of investigation—that leads to a fragmented process. Instead, Demisto pulls in information from a variety of sources, integrating them into a multi-faceted analysis of a single incident. Our product also integrates with a range of enforcement and response tools, enabling analysts to maximize the utility of their security tools from a central location.

Coordinating ingestion, enrichment, investigation, and response across hundreds of products and sources, Demisto’s security orchestration, automation, and response (SOAR) platform helps security teams reduce their mean time to respond (MTTR), a critical metric that companies need to decrease to improve their security posture.

Demisto integrates with multiple Symantec products including Symantec Endpoint Protection (SEP), Advanced Threat Protection, Messaging Gateway, and Managed Security Services to centralize visibility and serve security teams across the incident lifecycle. These integrations enable teams to harmonize endpoint protection, threat protection, and incident monitoring actions through automatable Demisto playbooks. Demisto’s orchestration can also further enrich Symantec’s data with intelligence from over 200 other security products.

Demisto joined Symantec’s Technology Integration Partner Program (TIPP) in 2017; through TIPP, and together with Symantec, we are able to serve our customers better. As Peter Doggart, Symantec’s VP of Business Development, explains about TIPP, “While many partner programs exist today, we have decided to focus on the technical integration aspect of partnership. This is the single most important aspect of making a difference in security. By working to integrate our Cyber Defense Platform with Demisto, our customers can take full advantage of automation workflows and increase productivity in their SOC.”

Our strong and long-standing integrations with Symantec have led to multiple enterprise deployments and helped customers automate attack investigation and response. One telecom customer uses Demisto’s integration with Symantec Endpoint Protection (SEP) for malware enrichment and response. When correlated alerts arrive from a security information and event management (SIEM) system, Demisto combines the alert information with context from SEP. Each such alert triggers a playbook that queries multiple threat intelligence tools for IOC reputation. The playbook then gathers endpoint details and runs both behavioral analytics, using a customer-owned security tool, and Demisto’s dissolvable agent on the infected endpoints. These actions extract a wealth of data from the endpoint—such as file details and memory dumps—and bring that information into Demisto for the security team to review.