Challenge: Lack of Incident Management Process

One of the common challenges security operations teams face is the lack of a well-documented, consistent incident response process. Even when a team has a process, it is usually neither followed nor measured for each incident. As a result, the team cannot streamline incident response or improve mean time to respond (MTTR) over time, because there is no consistent record to measure against.

Reduce MTTR with Automation

A large part of every incident investigation is enrichment: looking up the reputation of the artifacts involved and querying data sources for more information about a user, host, IP address, URL or other indicator. All of these tasks can be automated with playbooks, saving analysts considerable time and reducing the time to respond. Playbooks can also check a new alert against incidents already in the queue and flag duplicates, saving further time.
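As an added illustration (not Demisto's own playbook code or API), the following Python sketches the two automated steps described above: pulling indicators out of raw alert text, enriching each one with a reputation verdict, and fingerprinting the artifact set so that a repeat of an existing incident is linked to it instead of opening a second one. The reputation tables, alert texts and indicator values are constructed for the example; in a real playbook each lookup would be a call to a threat-intel integration.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed reputation tables standing in for threat-intel integrations.
# The indicator values are illustrative only, not real observations.
IP_REPUTATION = {"198.51.100.23": "malicious", "203.0.113.9": "suspicious"}
URL_REPUTATION = {"http://bad.example/login": "malicious"}
HASH_REPUTATION = {
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": "malicious",
}
SEVERITY_RANK = {"unknown": 0, "benign": 0, "suspicious": 1, "malicious": 2}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


@dataclass
class Incident:
    incident_id: str
    raw_text: str
    artifacts: Dict[str, str] = field(default_factory=dict)  # value -> kind
    verdicts: Dict[str, str] = field(default_factory=dict)   # value -> verdict
    severity: str = "unknown"
    duplicate_of: Optional[str] = None


def extract_artifacts(text: str) -> Dict[str, str]:
    """Pull URLs, IPv4 addresses and file hashes out of free-form alert text."""
    artifacts: Dict[str, str] = {}
    for url in URL_RE.findall(text):
        artifacts[url.rstrip(".,;)")] = "url"
    # Remove URLs first so an IP embedded in a URL is not also counted as an IP.
    remainder = URL_RE.sub(" ", text)
    for ip in IPV4_RE.findall(remainder):
        artifacts[ip] = "ip"
    for digest in HASH_RE.findall(remainder):
        artifacts[digest.lower()] = "hash"  # normalise case so repeats match
    return artifacts


def lookup_reputation(value: str, kind: str) -> str:
    """Constructed stand-in for a reputation lookup against a threat-intel feed."""
    table = {"ip": IP_REPUTATION, "url": URL_REPUTATION, "hash": HASH_REPUTATION}[kind]
    return table.get(value, "unknown")


def enrich(incident: Incident) -> Incident:
    """Enrichment step: extract artifacts, look each one up, roll up a severity."""
    incident.artifacts = extract_artifacts(incident.raw_text)
    incident.verdicts = {v: lookup_reputation(v, k) for v, k in incident.artifacts.items()}
    incident.severity = max(incident.verdicts.values(),
                            key=SEVERITY_RANK.__getitem__, default="unknown")
    return incident


def fingerprint(incident: Incident) -> str:
    """Order-independent fingerprint of the artifact set, used to spot duplicates."""
    canon = "\n".join(sorted(f"{k}:{v}" for v, k in incident.artifacts.items()))
    return hashlib.sha256(canon.encode()).hexdigest()


class IncidentQueue:
    """Ingests alerts, enriches them and links repeats to the first incident seen."""

    def __init__(self) -> None:
        self._first_seen: Dict[str, str] = {}  # fingerprint -> incident_id
        self.incidents: List[Incident] = []

    def ingest(self, incident_id: str, raw_text: str) -> Incident:
        inc = enrich(Incident(incident_id, raw_text))
        fp = fingerprint(inc)
        if inc.artifacts and fp in self._first_seen:
            inc.duplicate_of = self._first_seen[fp]  # same artifact set already open
        else:
            self._first_seen.setdefault(fp, incident_id)
        self.incidents.append(inc)
        return inc


# Constructed alert texts used as sample input (not real telemetry).
SAMPLE_ALERTS = [
    ("INC-1001", "EDR: user jdoe ran a binary with sha256 "
                 "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 "
                 "that beaconed to 198.51.100.23"),
    ("INC-1002", "Proxy: host ws-17 fetched http://bad.example/login via 203.0.113.9"),
    ("INC-1003", "EDR: user jdoe ran a binary with sha256 "
                 "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 "
                 "that beaconed to 198.51.100.23"),
]


def run_playbook(alerts=SAMPLE_ALERTS) -> IncidentQueue:
    """Run enrichment and duplicate detection over a batch of alerts."""
    queue = IncidentQueue()
    for incident_id, text in alerts:
        queue.ingest(incident_id, text)
    return queue


if __name__ == "__main__":
    for inc in run_playbook().incidents:
        print(inc.incident_id, inc.severity, inc.verdicts, "duplicate of:", inc.duplicate_of)
```

Two things worth noting about the design. Matching on the exact artifact set is deliberately strict: it catches the same alert re-fired (INC-1003 above), but a near-duplicate with one extra indicator will open a new incident, so production playbooks usually also match on a key indicator (the same hash or destination) within a time window. Second, reputation lookups against a paid feed should be cached per indicator, since the same IP or hash tends to recur across many incidents and each call costs quota.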

[Screenshot: workplan results and workplan task]

Incident Management Process Playbooks

Demisto playbooks capture the entire incident management lifecycle, including the legal, HR and other procedural steps, in a well-structured document. Every analyst follows the same playbook during an incident, which produces a complete trail of the escalation path and the process actually followed. Tasks in a playbook can be assigned to individual analysts with deadlines, so the state of the incident can be tracked in full.

Evidence Collection and Journaling

Demisto Enterprise allows analysts to track artifacts and mark key artifacts as evidence. All evidence is fingerprinted so that any later modification can be detected. As analysts continue to investigate and mark further pieces of evidence, the evidence board shows the complete storyline of how the incident occurred, together with the supporting facts.
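To make the fingerprinting point concrete, here is an added example of how an evidence board can be made tamper-evident. It is not Demisto's implementation, which the page does not describe; it is the standard approach of hashing each entry together with the hash of the entry before it, so that editing, reordering or deleting any entry breaks the chain at a verifiable position. The incident, analysts, artifacts and timestamps are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple


@dataclass
class EvidenceEntry:
    seq: int
    analyst: str
    description: str
    artifact: str
    added_at: str       # ISO-8601 UTC timestamp supplied by the caller
    prev_hash: str      # entry_hash of the previous entry (the chain link)
    entry_hash: str     # SHA-256 over every other field plus the incident id


def digest(payload: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the fingerprint is reproducible."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class EvidenceBoard:
    """Append-only evidence list where each entry's hash covers the previous hash."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: List[EvidenceEntry] = []

    def add(self, analyst: str, description: str, artifact: str, added_at: str) -> EvidenceEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        fields = dict(seq=len(self.entries), analyst=analyst, description=description,
                      artifact=artifact, added_at=added_at, prev_hash=prev)
        entry_hash = digest({"incident": self.incident_id, **fields})
        entry = EvidenceEntry(entry_hash=entry_hash, **fields)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every fingerprint and chain link; return (ok, first bad seq)."""
        prev = self.GENESIS
        for entry in self.entries:
            body = asdict(entry)
            recorded = body.pop("entry_hash")
            expected = digest({"incident": self.incident_id, **body})
            if entry.prev_hash != prev or recorded != expected:
                return False, entry.seq
            prev = recorded
        return True, None

    def storyline(self) -> List[str]:
        """The evidence-board view: a time-ordered narrative of what was marked."""
        return [f"{e.added_at} [{e.analyst}] {e.description} ({e.artifact})"
                for e in self.entries]


def build_sample_board() -> EvidenceBoard:
    """Constructed sample evidence for a made-up incident (not real data)."""
    board = EvidenceBoard("INC-1001")
    board.add("asmith", "Beacon to known C2 address", "ip:198.51.100.23", "2024-03-01T09:12:00Z")
    board.add("asmith", "Dropped binary recovered from host", "file:payload.exe", "2024-03-01T09:20:00Z")
    board.add("bjones", "Account used from unfamiliar location", "user:jdoe", "2024-03-01T09:41:00Z")
    return board


if __name__ == "__main__":
    board = build_sample_board()
    print("\n".join(board.storyline()))
    print("chain intact:", board.verify())
    board.entries[1].artifact = "file:innocent.txt"  # simulate tampering
    print("after edit:", board.verify())
```

The caveat a practitioner should keep in mind: a hash chain makes tampering detectable, not impossible. Anyone with write access to the store can rewrite the whole chain consistently, so the head hash (or each entry's hash) should also be anchored somewhere the evidence store cannot reach, such as a write-once audit log, a signature with a key the analysts do not hold, or an external timestamping service, before the evidence is relied on in a legal or HR process.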

[Screenshot: Demisto dashboard]

Incident Metrics and Reporting

Demisto tracks numerous metrics, including incident open rate, close rate, open time, mean time to respond, analyst load, analyst response time and many more. These metrics are available out of the box through built-in reports and dashboards. Customers can also build custom reports from the raw collected data to meet their own requirements.
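The page names the metrics but not how they are derived from incident records, so the following is an added example (not Demisto's reporting code) that computes them from a constructed set of incidents. The definitions are assumptions stated in the docstring; in particular MTTR is taken here as the mean of close time minus open time, and analyst response time as the time from open to assignment, since teams define both differently.

```python
from collections import Counter
from datetime import datetime
from statistics import mean
from typing import Dict, List

# Constructed incident records (not real data). Timestamps are naive UTC
# ISO-8601 strings; closed=None means the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "owner": "asmith", "opened": "2024-03-01T08:00:00",
     "assigned": "2024-03-01T08:10:00", "closed": "2024-03-01T10:00:00"},
    {"id": "INC-2", "owner": "asmith", "opened": "2024-03-01T09:00:00",
     "assigned": "2024-03-01T09:30:00", "closed": "2024-03-01T13:00:00"},
    {"id": "INC-3", "owner": "bjones", "opened": "2024-03-02T09:00:00",
     "assigned": "2024-03-02T09:05:00", "closed": None},
    {"id": "INC-4", "owner": "bjones", "opened": "2024-03-02T11:00:00",
     "assigned": "2024-03-02T11:20:00", "closed": "2024-03-02T12:00:00"},
]


def minutes_between(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def compute_metrics(incidents: List[dict], now_iso: str) -> Dict[str, object]:
    """Roll up the metrics named on the page from raw incident records.

    Assumed definitions (these vary between teams):
      mttr_minutes            mean(closed - opened) over closed incidents
      mean_response_minutes   mean(assigned - opened) over all incidents
      opened_per_day          open rate, incidents opened per calendar day
      closed_per_day          close rate, incidents closed per calendar day
      analyst_load            still-open incidents per owner
      open_backlog_minutes    how long each still-open incident has been open, as of now_iso
    """
    now = datetime.fromisoformat(now_iso)
    opened_per_day: Counter = Counter()
    closed_per_day: Counter = Counter()
    load: Counter = Counter()
    ttr: List[float] = []
    response: List[float] = []
    backlog: Dict[str, float] = {}
    for inc in incidents:
        opened = datetime.fromisoformat(inc["opened"])
        assigned = datetime.fromisoformat(inc["assigned"])
        opened_per_day[opened.date().isoformat()] += 1
        response.append(minutes_between(assigned, opened))
        if inc["closed"] is None:
            load[inc["owner"]] += 1
            backlog[inc["id"]] = minutes_between(now, opened)
        else:
            closed = datetime.fromisoformat(inc["closed"])
            closed_per_day[closed.date().isoformat()] += 1
            ttr.append(minutes_between(closed, opened))
    return {
        "mttr_minutes": mean(ttr) if ttr else None,
        "mean_response_minutes": mean(response) if response else None,
        "opened_per_day": dict(opened_per_day),
        "closed_per_day": dict(closed_per_day),
        "analyst_load": dict(load),
        "open_backlog_minutes": backlog,
    }


if __name__ == "__main__":
    for name, value in compute_metrics(INCIDENTS, "2024-03-02T15:00:00").items():
        print(f"{name}: {value}")
```

A mean is a blunt instrument for MTTR: one incident left open over a weekend dominates it, so dashboards built from this data usually show the median and a percentile alongside it, and trend the value per week rather than reporting a single number.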