Challenge: Lack of Incident Management Process

One of the common challenges security operations teams face is the lack of a well-documented and consistently applied incident response process. Even when a team has a process, it is usually neither followed nor measured for each incident. As a result, security operations teams are unable to streamline incident response and improve mean time to respond (MTTR) over time.

Reduce MTTR with Automation

A large part of every incident investigation is collecting the reputation of different artifacts and querying data sources for more information about users, systems, IPs, URLs and other artifacts. All these tasks can be automated with playbooks, saving analysts a considerable amount of time and reducing the time to respond. In addition, playbooks can be used to search for duplicate incidents, saving further time.
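The automation described above, as an added example that is not Demisto's code: a minimal playbook in Python that enriches a new incident's artifacts from a reputation table, looks for an already-open incident sharing most of the same artifacts, and sets the incident status accordingly. The reputation table, the incident records and the overlap threshold are all constructed assumptions for illustration.

```python
"""Added example (not Demisto code): a minimal enrichment + de-duplication playbook.
The reputation feed, incidents and threshold below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed reputation feed: artifact value -> verdict (assumption, not a real feed)
REPUTATION: Dict[str, str] = {
    "198.51.100.23": "malicious",
    "203.0.113.9": "benign",
    "http://example.invalid/login": "suspicious",
}


@dataclass
class Incident:
    id: str
    artifacts: List[str]
    status: str = "open"
    enrichment: Dict[str, str] = field(default_factory=dict)
    duplicate_of: Optional[str] = None


def enrich(incident: Incident, feed: Dict[str, str] = REPUTATION) -> Dict[str, str]:
    """Look up every artifact once; unknown artifacts are recorded as 'unknown', not skipped,
    so the analyst can see what the feed could not answer."""
    incident.enrichment = {a: feed.get(a, "unknown") for a in incident.artifacts}
    return incident.enrichment


def find_duplicate(incident: Incident, open_incidents: List[Incident],
                   threshold: float = 0.5) -> Optional[str]:
    """Return the id of the open incident whose artifact set overlaps most with this one,
    provided the Jaccard similarity reaches the threshold; otherwise None."""
    best_id, best_score = None, 0.0
    mine = set(incident.artifacts)
    for other in open_incidents:
        if other.id == incident.id or other.status != "open":
            continue
        theirs = set(other.artifacts)
        union = mine | theirs
        score = len(mine & theirs) / len(union) if union else 0.0
        if score >= threshold and score > best_score:
            best_id, best_score = other.id, score
    return best_id


def run_playbook(incident: Incident, open_incidents: List[Incident]) -> str:
    """Enrich, de-duplicate, then route: duplicates are closed against the original,
    anything with a malicious artifact is escalated, the rest is marked triaged."""
    enrich(incident)
    dup = find_duplicate(incident, open_incidents)
    if dup is not None:
        incident.duplicate_of = dup
        incident.status = "closed-duplicate"
    elif "malicious" in incident.enrichment.values():
        incident.status = "escalated"
    else:
        incident.status = "triaged"
    return incident.status


if __name__ == "__main__":
    queue = [Incident("INC-1", ["198.51.100.23", "user@example.invalid"])]
    new = Incident("INC-2", ["198.51.100.23", "user@example.invalid", "203.0.113.9"])
    print(new.id, run_playbook(new, queue), new.duplicate_of)
```

The duplicate check uses set overlap rather than exact equality so that an incident raised a second time with one extra artifact is still recognised; the threshold is what you would tune against your own false-merge rate.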


Incident Management Process Playbooks

Demisto playbooks enable capturing the entire incident management lifecycle, including the legal, HR and other procedural steps, in a well-structured document. Each analyst can follow these playbooks during an incident, creating a complete trail of the incident management escalation path and process. Playbook tasks can be assigned to individual analysts with deadlines, enabling full tracking of the state of the incident.

Evidence Collection and Journaling

Demisto Enterprise allows analysts to track artifacts and mark key artifacts as evidence. All evidence is fingerprinted to assure tamper-proofing. As analysts continue to investigate and mark different artifacts as evidence, the evidence board starts to unveil the incident storyline.
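One way evidence fingerprinting can detect tampering, as an added example that is not Demisto's implementation: an append-only evidence journal in Python where each entry's SHA-256 fingerprint covers the entry's content and the previous entry's fingerprint. Editing, reordering or deleting any entry then invalidates every fingerprint after it. The journal structure, field names and sample entries are assumptions made for this example.

```python
"""Added example (not Demisto code): hash-chained evidence journal.
Entry fields and sample data are constructed for illustration."""
import hashlib
import json
from typing import Any, Dict, List


class EvidenceJournal:
    """Append-only list of evidence entries. Each fingerprint is
    SHA-256(previous fingerprint || canonical JSON of the entry), so the chain
    can be re-verified later and any change to an earlier entry shows up."""

    GENESIS = "0" * 64  # fingerprint "before" the first entry

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    @staticmethod
    def _fingerprint(entry: Dict[str, Any], prev: str) -> str:
        # Canonical JSON (sorted keys) so the same content always hashes the same way.
        body = json.dumps({k: v for k, v in entry.items() if k != "fingerprint"},
                          sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + "\n" + body).encode("utf-8")).hexdigest()

    def add(self, artifact: str, note: str, analyst: str, when: str) -> str:
        """Append an evidence entry; 'when' is an ISO-8601 timestamp supplied by the caller."""
        prev = self.entries[-1]["fingerprint"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "artifact": artifact, "note": note,
                 "analyst": analyst, "when": when, "prev": prev}
        entry["fingerprint"] = self._fingerprint(entry, prev)
        self.entries.append(entry)
        return entry["fingerprint"]

    def verify(self) -> int:
        """Re-walk the chain. Returns -1 if intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["fingerprint"] != self._fingerprint(e, prev):
                return i
            prev = e["fingerprint"]
        return -1


def build_sample_journal() -> EvidenceJournal:
    """Constructed sample entries for the example."""
    j = EvidenceJournal()
    j.add("198.51.100.23", "C2 beacon destination seen in proxy logs", "ana", "2024-05-01T08:20:00Z")
    j.add("sha256:placeholder-of-dropper", "binary recovered from host", "ben", "2024-05-01T09:10:00Z")
    j.add("user@example.invalid", "account used for initial login", "ana", "2024-05-01T10:00:00Z")
    return j


if __name__ == "__main__":
    journal = build_sample_journal()
    print("intact:", journal.verify() == -1)
    journal.entries[1]["note"] = "edited after the fact"
    print("first bad entry:", journal.verify())
```

The chain only proves that entries have not changed since they were written; to make it hold up against an insider who controls the journal store, the final fingerprint (or each one) would additionally need to be signed or escrowed outside the analyst's reach.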


Incident Metrics and Reporting

Demisto tracks numerous metrics, including incident open rate, close rate, open time, mean time to respond, analyst load, analyst response time and many more. These metrics are available out of the box through built-in reports and dashboards. In addition, customers can create their own custom reports from the raw data collected, based on their own requirements.
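How several of the metrics named above are derived from raw incident records, as an added example that is not Demisto's reporting code: a small Python script computing mean time to respond, mean open time, daily open and close rates and per-analyst load over a constructed set of incident records. The record layout and timestamps are assumptions for this example; a real platform's raw data would be exported in its own schema.

```python
"""Added example (not Demisto code): incident metrics over constructed records.
Timestamps are ISO-8601 strings; None means the event has not happened yet."""
from collections import Counter
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Constructed incident records for illustration
INCIDENTS: List[Dict[str, Optional[str]]] = [
    {"id": "INC-1", "analyst": "ana", "created": "2024-05-01T08:00:00",
     "responded": "2024-05-01T08:20:00", "closed": "2024-05-01T12:00:00"},
    {"id": "INC-2", "analyst": "ben", "created": "2024-05-01T09:00:00",
     "responded": "2024-05-01T09:05:00", "closed": "2024-05-02T09:00:00"},
    {"id": "INC-3", "analyst": "ana", "created": "2024-05-02T10:00:00",
     "responded": "2024-05-02T11:00:00", "closed": None},
    {"id": "INC-4", "analyst": "ana", "created": "2024-05-02T10:30:00",
     "responded": None, "closed": None},
]


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mean_time_to_respond(incidents) -> Optional[float]:
    """Mean minutes from creation to first analyst response, over incidents that have one."""
    durations = [_minutes(i["created"], i["responded"]) for i in incidents if i["responded"]]
    return mean(durations) if durations else None


def mean_open_time(incidents) -> Optional[float]:
    """Mean minutes from creation to closure, over closed incidents only."""
    durations = [_minutes(i["created"], i["closed"]) for i in incidents if i["closed"]]
    return mean(durations) if durations else None


def daily_rates(incidents) -> Dict[str, Dict[str, int]]:
    """Incidents opened and closed per calendar day (the date prefix of the timestamp)."""
    opened = Counter(i["created"][:10] for i in incidents)
    closed = Counter(i["closed"][:10] for i in incidents if i["closed"])
    days = sorted(set(opened) | set(closed))
    return {d: {"opened": opened[d], "closed": closed[d]} for d in days}


def analyst_load(incidents) -> Counter:
    """Number of still-open incidents per assigned analyst."""
    return Counter(i["analyst"] for i in incidents if i["closed"] is None)


def awaiting_response(incidents) -> List[str]:
    """Ids of incidents nobody has responded to yet; these never enter the MTTR average,
    so a rising count here is the early warning that MTTR alone would hide."""
    return [i["id"] for i in incidents if i["responded"] is None]


if __name__ == "__main__":
    print("MTTR (min):", round(mean_time_to_respond(INCIDENTS), 1))
    print("mean open time (min):", mean_open_time(INCIDENTS))
    print("daily rates:", daily_rates(INCIDENTS))
    print("analyst load:", dict(analyst_load(INCIDENTS)))
    print("awaiting response:", awaiting_response(INCIDENTS))
```

Note that both averages silently exclude incidents that have not yet reached the measured event, which is why the unanswered-incident count is reported alongside them.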