Demisto’s interactive investigation features – a ChatOps-based War Room, an ML-powered chatbot, and a responsive command-line interface – form a potent toolkit for analysts to collaborate, run real-time security commands, and learn from each incident.
What is Security ChatOps?
ChatOps is a platform for conversation-driven investigation. When security analysts, security tools, chatbots, and incident response workflows share the same chat window and reinforce each other, that is ChatOps in action. All these components feed each other in a virtuous cycle, enabling investigation, collaboration, and documentation from one source.
The Need for Interactive Investigation
Lack of skilled analysts
With a shortage of millions of analysts expected over the coming years, many SOCs are understaffed, leading to increased workload, stress, and rate of error among existing analysts.
Rising alert numbers
With an increased threat surface, a greater number of entry vectors for attackers, and an increase in specialized cyber security tools, the number of alerts is constantly on the rise.
Analysts use numerous tools to coordinate and execute their response to incidents, which means constant screen switching, fragmented information, and disjointed record keeping.
Siloed work environments
An implicit but dangerous problem that mid-to-large-sized SOCs face is security analyst tunnel vision and an extreme narrowing of skill sets. There is rarely any cross-pollination of skills across analysts, which prevents joint investigations and faster response times.
The Bus Factor
Since security analysts are at such a premium, a sudden personnel loss can leave SOCs in a state of disarray. Senior analysts take most of their expertise with them when they leave and little knowledge remains stored within the SOC.
With these challenges still present and growing, interactive investigation can be a force multiplier for SOCs, providing teams with a virtual shared space to conduct joint investigations, coordinate across security products in real-time, and document the results of their actions on the same platform.
Interactive Investigation with Demisto
Virtual War Room
When is the Right Time to Deploy Interactive Investigation?
There is a right and a wrong time to introduce interactive investigation features into your security operations and incident response. If you roll out interactive investigation when the timing, the resources, or the fit to your needs is not right, you will not only fail to get value from those features but may also close the door on a future implementation when the need is more explicit.