Security Orchestration, Automation and Response, or SOAR, is gaining some traction in the marketplace.
Gartner Research recently released a report saying that security teams larger than five people will increasingly use SOAR tools for orchestration and automation. Today fewer than one per cent of these teams use SOAR, but by 2020 that will rise to 15 per cent. As the security skills shortage persists, alert numbers and attack vectors grow, and product proliferation continues, more organizations will consider SOAR solutions to unlock the full potential of both their analysts and their security product suites.
Demisto, a Silicon Valley-based SOAR vendor, is trying to solve the problem people have created with security alerts and tools.
Bob Kruse, the vice president of worldwide sales for Demisto, told EChannelNews there simply are not enough people to look at the alerts, begin to understand them, or even run the tools themselves.
“There is a conga line of security products in the operations centre and none of them talk to each other. That means there is an incredible number of manual processes and human errors, and this creates a horrible working environment,” Kruse said.
Orchestration essentially knits all those solutions together and makes them work as one. Without security automation and orchestration, operation centres are vulnerable to all kinds of attacks, but Kruse points out the simple one: workers showing up late or not at all. Currently these centres rely on manual or human operation and are prone to errors.
“Demisto has seen a lot of organic growth, but the big compelling event is that there are not enough people for all the new solutions and alerts. We have a negative employment rate in this industry. The time is now. There are two lines on a graph that have intersected: too many alerts and not enough people relative to the need. That is where Demisto lives, right at those two intersected lines,” he said.
Demisto has a 100 per cent channel-friendly strategy and aims to work with Managed Security Services Providers (MSSPs). Kruse said the company has a tier-one strategy in North America and a two-tier plan in Latin America, Western Europe and EMEA. The positioning of Demisto with channel partners is that everything on a solution provider’s line card can be automated and orchestrated.
Kruse added that channel partners can go to its install base and monetize further with Demisto.
“We even create budget for partners because we remove the complexity and the end user can digest these solutions like they were any other end-point.”
Late last year Demisto released version 3.1 for enterprise and community users. One of the big features of this release is a personalized War Room for incident and indicator management. The personalized War Room has pre-defined filters and a customizable filter editor that lets users create bespoke views for specific incidents. Users can add notes and evidence entries directly, which can shave seconds off incident response. There is also a new Tasks Pane that shows the analyst the next set of tasks to complete in the incident. Entries in HTML format can also be added.