Demisto brings automation and orchestration to Palo Alto Networks


Palo Alto Networks has recently completed several acquisitions, each worth millions, to build a broad portfolio for a variety of network and security tasks. The largest acquisition (560 million dollars), and therefore one of the most important, is that of Demisto. This company specializes in SOAR platforms and offers security professionals orchestration and automation. To gain more insight into this, we spoke to one of Demisto’s founders, Dan Sarel.

Demisto had existed for just under four years when Palo Alto Networks announced the acquisition to the world. The founders of Demisto initially saw a gap in the market by identifying a number of problems encountered by security professionals. They built a SOAR (Security Orchestration, Automation and Response) platform that addressed those problems, after which the startup grew into an interesting target for Palo Alto Networks.

Sarel says that at the moment, far from every problem has been solved. He sees that security operations centres (SOCs), the central point that coordinates the response to security incidents, are facing three major problems. First, security products such as firewalls and antivirus packages are good at their job, but they don’t feed enough information back into SOCs to do something useful with it. The solutions each speak their own ‘language’, which makes exchanging information, and thus building one consistent line of defence, difficult. Secondly, Demisto sees that the management and coordination of security incidents at SOCs do not always go well or according to modern standards. Some SOCs even choose to use Excel sheets for incident management, while Excel is, in principle, not intended for this purpose. Thirdly, the security professionals within the SOC do not talk much with each other. According to Sarel, this is a general human trait: most employees just do their own thing without communicating a lot.

Choice of a SOAR platform

SOCs usually use SIEM solutions as a central control point. These solutions have been on the market for some time now, and they can address some of the problems that Demisto has identified. Think of collecting data from firewalls and Unified Endpoint Management (UEM) solutions in order to analyse it and make the line of defence coherent. Ideally, however, SOCs use both a SIEM and a SOAR product. A SOAR platform, for example, makes it easier to respond to security incidents.

Because most SOAR platforms are somewhat newer, they are also available from the cloud. Demisto has therefore chosen to offer both an on-premise version and a version that runs in the AWS cloud. In most cases, the hosted version appears to be the more modern choice: SOCs do not have to worry about provisioning the right amount of compute resources and do not need to spend time maintaining on-premise equipment. They can also choose a cloud region so that they run with lower latency and, where applicable, comply with local compliance guidelines.

Orchestration, automation, research and management

The primary task of the Demisto platform is security orchestration, i.e. collecting security alerts from as many sources as possible. For this purpose, Demisto has built integrations with different products to connect them to one another. According to Sarel, the platform is well suited to this because of its hundreds of integrations, as well as its vendor-independent character. Integrations with Palo Alto Networks products are possible, but so are integrations with more than 350 products from its competitors, e.g. Check Point and Fortinet. This orchestration also goes a bit further than just linking security products to Demisto: integrations have also been built to control specific management tasks in Salesforce, Slack and Jira, for example. All relevant solutions are connected to each other, which gives the SOC employee an overview from which they can respond to situations if necessary.

By bringing technologies together, certain processes can also be automated with workflows. This applies in particular to the somewhat simpler security alerts that come in from the orchestrated solutions. Demisto offers a visual playbook editor for this purpose. Via a drag-and-drop interface, security professionals can define the actions that have to take place within the various products. In this way, the SOAR platform receives instructions in advance on how to respond to an incident automatically. An example of such an automated response is placing a system that contains malware in quarantine. If the playbooks can’t handle the situation, the incident is still passed on to a security professional. This remains the case for the more complex alerts, but the playbooks are intended to automate as much as possible. Such automation is only possible by integrating as many products as possible and by building a lot of actions for the playbooks, something to which Demisto pays a lot of attention.

When a security alert is passed on to a security professional to investigate the incident, the SOAR platform aims to promote cooperation as much as possible during the investigation. Demisto uses the term ChatOps for this purpose. The term refers to bringing together security professionals, security tools, chatbots and the workflows in one chat window. In this way, the security professionals can coordinate who is doing what and access information about the incident, while a chatbot is activated to provide new insights.

Finally, incident management also plays a role. For example, the SOAR platform uses a searchable database to give the user detailed insight into incidents. Timelines also show how certain attacks are progressing, and users can request reports on those attacks.

Parent company further incorporates subsidiary

Recently, the Demisto platform was rebranded and now goes by the name Cortex XSOAR. This step comes from Palo Alto Networks. Cortex is the brand name under which Palo Alto Networks focuses on incident detection and investigation, as well as automation and response. Apart from SOAR capabilities, this also includes a Detection and Response platform for threats at endpoints, in networks and in the cloud.

Although Demisto is now being incorporated more deeply into the Palo Alto Networks portfolio, according to Sarel this does not necessarily mean that every customer will actually use other Palo Alto Networks products. Several Demisto customers currently do not use Palo Alto Networks products at all. In the end, Demisto has grown because of its vendor-independent character, and there is no need to change that. The aim remains to bring together as much threat intelligence as possible from all kinds of solutions.

Still, this does not make the move by Palo Alto Networks hard to understand. The parent company is currently paying a lot of attention to building a framework that brings different technologies together. As many network and security solutions as possible should come together, from firewalls to SD-WAN, putting an end to the use of dozens to hundreds of products from different brands that don’t work well together. To a certain extent, Palo Alto Networks has the ambition to become the central point for corporate networks.

The match between Demisto and Palo Alto Networks is logical in this respect. Prior to the takeover, Palo Alto Networks did not yet have a good SOAR platform at its disposal. By renaming the Demisto solution Cortex XSOAR, SOCs can now also turn to the security giant for orchestration and automation. In this way, Palo Alto Networks grows even further into a broad security supplier.