As a writer, I find the use of passive voice suspicious. (Except when I employ it. Then it’s okay…) Passive voice is notorious for concealing someone’s actions or inactions. Check out an awkward political press conference and wait for a nervous spokesperson to admit, “Mistakes were made.” Yes, by whom? Usually they won’t say.
So it goes with security policy, where you may read statements like, “All incidents, including security breaches and irregularities must be reported and recorded. Corrective action should be taken and followed up through regular verifications to improve the overall security standard.” Again, you might ask, “By whom?”
Taking corrective actions, following through, verifying improvements and reporting security incidents are standard policies. These tasks should be clearly assigned to a SecOps team. Doing the work, however, can be overwhelming. Alerts and incidents easily outrun the team’s work cycles. This is the problem Demisto solves. Demisto offers a Security Automation, Orchestration and Response (SOAR) solution that makes it possible to turn the passive “Corrective action should be taken” into the active, clear, “Take corrective action.”
I spoke with Rishi Bhargava, Demisto’s head of marketing, at RSA 2018. As he explained, Demisto is also addressing a problem of executive notification with its platform. “How many dashboards does the CISO log into?” he asked. “Not too many, in our experience. That’s not a criticism. The CISO is busy. He or she needs succinct notifications by email or text that highlight the relevant activities at any given time. That’s the Demisto approach.”
Bhargava also told me about Demisto’s new solution for managed security service providers (MSSPs). It enables the MSSP to leverage the Demisto platform to streamline and improve their own security response processes. “We have found we can help them with service level agreements,” Bhargava added.
The natively multi-tenant solution allows a master tenant admin to grant role-based visibility to tenants, quickly onboard new customers and scale as needed. Each customer environment is completely isolated for security and privacy reasons. A customer instance has its own separate database. Individual customers can be given full access to their environments in order to perform joint investigations with the MSSP. This capability reduces incident resolution time and effort. It also provides a welcome solution for challenging “two tier” security policies in the cloud.