Security Orchestration, Automation and Response (SOAR) firm Demisto has raised $43 million in a Series C funding round led by Greylock Partners. This brings the total raised by the Cupertino, California-based firm to $69 million, following a $20 million Series B round in February 2017.
The purpose of the new funding is to continue development of the SOAR product, and to help the firm expand into the EMEA and APAC markets. Sarah Guo, a general partner at Greylock, joins the Demisto board.
Demisto was founded in 2015 by Dan Sarel, Guy Rinat, Rishi Bhargava, and Slavik Markovich. They concluded that the market needed not so much another security control product as a product able to maximize the use of the controls organizations already own. “We asked a bunch of security executives and analysts, ‘What is your biggest problem today?’” Bhargava told SecurityWeek. “All of them replied that the problem is operational — they simply do not have the staff to handle the volume of alerts generated by existing products. This is the problem we decided to solve through automation and orchestration.”
SOAR is a relatively new product category, but its value is already recognized. At the end of 2017, Gartner published a report predicting that the share of organizations with security teams larger than five people using SOAR tools for orchestration and automation would rise from less than 1% at the time to 15% by 2020. A few months later, in May 2018, Gartner listed Demisto as one of its ‘Cool Vendors’ for 2018.
“It is clear,” continued Bhargava, “that security teams are focused on deploying the next best technology product — whether that’s at the perimeter, or in the cloud, or on the endpoint. But few security teams focus on the operational side of security.” With a rising number of attacks, a growing number of products, and an ever larger volume of alerts, analyst teams are simply overwhelmed by their workload. The result, he suggested, is that for many firms the operational side of security is in disarray.
“We decided that first of all we needed to develop a robust automation and orchestration platform that can enable workflows (whether manual or automated or a combination) to automate the analyst’s response; and that the platform needs to integrate with hundreds of security products. We currently integrate with around 220 different security products. Secondly, we needed a component that would provide a very strong ticketing, or case management, system, designed to manage the workload of the security teams. This would include clear escalation and assignment processes — and would need to tie in with the response workflow. Thirdly, we wanted a collaboration workbench able to give analysts the ability to work with their peers; because most security teams in large organizations are distributed across different locations.”
The key to the Demisto platform is the playbooks. These automate a consistent method, or progression of steps, needed to handle the different types of alert generated by the security control products. “The playbooks are not built around specific threats or exploits, but on the methods of exploitation,” explained Bhargava. “So, if you get a new type of threat — say ransomware — you need to check the malware playbook to see if it handles the new threat. If the answer is no, then you need to tweak the playbook.”
Tweaking can be done in-house or remotely via Demisto. “If a customer improves a playbook, it gets shared to the rest of the Demisto community of customer analysts. The playbook is defined as content and kept separate from the product. If the product gets updated by Demisto, the playbooks remain unchanged.”
What this means is that the alert handling process is not merely automated but continually improved, and, perhaps most pertinently, that expertise does not walk out the door when an analyst moves on to another company (which currently happens about every two years).
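To make the playbook model described above concrete, here is a small illustration written for this article (it is not Demisto’s code and makes no claim about how the Demisto product is implemented). The playbooks are plain data keyed on alert category, each step is a named function in a step library, and a “tweak” for a new threat (ransomware, detected by mass file encryption rather than by a known hash) is added by editing the playbook content while the engine stays unchanged. The alerts, hashes, sender addresses and step names are all constructed sample data.

```python
"""Toy playbook engine: alerts handled by data-defined playbooks.

Illustration written for this article, not Demisto's code. All alerts,
threat-intel entries and step names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Playbook content: an ordered list of step names per alert category.
# Analysts edit and share this part; the engine below stays unchanged.
PLAYBOOKS: Dict[str, List[str]] = {
    "malware":  ["enrich_hash",   "isolate_if_known_bad", "open_case_if_unresolved"],
    "phishing": ["enrich_sender", "block_if_known_bad",   "open_case_if_unresolved"],
}

# Constructed threat-intel lookups standing in for product integrations.
KNOWN_BAD_HASHES = {"deadbeef" * 8}
KNOWN_BAD_SENDERS = {"invoice@bad-sender.example"}


@dataclass
class Incident:
    alert: dict
    facts: dict = field(default_factory=dict)          # enrichment results
    actions: List[str] = field(default_factory=list)   # what automation did
    resolved: bool = False                             # True = no human needed


StepFn = Callable[[Incident], bool]   # a step returns True to end the playbook early
STEPS: Dict[str, StepFn] = {}


def step(fn: StepFn) -> StepFn:
    """Register a step so playbook content can refer to it by name."""
    STEPS[fn.__name__] = fn
    return fn


@step
def enrich_hash(inc: Incident) -> bool:
    inc.facts["known_bad"] = inc.alert.get("sha256") in KNOWN_BAD_HASHES
    return False


@step
def enrich_sender(inc: Incident) -> bool:
    inc.facts["known_bad"] = inc.alert.get("sender") in KNOWN_BAD_SENDERS
    return False


@step
def isolate_if_known_bad(inc: Incident) -> bool:
    if inc.facts.get("known_bad"):
        inc.actions.append("isolate:" + inc.alert["host"])
        inc.resolved = True
        return True
    return False


@step
def block_if_known_bad(inc: Incident) -> bool:
    if inc.facts.get("known_bad"):
        inc.actions.append("block_sender:" + inc.alert["sender"])
        inc.resolved = True
        return True
    return False


@step
def open_case_if_unresolved(inc: Incident) -> bool:
    if not inc.resolved:
        inc.actions.append("case:assign:tier2")   # hand-off to an analyst
    return True


@step
def isolate_if_encryption_behaviour(inc: Incident) -> bool:
    """The 'tweak': keyed on the method (mass encryption), not on a known hash."""
    if inc.alert.get("files_encrypted", 0) >= 100:
        inc.actions.append("isolate:" + inc.alert["host"])
        inc.resolved = True
        return True
    return False


def run_playbook(alert: dict, playbooks=PLAYBOOKS) -> Incident:
    """Run the playbook for the alert's category; unknown categories go to a human."""
    inc = Incident(alert)
    for name in playbooks.get(alert["category"], ["open_case_if_unresolved"]):
        if STEPS[name](inc):
            break
    return inc


def triage(alerts, playbooks=PLAYBOOKS) -> Dict[str, int]:
    """Count alerts closed by automation versus escalated to an analyst."""
    counts = {"automated": 0, "escalated": 0}
    for alert in alerts:
        inc = run_playbook(alert, playbooks)
        counts["automated" if inc.resolved else "escalated"] += 1
    return counts


# Constructed sample alerts.
SAMPLE_ALERTS = [
    {"category": "malware",  "host": "ws-01", "sha256": "deadbeef" * 8},
    {"category": "malware",  "host": "ws-02", "sha256": "ab" * 32, "files_encrypted": 512},
    {"category": "phishing", "sender": "invoice@bad-sender.example"},
    {"category": "phishing", "sender": "ceo@partner.example"},
    {"category": "dns",      "host": "ws-03", "query": "c2.example"},
]

# Tweaked content: the ransomware step slots in before a case is opened.
TWEAKED = dict(PLAYBOOKS)
TWEAKED["malware"] = ["enrich_hash", "isolate_if_known_bad",
                      "isolate_if_encryption_behaviour", "open_case_if_unresolved"]

if __name__ == "__main__":
    print("original:", triage(SAMPLE_ALERTS))   # {'automated': 2, 'escalated': 3}
    print("tweaked: ", triage(SAMPLE_ALERTS, TWEAKED))   # {'automated': 3, 'escalated': 2}
```

The point to notice is that nothing in `run_playbook` or the step library changed to handle the ransomware case; only the `PLAYBOOKS` content did, which is what lets playbook improvements be shared as content independently of product updates. Note also the safe default: an alert category with no playbook is always handed to a person rather than silently dropped.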
“SOAR products,” suggests Roland Cloutier, Global CSO at ADP, “occupy a unique place in the security, risk, and privacy landscape because they weave an actionable and operational thread across the incident management, security, and even business process workflows. Business Protection and Assurance Data without action is incomplete, and SOAR tools fill that gap by ingesting aggregated alerts and instantiating workflows that automate security and business actions across the product stack. This frees up analyst time, investigative time, reporting time, and helps security, risk, and privacy teams leverage their existing business protection and management technology investments, ensuring their business is more prepared.”
In measurable terms, Bhargava pointed to one customer, ESRI, that used the SOAR platform to reduce the alerts needing human intervention from a high of 100,000 per week to roughly 500 per week.