Demisto Cybersecurity Q&A: AI, Trends for 2018 and the Channel

Cybersecurity is one of the fastest-growing segments of the technology marketplace, and increasingly, channel partners have options to participate thanks to ramped-up channel programs and ever-better vendor support.

We sat down with Rishi Bhargava, Demisto co-founder, to discuss how the threat landscape is evolving. He discusses the role of automation and artificial intelligence, and how channel partners can benefit.

Demisto solutions enable users to orchestrate and automate security workflows (as well as enrich incidents with network and security analytics), to reduce organizational risk, accelerate incident response and improve overall security posture.

ChannelVision: What are the top challenges that companies will face in 2018 when it comes to the evolving threat landscape?

Rishi Bhargava: The General Data Protection Regulation (GDPR) that becomes effective in May 2018 is going to have a major impact on incident response. The GDPR’s 72-hour window to report breaches means that organizations must have complete visibility across all elements, including SaaS, cloud and enterprise infrastructures, mobile and all endpoints. The qualification and response procedures for alerts will also need to be optimized.

Also, security operations center (SOC) managers will need to start focusing on the ROI of their security orchestration platforms. With stringent regulations, a lack of skilled analysts, the need for consistent processes and growing alert numbers, the need for security orchestration has never been more apparent. In this scenario, focusing on quantifiable benefits and returns on product investment will help onboard senior leadership and greenlight further investments in this space.

Clarifying the role of machine learning in incident response will also be a challenge for SOC managers. Myths still abound regarding machine learning’s role in a SOC, with many people thinking that it will allow incident response to be run on autopilot and potentially render analysts redundant. Consistent internal communications, robust pilot projects and scalability of machine learning-focused features will be needed to leverage its full benefits and increase analyst productivity and satisfaction.

And finally, I believe that multiple product functions will start merging into Security Orchestration, Automation and Response (SOAR). With threat intelligence, incident management and security orchestration all converging into one-console solutions, companies will need to decide how to reallocate their resources to best utilize their security product portfolio for threat response.

CV: How does this translate into opportunity for channel partners?

RB: Channel partners can expand their product and service portfolio to help companies alleviate these challenges. For example, they can offer GDPR compliance-training services, and offer products that best bridge the gap between SOAR and other product categories.

Channel partners can also shoulder the responsibility of educating prospects and customers about these challenges and the best ways to deal with them. Informational collateral about the merits of machine learning, GDPR best practices, ROI templates and worksheets, and SOAR industry trends will aid customers in the decision-making process and create a longer-lasting relationship with channel partners due to the unique value delivered.

CV: How are AI and automation helping the good guys?

RB: AI and automation are helping SOCs in the following ways:

  • Workflows across people, processes and technologies have resulted in consistent response procedures to alerts. This helps analysts perform at a common best-practice level and acts as a good training tool for junior analysts.
  • Automated playbooks/workflows have reduced the number of redundant, repeatable tasks hitherto performed by analysts. This reduces alert numbers and ensures that analysts spend time on cerebral problem-solving rather than taxing, quantity-heavy tasks.
  • AI and automation have helped SOCs focus on continuous learning and knowledge management. Insights provided by AI into incident ownership, analyst-task matching, and commonly performed analyst actions help shorten marginal time to resolution even for complex incidents. If AI tracks all analyst actions performed in a SOC, and playbooks lend IR processes a visual form, sudden personnel losses no longer result in a loss of accumulated expertise. This expertise is instead stored within the organization for common use.

CV: What promise does this hold for the future?

RB: AI and automation hold considerable promise for the future. As both AI and automation are easily scalable, the benefits in terms of alert reduction and response efficiency will increase exponentially the longer companies use these features and the more alerts they use them on.

AI also can double up as a supplementary tool for security awareness and training. The longer it trains on data sets containing analyst actions and alert timelines, the more granular its insights can be regarding alert prevention and response best practices, most efficient response command-sets, ideal analyst team setups and incident linkages.

Automation will soon act as a bridge between security and allied functions, resulting in playbooks that orchestrate across functions. This includes use cases involving SSL certificate management, ticket management, facilities management and user provisioning/deprovisioning, and more. Any workflow that can be put down on paper will soon be made in SOAR tools for pan-organizational automation.

CV: Tell me a bit about your channel program and what sets it apart.

RB: We offer very lucrative discount rates for registered deals for our channel partners. In addition, we offer technical and sales training to enable our channel partners. With the focus we place on our channel partners, we have been able to grow our customer base significantly.

CV: There’s a lack of cybersecurity skills and knowledge in the marketplace. How can channel partners keep on top of what they need to know to find success in this arena?

RB: Once channel partners know the specific pain points and needs of customers, they can tailor subsequent product and service offerings to those needs for a more fruitful relationship.

An open and transparent relationship between channel partners and product vendors will also help. Feedback sessions will help channel partners tune into trends in the security space based on other customers that product vendors have. Channel partners will also be able to aid product updates and development by conveying their own feedback from customers to product vendors.

Being in tune with third-party analyst reports and reputed security news sources will help reconcile channel partner experiences with the experiences of the security world around them. These trends can be used to educate customers, employees and product vendors alike.