Cloud adoption has done a lot of good for businesses in driving innovation, agility, and scale. But as organizations adopt cloud services into their IT infrastructure, their security teams are facing a new wave of security challenges. Cloud security data and processes are often isolated from traditional security measures, requiring multiple consoles to manage overall security posture. The result of these disparate environments: a lack of visibility and control. The agility and globally dispersed nature of applications hosted in the cloud – as well as the users consuming them – makes it tough to reconcile traditional security access and compliance policies.
Security at the speed of cloud
Luminate’s Secure Access Cloud™ and Demisto bi-directional integration solves these challenges and more. It provides joint customers with cloud compliance enforcement and incident response across cloud and on-premise infrastructures. By leveraging Luminate’s unique audit trail of users’ actions across all applications and Demisto’s orchestration engine, the integration improves analyst efficiency and shortens their decision-making cycle. Additionally, it enables companies to enrich and resolve security alerts in real-time and from a single interface.
Analysts receive incident data and unique SSH, RDP, and HTTP access logs from Luminate within Demisto and can trigger automated playbooks tied to those incidents. They can run thousands of commands interactively, and then block and unblock a corporate user's or contractor's access through Luminate from within Demisto, either as automated playbook tasks or in real time.
On top of that, through the integration with Demisto Enterprise, Luminate’s enforcement capabilities are enriched with intelligence data from hundreds of other security tools. This helps coordinate the response to incidents across different security functions.
How it is done in practice – integration features:
- Receive incident data from Luminate within Demisto and trigger automated playbooks tied to those incidents.
- Block and unblock corporate user or contractor access through Luminate from within Demisto, either as automated playbook tasks or in real time.
- Get Luminate’s unique SSH, RDP, and HTTP access logs within Demisto for further investigation and incident enrichment.
- Leverage hundreds of Demisto product integrations to further enrich Luminate incidents and coordinate response across security functions.
- Run thousands of commands (including Luminate’s) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
Take a page from the automated playbook – use case #1
Let’s take a look at the following use case: responding to cloud security incidents and automatically enriching them. When cloud security consoles are isolated from other security functions, cross-referencing alerts and gathering further context becomes time-consuming and repetitive for security analysts. This also leads to inconsistent response quality.
Using Luminate, security teams can ingest incident data into Demisto and trigger standardized, automated playbooks in order to respond to each incident.
For example, a playbook could query Luminate for HTTP and SSH access log data and cross-reference that data with intelligence from SIEMs and threat intelligence tools. Analysts can also instruct Luminate to block affected users’ access to all sensitive applications, whether on-premises or in the cloud.
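To make the playbook just described concrete, here is an added example in Python (the language Demisto content is written in); it is not Luminate's or Demisto's own code. Because the real Luminate API is not described on this page, the "query Luminate for access logs" task and the block/unblock commands are mocked with in-memory data, and the log field names, sample records, threat-intel verdicts and sensitive-application list are all constructed for the illustration. The playbook ingests an incident naming a user, pulls that user's SSH/RDP/HTTP access records, cross-references source IPs against the intel verdicts, and blocks the user only when a sensitive application was reached from a flagged IP; anything less is left in a "monitor" state for an analyst to review.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample records standing in for Luminate's SSH, RDP and HTTP
# access logs. The field names are an assumption for this example, not
# Luminate's real log schema.
ACCESS_LOGS: List[Dict[str, str]] = [
    {"user": "jdoe@example.com", "protocol": "http", "app": "hr-portal",
     "src_ip": "198.51.100.20", "ts": "2019-03-04T08:01:12Z"},
    {"user": "jdoe@example.com", "protocol": "ssh", "app": "prod-bastion",
     "src_ip": "203.0.113.7", "ts": "2019-03-04T08:14:03Z"},
    {"user": "jdoe@example.com", "protocol": "rdp", "app": "finance-jump",
     "src_ip": "203.0.113.7", "ts": "2019-03-04T08:20:45Z"},
    {"user": "asmith@example.com", "protocol": "http", "app": "wiki",
     "src_ip": "198.51.100.21", "ts": "2019-03-04T09:02:00Z"},
]

# Constructed threat-intel verdicts, standing in for what a SIEM or threat
# intelligence integration in Demisto would return for the observed IPs.
KNOWN_BAD_IPS: Set[str] = {"203.0.113.7"}

# Applications the organisation treats as sensitive (assumed list).
SENSITIVE_APPS: Set[str] = {"prod-bastion", "finance-jump"}

# In-memory stand-in for the block/unblock state that Luminate would hold.
BLOCKED_USERS: Set[str] = set()


@dataclass
class PlaybookResult:
    user: str
    matched_ips: Set[str] = field(default_factory=set)
    sensitive_apps_touched: Set[str] = field(default_factory=set)
    flagged_sessions: List[Dict[str, str]] = field(default_factory=list)
    action: str = "monitor"  # "monitor" or "block"


def fetch_access_logs(user: str) -> List[Dict[str, str]]:
    """Mock of the 'query Luminate for access logs' playbook task."""
    return [rec for rec in ACCESS_LOGS if rec["user"] == user]


def cross_reference(user: str, logs: List[Dict[str, str]],
                    bad_ips: Set[str], sensitive_apps: Set[str]) -> PlaybookResult:
    """Enrich each access-log record with intel and sensitivity context.

    A session is flagged only when the same record shows a sensitive
    application reached from a source IP that intel marks as malicious.
    """
    result = PlaybookResult(user=user)
    for rec in logs:
        bad_source = rec["src_ip"] in bad_ips
        sensitive = rec["app"] in sensitive_apps
        if bad_source:
            result.matched_ips.add(rec["src_ip"])
        if sensitive:
            result.sensitive_apps_touched.add(rec["app"])
        if bad_source and sensitive:
            result.flagged_sessions.append(rec)
    return result


def block_user(user: str) -> bool:
    """Mock of the Luminate 'block user access' command."""
    BLOCKED_USERS.add(user)
    return True


def unblock_user(user: str) -> bool:
    """Mock of the Luminate 'unblock' command; True if a block was lifted."""
    if user in BLOCKED_USERS:
        BLOCKED_USERS.remove(user)
        return True
    return False


def run_playbook(incident: Dict[str, str]) -> PlaybookResult:
    """Playbook: ingest incident -> pull logs -> enrich -> decide response."""
    user = incident["user"]
    logs = fetch_access_logs(user)
    result = cross_reference(user, logs, KNOWN_BAD_IPS, SENSITIVE_APPS)
    # Response rule: block access only on a flagged session. A bad IP that
    # only touched a non-sensitive app, or a sensitive app reached from a
    # clean IP, stays in "monitor" for an analyst to review.
    if result.flagged_sessions:
        block_user(user)
        result.action = "block"
    return result


if __name__ == "__main__":
    for inc in ({"id": "INC-1", "user": "jdoe@example.com"},
                {"id": "INC-2", "user": "asmith@example.com"}):
        res = run_playbook(inc)
        print(inc["id"], res.user, res.action, sorted(res.matched_ips),
              sorted(res.sensitive_apps_touched))
```

The point of keeping the block decision to a single, explicit rule is that automated response on user access is disruptive when it misfires; the enrichment fields in `PlaybookResult` are what an analyst would want surfaced alongside the action so the decision can be audited or reversed with `unblock_user`.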
The joint solution minimizes screen switching, manual reconciliation of data, and repetitive work for security teams. Unifying and automating response processes across cloud and on-premise infrastructures also helps security teams gain central oversight and coordinate actions at scale.
Goodbye threat investigation hassle – use case #2
Automated responses and standardized processes don’t always cut it when we’re talking about complex threats. Attack investigations usually require additional real-time tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. For analysts this means a lot of screen-switching and endless documentation-chasing even after the investigations end. Precious time is being lost here.
By running Luminate commands in the Demisto War Room, analysts can obtain new actionable information about the attack and gain greater visibility in real time. They can also run commands from other security tools in the War Room, ensuring a single-console view for end-to-end investigation. Working from one common window allows analysts to work fast and have a full task-level view of the process. Moreover, the War Room documents all analysts’ actions and, over time, suggests the most effective analysts and command sets.
The War Room allows analysts to quickly pivot and run unique commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window. This also removes the need to collate information from multiple sources for documentation.
Best of both worlds
To sum it all up, this new integration enables your organization to:
- Automate ingestion of Luminate alerts within Demisto for playbook-driven response.
- Further enhance Luminate’s enforcement capabilities with intelligence from other security tools via Demisto’s orchestration.
- Improve analyst efficiency by centralizing collaboration, investigation, and documentation, leveraging Luminate’s unique audit trail of users’ actions across all applications.
The Luminate-Demisto integration allows organizations to avoid being hindered by the challenges of cloud adoption and instead leverage its agile nature for advanced compliance, timely incident response and visibility, merging the best of both worlds.
*** This is a Security Bloggers Network syndicated blog from Luminate Blog authored by Eldad Livni. Read the original post at: https://blog.luminate.io/automated-cloud-access-management-and-incident-response