
Slavik Markovich, Demisto | CUBEConversation, July 2018


(lively music)

>> Hi and welcome to another CUBEConversation. I'm Peter Burris from our outstanding studio in Palo Alto, California, and today we're talking security, which is an especially important topic in today's digital-business-driven world. And specifically we've got Slavik Markovich, who's the CEO and founder of Demisto. Welcome to theCUBE.

>> Thanks for having me here.

>> So Slavik, there are so many directions we can take the conversation about security these days, but let's just start with a relatively simple one. Security operations is becoming increasingly important but remains especially complex. How is the problem manifesting itself in business today?

>> Yeah, so I would summarize it really simply as having too many with too few. There are just too many alerts, too many security tools, a very fragmented landscape, and there are not enough analysts to handle all the security events that are coming up. And so this is a huge problem in the sense that security's hurt by that. You have a lot of events that are just left on the table unhandled. And so that's what we are kind of trying to solve: helping the analysts basically have a much better life and process, and handling those kinds of issues much more efficiently.

>> So if you go inside, if you go to a security operations center, a SOC, you rarely encounter a party.

>> Yeah, they're not happy.

>> The more likely scenario is you see some people who are highly stressed and largely unhappy, and counting the hours until they can retire. And partly that's a function of the fact that we've got all these tools, and we've got all these higher, increasing risks as more folks attack, but there are also some uncertainties associated with how processes actually work. So to what degree can a solution like Demisto bring some clarity to how security processes should operate within a SOC?

>> Yeah, it's a great question. So as you said, when you go and visit those analysts, they're very unhappy. They're unhappy because people have this concept of, when you go into security, you're going to deal with the sophisticated stuff, you're going to deal with finding that nation-state attacker, and this malicious, super persistent malware and so on.

>> Oh, you're at the top. You're going to be a hero.

>> Yes, you're going to be the hero. And that's a very interesting perception, but the end result is that most of your day is handling the basic failed logins and VPN alerts, and change password requests, and phishing attempts. Things that are very mundane.

>> High-risk drudgery.

>> Yes, high-risk drudgery. That's perfect. And so those analysts just hate this process, and they spend so much time on it, and this is why you see this turnover of analysts that don't last over 18 months or 20 months in a job, because they are dealing with all this mundane stuff. And even when you are dealing with the more interesting stuff, as you said, there's no consistent process of how to handle it. And there might be a document somewhere on your wiki, your SharePoint, that specifies what you should do. But there's no way to actually quality-assure that and make sure that what you're doing is indeed matching the process. And so, yeah, the analysts are getting bogged down by those mundane alerts, don't have time to look at the interesting stuff, and when they do have time, it's very hard to follow the process. And what we at Demisto are doing, trying to fix that problem, is that we are trying to solve it by having a single platform handling all of the life of the SOC. Meaning handling all the knowledge management, all the processes, and the people are signing in all of that. And so what we're doing is having a full kind of case management for incidents, including all the metrics, and all the SLAs and assignments, and evidence-tracking and reproductively signing them, and so on. But beyond that, we allow you to specify a consistent process like you do in a visual chart. So you basically just drag and drop all the steps, and we then allow you to take those steps and replace them with automations. Because we have integrations with hundreds of security tools. And those hundreds of security tools provide thousands of actions that you can do across those security tools. And so, when you have a step that says check the prevalence of this file, or detonate this in a sandbox, or do any of those, you can actually replace that manual step with an automation and save the analyst the time of actually going ahead and doing that. And so, not only are we bringing consistency to the process, but we're also bringing a lot of efficiencies, because you can just replace those manual tasks, and then a lot of the kind of simple, mundane incidents you can just take away from the analyst completely, so he can focus on the really important stuff. And then beyond that, what we're offering is when you have to get off the pre-defined process, and so we're dealing with a smart adversary, some of them are super smart, it's not--

>> Some of them are the smartest. A lot of money to be made in messing the other companies up these days.

>> Exactly, and not all incidents are cookie-cutter, and so when you have to get off the pre-defined process, we allow the analyst to actually collaborate with other analysts, invite them to our virtual war room, and then also talk with our bot and do interactive stuff beyond the pre-defined. So we can go to our D-Bot and say, hey, dear D-Bot, retrieve this file from this endpoint, detonate it in this sandbox, bring me the result. Oh, it's malicious. Then isolate the endpoint and block this IP. And you can do all of that in one single place without going to 10 different tools and then copy-pasting it into your case-management system.

>> Right, so let me make sure I got the summary. Because you said a lot there.

>> Yeah.

>> So, trend. A lot more users, whether they're actually human beings or devices. Much greater surface area from an attack standpoint, so a lot more events are being generated. Those events can now be trapped by an existing tool set that, again, corresponds to that degree of specialization, and then when they generate an alert, you have a low-code approach to being able to, through APIs, capture that information, simply describe automations, and then have the shop follow the processes and conventions and routines associated with the automations that they design. Have I got that right?

>> Exactly, and so it's not like we're saying we're going to replace your analyst with automation. That's usually not the case. But we do allow you to basically apply a process, a consistent process, that has automations to make the analysts' work much more efficient. And so, as you said, an incident comes in and it can be from various sources. It can be from a high-fidelity security tool, or from your SIEM, or from your mailbox, somebody reporting abuse or something like that. We take that incident, automatically apply the process, run all the automations, and then allow the analyst to make the important decisions. So the analyst sees the data and then decides, oh, you know what, this is malicious, and then we can do the response. Or it's not malicious, and then we can close the ticket and so on. But we're not replacing the analyst, we're just elevating his level.

>> Are a lot of these integrations out of the box?

>> Yeah, we have over 200 integrations out of the box with your usual security tools, IT tools, Active Directory, and your endpoint, your network, and so on and so forth.

>> And the second related question is, obviously one of the biggest challenges that you face with any of these very powerful tools is that they can take a long time to configure, set up, and then roll out. Time to value associated with Demisto. What is it?

>> So just the installation and configuration of the integrations, it's a matter of an hour and you're up and running. But then when you take a use case and build a playbook and automation for that, this usually takes a day. So per use case, it takes time to adjust it to the process of the enterprise. And so out of the box we come with about 50 playbooks, but then an enterprise will take those playbooks and adjust them to their own processes.

>> That's great, so you've been around since 2015, first shipped 2016. Where are you on maturity?

>> So we've been growing like crazy, in a sense. We're now releasing our fourth version of the product. 4.0 is coming to Black Hat. We have hundreds of customers, about over 100 employees, and we've been growing and hiring aggressively.

>> So if you think about what the next two years is going to be, higher risk, more devices, more work to do, but tooling like Demisto is going to be able to better manage a lot of that and facilitate collaboration amongst the team. For example, I believe you have some previous Slack integration reckoned in the tool.

>> Yeah, that's true.

>> So this becomes a way that you can actually, it's a tool for running your SOC.

>> Exactly, it's a tool to run your SOC. But when we kind of look ahead of that, what we really focus on, what I'm excited about, is the capability to enhance or add more efficiencies to the process by using machine learning, and then trying to learn from the organization and feed that knowledge back into the organization. So if we see analysts interact with our bot and ask for certain actions for certain types of incidents with certain indicators, we can learn from that, and then when a new incident comes in, we can recommend it and say, hey, you know what, what we've seen in previous incidents, this is what worked. This is a sequence of actions that worked, and we can feed that back to the analyst. And we can actually feed it back into building the playbooks and enriching them even more. So I think we can actually use machine learning across the entire kind of platform, and even take it outside of the SOC and into other use cases. So we already integrate with AWS, so we can actually help you with all the cloud security. If you detect something we can take a snapshot, we can change IAM--

>> You mean end to end.

>> End to end.

>> So they're going to do fine with their own security, but you mean end to end 'cause you're incorporating them into your security chain.

>> So we view ourselves as kind of the brain of the process, so we want to help you define what should happen, and we'll actually invoke and execute that across your security tools. So part of it can be on AWS, part of it can be with your compliance team or with your vulnerability assessment team or op security team, kind of expanding even beyond the traditional use cases of the SOC into anything in fact in security that has a process tied to it.

>> Slavik, thanks very much for being on theCUBE and talking about security. Incredibly important topic that requires a lot more conversation, but even more doing.

>> Hey, thanks for having me.

>> So once again, Slavik Markovich is the CEO and founder of Demisto, and you've been watching another CUBEConversation. Until next time.

(lively music)

Published Date : Aug 2 2018
