Startup Spotlight: Demisto's Security Chat-ops Platform
Four McAfee veterans create a security operations platform that combines automation, collaboration and a clever bot.
Collaboration and coffee are two driving forces behind Demisto, a startup that operated in stealth mode until its late May announcement of a $6 million round of Series A funding led by venture capital firm Accel and several security industry veterans.
Demisto's four co-founders worked together at McAfee, where they downed many, many cups of coffee together, said Rishi Bhargava, the company's VP of Marketing.
"If you look at the dynamics in our backgrounds, we all love technology, we all love coffee, and we all are very open to criticism and feedback," Bhargava said. "Those are the traits that bonded us together. All of us are really about innovative products as well. We worked for companies that introduced new products every few years."
Bhargava joined McAfee after it acquired his prior employer, application security startup Solidcore, in 2009. Co-founders Slavik Markovich, Guy Rinat and Dan Sarel worked for Sentrigo, a database security startup purchased by McAfee in 2011.
Though all four men worked on different products at McAfee, Bhargava said, they shared an "ah-ha" moment over some of those cups of coffee.
"A common theme had emerged when we were talking to customers. Security products in each of our domains did not talk to security products in other domains," he said. "Security analysts are so freaking busy that they don't have time to talk to each other."
Their proposed solution, the Demisto Enterprise Security Operations Platform, employs automation to streamline security operations and incident management processes.
Meet the Bot
Automated actions are delivered via a bot called Dbot. The friendly-looking bot has a bio on the "meet the team" page of the company's website that says it is "not only smart, resourceful with lots of integrations but also witty." As an example, Bhargava said Dbot responds "yes, master" to commands from security pros.
Demisto hopes Dbot's humor will find a receptive audience among those pros, who often operate in high-pressure environments and "generally get only bad news," he said.
Dbot integrates with 35 popular security products, including endpoint tools, firewalls and SIEMs. The bot's engine delivers threat intelligence for IPs, URLs and files and aggregates feeds from multiple sources.
Dbot runs some 150 different built-in actions that can be combined into workflows found in security "playbooks" for quickly dealing with common incidents. Companies can also create their own playbooks or modify the out-of-the-box ones provided with the platform. Phishing incidents targeting executives can be immediately escalated, for instance.
The product includes collaborative elements that Bhargava said are just as important as the automation. "You cannot automate everything, so you must enable analysts to solve problems more quickly."
Experts in different areas can enter "investigative war rooms" where they can chat with each other, take notes and communicate with the bot, asking it to block a certain IP address, for example. Dbot also identifies related and duplicate actions, saving valuable time and preventing potentially negative actions, Bhargava said. "If you block an IP address but do not tell your peers you did that, it can be incredibly harmful to your environment."
Group chat rooms and the use of bots to automate many operations-related tasks are common features of a communications model called ChatOps, which is popular with software development teams.
Demisto has borrowed some other ideas from developers, as well. A community of some 420 security pros share tools, processes and playbooks via the Slack messaging tool and can attend periodic face-to-face meet-ups in San Francisco or the company's Cupertino, Calif., headquarters.
The Demisto team, big fans of Slack, also created a free, open source version of Dbot that helps users research URLs, IP addresses and files from within Slack -- though this Dbot does not integrate with any security tools.
Demisto's Plans for Growth
Demisto plans to use some of its funding to beef up sales and marketing resources, said Bhargava, noting that about three-quarters of the company's 19 current employees are in engineering.
In addition to direct sales, Demisto is working with channel partners and other service providers, Bhargava said. The platform is fully multi-tenant and thus easy to sell through partners, he said. "We've all learned from our pasts at other companies that it should be that way from the get-go so you do not run into issues later on."
Unlike some other security products, Demisto also does not believe in charging by the integration or the automation action, he said.
Fast Facts about Demisto
Founded: July 2015
Founders: CEO Slavik Markovich, VP of Marketing Rishi Bhargava, VP of Products Dan Sarel and VP of Engineering Guy Rinat
Product: Demisto Enterprise Security Operations Platform
HQ: Cupertino, Calif.
Funding: $6 million, including investments from venture capital firm Accel and several security industry luminaries, including Stuart McClure, founder, president and CEO of Cylance; Kevin Mahaffey, co-founder and CTO of Lookout; and Blue Coat President and COO Michael Fey.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.