How To Embrace Runbook Automation of Repeatable Tasks


Runbook automation is the process of defining, building, orchestrating and managing workflows to support your cybersecurity operations. It focuses on automating repetitive tasks so that you can speed up incident response times while becoming more consistent in how you approach and execute a response.

Runbook automation is commonly seen in the IT world wherever sysadmins run large amounts of infrastructure, but over the last couple of years the requirement for runbook automation in SOAR platforms has increased dramatically as CSOC analysts get to grips with the scale of incidents they must respond to. Beyond basic connectivity, data flow and automated outputs, the more mature SOAR platforms provide advanced automation, process orchestration across different tools and technologies, and case management.

I spoke to a CSOC Director at one of the larger financial services businesses in the US and asked him what he focused his team on when it came to automating his CSOC. He told me that they first focused on the tasks that their analysts spent the most time on.

Alert Identification:

As alerts come in for analysis, usually from the firewall, network, IDS and other sources, the initial identification phase requires sifting through a large amount of data, mostly noise, which then leads to follow-up tasks for an analyst to perform. Most of these processes are standard and have probably already been documented, which makes alert identification and correlation the low-hanging fruit of runbook automation.

Triage:

Analysts need to investigate activity in the environment to validate that a legitimate incident is underway, and this task is often limited by the availability of security and forensic analysts. The number of analysts in your CSOC does not scale well, so during the initial investigation and triage stage, runbook automation is a fantastic way to get ahead of the curve.

Report Generation:

With some technology solutions reports are generated automatically, while with others they are assembled by hand after manual investigative effort, and putting these together can consume a lot of an analyst's time. By automating report generation with runbook automation, you can dramatically cut down on the time analysts spend on reporting, allowing them to focus on more important tasks in the CSOC.

When looking towards runbook automation of repeatable tasks, CSOC directors are demanding some, if not all, of the following functionality to help them improve their workflows.

SOP Automation

CSOC teams want to automate their standard operating procedures as fully as they can, instead of merely triggering a remediation action. To accomplish this, CSOC teams align their automated actions with runbooks. Some SOAR platforms enable this by providing either a GUI-based configuration panel or command line tools that allow analysts to automate their triage, investigation and remediation activities, and most SOAR vendors provide runbook templates or pre-canned runbooks for their customers.

Case Management

Many CSOCs are still using traditional case management and ticketing systems, but these tools are very often inadequate for a CSOC analyst's needs: analysts frequently require transparent communication channels between the CSOC and IT operations in order to support shared processes. Leveraging runbook automation in case management requires central management capabilities to initiate, communicate and monitor the CSOC's activities throughout the lifecycle of incidents and events.

Process Orchestration

The modern CSOC with an eye on runbook automation requires process orchestration that works across its different tool sets. For example, an investigation process often involves fetching the data, analyzing the data, working out which incidents occurred and who was affected, then communicating the results to the right people before taking the right actions to remedy the incident. Getting this right means that a CSOC needs to document its process well and have the right tools that integrate with each other to make it happen, which in turn means that your cybersecurity products need open APIs and solid developer support.
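As an added illustration of the fetch, analyze, identify and report sequence described here (and in the Alert Identification, Triage and Report Generation sections above), the following Python runbook runs over a constructed batch of alerts; it is not code from this post or from any SOAR vendor, and the alert field names, the 1 to 5 severity scale and the triage threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample alerts, shaped like what an IDS or firewall might hand a SOAR
# platform (field names and the 1-5 severity scale are assumptions for this example).
SAMPLE_ALERTS = [
    {"id": 1, "src": "10.0.0.5", "user": "alice", "sig": "ssh-bruteforce", "sev": 3},
    {"id": 2, "src": "10.0.0.5", "user": "alice", "sig": "ssh-bruteforce", "sev": 3},
    {"id": 3, "src": "10.0.0.5", "user": "alice", "sig": "lateral-smb", "sev": 5},
    {"id": 4, "src": "10.0.0.9", "user": "bob", "sig": "port-scan", "sev": 1},
    {"id": 5, "src": "10.0.0.9", "user": "bob", "sig": "port-scan", "sev": 1},
]

def identify(alerts):
    """Step 1, alert identification: group raw alerts by source host so that
    repeated firings of one signature collapse into a single candidate."""
    by_src = defaultdict(list)
    for alert in alerts:
        by_src[alert["src"]].append(alert)
    return dict(by_src)

def triage(candidates, threshold=4):
    """Step 2, triage: promote a candidate to an incident when its highest severity
    plus one point per additional distinct signature meets the threshold."""
    incidents = []
    for src, alerts in candidates.items():
        sigs = sorted({a["sig"] for a in alerts})
        score = max(a["sev"] for a in alerts) + (len(sigs) - 1)
        if score >= threshold:  # anything below the threshold is treated as noise
            incidents.append({
                "src": src,
                "users": sorted({a["user"] for a in alerts}),  # who was affected
                "signatures": sigs,
                "score": score,
                "alert_ids": [a["id"] for a in alerts],
            })
    return incidents

def report(incidents):
    """Step 3, report generation: one summary line per incident for the case record."""
    return [
        f"{i['src']} score={i['score']} users={','.join(i['users'])} "
        f"sigs={'+'.join(i['signatures'])} alerts={len(i['alert_ids'])}"
        for i in incidents
    ]

def run_runbook(alerts):
    """Orchestrate the steps in runbook order; returns the incidents and the report."""
    incidents = triage(identify(alerts))
    return incidents, report(incidents)
```

In a real SOAR platform each step would call out to the relevant tool's API (the "fetch" and "communicate" stages are where the integrations discussed below matter), but the ordering and the hand-off of data between steps is the same.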

 

I spoke to the CEO of SOAR vendor CyberSponse Joseph and asked him how SOAR has evolved into playbook management over the last two years.  He told me “Open source playbooks are the future, sharing recipes of these playbooks is the only way to scale and ensure the industry actually can respond to threats as quickly as they are created. The community shared approach is becoming almost started and through the Incident Response Consortium, this provides the forum and the audience to see this approach scale to market and break all the rules of traditional playbook development.”

 

How To Choose A SOAR Platform With Runbook Automation

When deciding which SOAR platform to use for your CSOC, there are some important considerations to take into account before making any technology choices that may impact your CSOC operations.

Integrations

The number of integrations that a SOAR platform can handle is probably the most important factor to consider when choosing a SOAR platform, as most of the tools you will use in a CSOC rely on APIs to perform automation activities. The more integrations a SOAR platform can accommodate in the areas of endpoint security, network security, antimalware, identity management and forensics, the higher the chance that integration and ongoing management efforts will run smoothly. Messaging and communication tools are also important integrations to consider, as they allow teams to communicate across different units in response to a threat.

Event Management Tool Alignment

Because event management tools are usually implemented with a defensive purpose in mind, you will have to automate detection, response and investigation tasks and processes. That also means integrating with a SIEM tool, because this is ultimately where all the event management in a CSOC takes place. When considering runbook automation, you need to think carefully about how events are passed between different toolsets and how they are reported.

Implementation & Ease of Use

Some SOAR platforms and runbook automation tools are GUI driven, with well-designed and well-thought-out runbook creation tools, but others force analysts to use a command line, which isn't ideal: analysts should not be grepping a command line to look for information during an incident. The creation and monitoring of runbooks and their workflows should be fluid, with collaboration between team members and reporting baked into the platform for easy execution by analysts.

Ultimately, runbook automation can never replace skilled and experienced analysts who know their environment and know how to react properly when an incident takes place. Some runbook automation tools offer pre-built workflow libraries for specific incident types, and these can help jump-start the runbook automation process for teams eager to implement automation.

While the breach landscape is ugly and getting uglier by the day, CSOC teams need to detect and respond faster than ever before, and unless a CSOC implements automation in one way or another, it is unlikely ever to get ahead of incidents.

Post provided to you by @InfosecScribe
