Last updated at Mon, 21 Jan 2019 14:00:00 GMT
As a security analyst at a university, Adam Elliott is responsible for the school's information security, working with his team to perform compromised account remediation, monitor emails, and help the support team. To complete these tasks, his team leans on Rapid7's security orchestration and automation solution (now available as InsightConnect on the Insight platform) to reduce time to resolution, maximize resources, and overcome ecosystem complexity.
We recently had the opportunity to sit down with Elliott to discuss why his team chose Rapid7 and how our solution has increased the overall effectiveness of his security team.
Automated security alerts boost responsiveness
“As we evaluated solutions to automate our security processes, Rapid7’s solution seemed much more intuitive than some of the others we considered,” Elliott said. “It was clear to me during my assessment of its capabilities that the solution could do what I needed it to do. I was able to just dive right in and get to work.”
Elliott's team immediately began picking off the low-hanging fruit. He said they deal with an exorbitant number of alerts every day, most of which are minor incidents they don't have the resources to remediate. With that in mind, they decided to leverage automation to start responding to some of these alerts. They now automate their processes for responding to incidents and prioritizing the large volume of security alerts they receive on a daily basis.
Workflows streamline incident response
Elliott’s team is responsible for blocking sites that are malicious or have bad reputations on their network. When users think they’ve been wrongfully blocked from a site they want to visit, they notify the team.
“In the past, we would get notified via email, which meant we had to constantly monitor our email account, investigate the domain and decide whether to block it, then go in, do a remediation, and respond to the user manually each time,” Elliott said.
To streamline this process, the team built a workflow: using a direct integration with Slack, they now receive a notification when a request comes in, along with automated options to respond so they don't have to manually reply to the user. This workflow then executes some investigative processes on the domain and provides a follow-up report.
“The best part is that all of this happens within Slack,” Elliott said. “We can make an educated decision without having to jump from tool to tool. A process that used to take us an average of 15 minutes now takes us between two and five minutes.”
Effective security alert prioritization saves time
According to Elliott, Rapid7’s security orchestration solution also helps him prioritize alerts far better than he could before.
“With a steady influx of hundreds—sometimes thousands—of security alerts each day, our struggle with alert fatigue was real,” he said. “On a good day, the team was able to respond to 5% of the alerts we received. With automation, we can now meaningfully address around 800 alerts a day.”
Elliott and his team are in the process of implementing some additional workflows that will allow them to address at least 50 events a day.
“Right now, there are over 97,000 events sitting in my inbox—each one requiring roughly 20 to 30 minutes to investigate,” he said. “These new workflows will deal with each and every one of them automatically, saving me and my team hours—even days—of work.”
Greater convenience and team availability: A win-win for everyone
According to Elliott, security orchestration and automation has delivered value in two key areas: convenience and availability.
“Being able to work an incident completely from Slack is far more convenient for us,” he said. “If I’m notified of an incident at home, I no longer have to pull out my laptop, log in to the VPN, and go into all my tools to figure stuff out. All I have to do is pull out my phone, answer some questions on Slack, and it’s done. It’s awesome. The process is convenient for us, and in turn, we are more attentive and responsive to users.”
Elliott said every once in a while, a request will come in after hours, such as a student needing access to a particular site for class. Because students often wait until the last minute to do their assignments, there’s a sense of urgency there. In these cases, he said, being able to have a response in five minutes makes a huge difference.
“And for our part, we appreciate being able to help them out quickly without having to go through a whole complicated process,” he added.
Enhanced team efficiency enables increased security effectiveness
The low-hanging fruit Elliott’s team has picked off—such as prioritizing alerts and automating incident response—has freed them to address important security priorities, he said. Since that time, they have been able to move further into enhancing what’s already in place, with a focus on availability. According to Elliott, this has made all the difference in getting to the next level of strategic impact.
“Like any security team, we juggle multiple priorities and always strive to be as efficient as possible with the resources we have,” Elliott said. “The security workflows allow us to do more with less, improving the level of service we deliver to the community while freeing us up to take on more advanced projects that create an even stronger security foundation for the university as a whole. We’ll use Rapid7’s solution to streamline even more of our services and processes in the future, but it has already proven to be a valuable asset in enhancing our team’s effectiveness.”