Last updated at Tue, 09 Jan 2024 16:47:47 GMT
Some days, it can feel like the influx of vulnerabilities will never end. Despite having a vulnerability management tool, you can’t seem to unbury yourself from the pile of alerts, leaving your to-do list hopelessly long. Fortunately, automation and orchestration can help you streamline workflows so you can become more efficient and effective at identifying and addressing issues.
In this post, we’ll cover four ways to leverage security orchestration and automation (SOAR) to improve your vulnerability management program and save time in the process.
1. ChatOps-driven efficiency
The more systems, applications, and endpoints you monitor, the more alerts you can expect to receive. However, many of these alerts get lost in your inbox or otherwise overlooked, leaving serious vulnerabilities open for exploit. Security orchestration and automation can send alerts from vulnerability management solutions like InsightVM (which are designed to sort out false positives) to specific channels in Slack or Jira, ensuring better visibility and faster remediation. This is called ChatOps.
For example, you could set up a workflow so that if an externally-facing asset has SMB turned on, it gets sent to a specific Slack channel, where the right people who can take action on it will see it.
This provides a central location for all notifications so that teams aren’t stuck having to log in to multiple tools (thus elevating visibility). Then, when an alert comes in, SOAR can kick off a secondary workflow to automate the orchestration of the work.
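The routing described above, as an added example rather than code from the post or from Rapid7's InsightVM or InsightConnect: findings are evaluated against an ordered rule list (externally facing asset with SMB listening first, then severity-based rules), the first match picks the chat channel, and a deduplication step keeps repeated scans from re-posting the same exposure. The findings, the `external` inventory tag, the rule names and the channel names are all constructed assumptions.

```python
"""ChatOps routing for vulnerability findings.

Added example, not code from the original post or from Rapid7's
InsightVM/InsightConnect: the findings are constructed sample data, and
the rule names, channel names and the "external" asset tag are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    ip: str
    external: bool     # assumed inventory tag: asset is reachable from the internet
    services: tuple    # service names the scanner observed listening
    cvss: float
    title: str


# Rules are evaluated top to bottom; the first match decides the channel.
# (rule name, predicate, destination channel)
RULES = [
    ("smb-external",  lambda f: f.external and "smb" in f.services, "#vm-external-exposure"),
    ("critical",      lambda f: f.cvss >= 9.0,                       "#vm-critical"),
    ("high-external", lambda f: f.external and f.cvss >= 7.0,        "#vm-external-exposure"),
]


def route(finding):
    """Return (rule name, channel) for the first matching rule, else None.

    Findings that match no rule stay in the scanner's normal queue; only
    the ones a human should act on now get pushed into chat.
    """
    for name, predicate, channel in RULES:
        if predicate(finding):
            return name, channel
    return None


class ChatNotifier:
    """Collects messages that would be posted to chat, one per asset/rule pair.

    Deduplication matters: scans repeat, and re-posting the same exposure
    every cycle turns the channel into the inbox it was meant to replace.
    """

    def __init__(self):
        self._seen = set()
        self.posted = []   # list of (channel, message)

    def notify(self, finding):
        decision = route(finding)
        if decision is None:
            return None
        name, channel = decision
        key = (finding.asset, name)
        if key in self._seen:
            return None
        self._seen.add(key)
        message = (f"[{name}] {finding.asset} ({finding.ip}) "
                   f"CVSS {finding.cvss:.1f}: {finding.title}")
        self.posted.append((channel, message))
        return channel, message


# Constructed sample findings, as a scan-to-scan feed might deliver them.
SAMPLE_FINDINGS = [
    Finding("web-01",   "203.0.113.10", True,  ("http", "smb"), 7.5, "SMB signing not required"),
    Finding("db-02",    "10.0.5.20",    False, ("mysql",),      9.8, "Outdated database engine"),
    Finding("build-03", "10.0.7.30",    False, ("smb",),        5.3, "SMB signing not required"),
    Finding("web-01",   "203.0.113.10", True,  ("http", "smb"), 7.5, "SMB signing not required"),
    Finding("vpn-04",   "203.0.113.40", True,  ("ssl-vpn",),    8.1, "Outdated VPN firmware"),
]


def run_sample():
    """Feed the sample findings through the notifier; return what was posted."""
    notifier = ChatNotifier()
    for finding in SAMPLE_FINDINGS:
        notifier.notify(finding)
    return notifier.posted


if __name__ == "__main__":
    for channel, message in run_sample():
        print(channel, message)
```

Of the five sample findings only three reach chat: the internal SMB host matches no rule and stays in the scanner queue, and the repeated `web-01` finding is suppressed by the deduplication key.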
2. Threat intelligence
Threat intelligence can give companies a considerable leg up on their adversaries, yet most don’t have the time or resources to give it the time of day. This is another area where SOAR can drive massive efficiencies. With tools like InsightConnect, you can build workflows to automatically monitor advisory lists. Not only can the discovery be automated, but you can also set up decision and action points based on what is detected to further automate and accelerate the process.
For example, InsightConnect can monitor when a new vulnerability is disclosed, then kick off an assessment of your environment with InsightVM and alert you right away so you can quickly catch issues. By automating this traditionally manual and multi-stakeholder process, you can reduce the number of people involved and address issues faster.
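The decision point between "an advisory was published" and "assess the environment", as an added example that is not code from the post or from InsightConnect/InsightVM: advisories carry a product and an affected version range, the inventory carries installed versions, and only assets actually running an affected version are queued for assessment. The advisory records, inventory, version formats and the placeholder advisory ids are all constructed.

```python
"""Match newly published advisories against a software inventory.

Added example, not code from the post or from InsightConnect/InsightVM:
the advisory records, inventory and version formats are constructed, and
the advisory ids are placeholders rather than real identifiers.
"""
import re


def parse_version(text):
    """Reduce a version string to a tuple of integers for comparison.

    "9.1p1" -> (9, 1, 1), "2.4.57" -> (2, 4, 57). Adequate for the
    dotted-numeric schemes most server software uses; products with
    unusual schemes need a per-product parser.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def is_affected(installed, advisory):
    """True when installed falls in [introduced, fixed_in) for the advisory."""
    v = parse_version(installed)
    if advisory.get("introduced") and v < parse_version(advisory["introduced"]):
        return False
    return v < parse_version(advisory["fixed_in"])


def assets_to_assess(advisories, inventory):
    """Return {asset: [advisory ids]} for assets running an affected version.

    Only these hosts get a targeted scan and an alert, which keeps the
    follow-up focused instead of re-scanning the whole estate per advisory.
    """
    matches = {}
    for host in inventory:
        for product, version in host["software"].items():
            for adv in advisories:
                if adv["product"] == product and is_affected(version, adv):
                    matches.setdefault(host["name"], []).append(adv["id"])
    return matches


# Constructed advisories; ids are placeholders, not real advisory numbers.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "product": "openssh",
     "introduced": "8.5", "fixed_in": "9.3"},
    {"id": "ADVISORY-PLACEHOLDER-2", "product": "apache-httpd",
     "introduced": None, "fixed_in": "2.4.57"},
]

# Constructed inventory as an asset-management export might provide it.
INVENTORY = [
    {"name": "bastion-01", "software": {"openssh": "9.1p1"}},
    {"name": "web-01",     "software": {"apache-httpd": "2.4.52", "openssh": "8.4p1"}},
    {"name": "web-02",     "software": {"apache-httpd": "2.4.58"}},
    {"name": "jump-02",    "software": {"openssh": "9.3p2"}},
]


def run_sample():
    """Return the assets that need a targeted assessment for the sample data."""
    return assets_to_assess(ADVISORIES, INVENTORY)


if __name__ == "__main__":
    for asset, ids in run_sample().items():
        print(f"queue assessment of {asset} for {', '.join(ids)}")
```

Two of the four hosts are queued: `bastion-01` sits inside the openssh range, `web-01` runs an httpd older than the fix, while `web-01`'s openssh predates the introduced version and `jump-02` already carries the fixed release.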
3. DevOps automation
It’s not uncommon for DevOps teams to spin up AWS instances without a second thought about security—and the security team often has no idea. More often than not, these assets need to be assessed to ensure there are no vulnerabilities before they are brought into your environment.
Vulnerability management solutions like InsightVM that have a direct integration with AWS Security Hub can automatically share vulnerability findings related to AWS assets. Doing so provides a centralized view to security, IT, and DevOps teams of potential risk in their environment. This integration can be taken a step further with SOAR solutions like InsightConnect, which enable action to be taken on the vulnerability findings. For example, InsightConnect can automate workflows to remediate vulnerabilities on an AWS asset.
4. Patching and containment
The two most common workflows we see security teams struggle to keep up with in a timely manner are patching and containment. It’s worth noting that both of these automated workflows are available at no additional cost with InsightVM.
Automation-Assisted Patching
We have integrations with patching tools like BigFix and Microsoft SCCM to automate the aggregation of vulnerability intel and apply patches. We call this Automation-Assisted Patching. Human decision points can be inserted so you can decide if you want an issue remediated, and if so, the workflow will continue. InsightVM can then automatically re-assess the impacted assets to ensure the patch was successful.
Automated Containment
It’s impossible to remediate every vulnerability, but you can decrease exposure from vulnerabilities by implementing a temporary or permanent compensating control in your network access control systems, firewalls, and endpoint detection and response tools.
Let’s say you have a vulnerable asset, but you can’t shut it down because it’s business-critical. With Automated Containment, you can quarantine the vulnerable asset, so it won’t be exposed to the rest of your environment. This keeps the asset and your business running safely. Human decision points can also be introduced to this workflow so you can decide when to isolate a business-critical asset, or you can set it to do so automatically.
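Both the Automation-Assisted Patching and the Automated Containment workflows described above share one shape: an optional human approval gate, an action, and a re-assessment that confirms the goal was actually met. The following is an added example of that shape and is not code from the post or from InsightVM/InsightConnect; the patch tool, quarantine control and scanner are in-memory simulations, and the asset and vulnerability names are constructed.

```python
"""Patch / containment workflow with a human decision point and re-assessment.

Added example, not code from the post or from InsightVM/InsightConnect:
the connectors below are in-memory simulations of a patch tool, a network
quarantine control and a scanner, and the asset and vulnerability names
are constructed.
"""
from enum import Enum


class Outcome(Enum):
    REJECTED = "rejected by approver"
    ACTION_FAILED = "action could not be applied"
    NOT_RESOLVED = "re-assessment still shows exposure"
    VERIFIED = "re-assessment confirms resolution"


class RemediationWorkflow:
    """approve -> act -> re-assess.

    act(asset) applies the change (patch, quarantine) and returns True on success.
    still_exposed(asset) is the re-assessment; True means the goal was not met.
    approver(asset), consulted only when require_approval is set, returns True to proceed.
    """

    def __init__(self, act, still_exposed, require_approval=True):
        self.act = act
        self.still_exposed = still_exposed
        self.require_approval = require_approval
        self.audit = []   # (asset, step, result) for every step, kept for later review

    def run(self, asset, approver=None):
        if self.require_approval:
            approved = bool(approver and approver(asset))
            self.audit.append((asset, "approval", approved))
            if not approved:
                return Outcome.REJECTED
        ok = self.act(asset)
        self.audit.append((asset, "action", ok))
        if not ok:
            return Outcome.ACTION_FAILED
        exposed = self.still_exposed(asset)
        self.audit.append((asset, "reassess", exposed))
        return Outcome.NOT_RESOLVED if exposed else Outcome.VERIFIED


class Environment:
    """Constructed stand-in for the patch tool, the quarantine control and the scanner."""

    def __init__(self):
        self.vulns = {"fileserver-01": {"VULN-A"}, "erp-02": {"VULN-B"}}
        self.patches = {"VULN-A"}      # fixes the patch tool can currently deploy
        self.quarantined = set()       # assets moved to an isolated segment

    def patch(self, asset):
        """Patch tool: deploy every available fix; False if it has no agent on the asset."""
        if asset not in self.vulns:
            return False
        self.vulns[asset] -= self.patches
        return True

    def quarantine(self, asset):
        """Network control: cut the asset off from the rest of the environment."""
        self.quarantined.add(asset)
        return True

    def scan_exposed(self, asset):
        """Scanner re-assessment: unresolved vulnerabilities still reachable by others."""
        return bool(self.vulns.get(asset)) and asset not in self.quarantined


def demo():
    env = Environment()
    patching = RemediationWorkflow(env.patch, env.scan_exposed)
    containment = RemediationWorkflow(env.quarantine, env.scan_exposed, require_approval=False)

    def approve_all(asset):
        return True

    def decline_all(asset):
        return False

    results = {}
    # approved, patch available, rescan comes back clean
    results["fileserver-01 patch"] = patching.run("fileserver-01", approver=approve_all)
    # approved, patch tool runs, but no fix exists yet for VULN-B
    results["erp-02 patch"] = patching.run("erp-02", approver=approve_all)
    # business-critical and unpatchable, so quarantine it instead (no gate configured)
    results["erp-02 contain"] = containment.run("erp-02")
    # the patch tool has no agent on this asset
    results["ghost-03 patch"] = patching.run("ghost-03", approver=approve_all)
    # the approver declines, so nothing is touched
    results["fileserver-01 declined"] = patching.run("fileserver-01", approver=decline_all)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome.value}")
```

The re-assessment step is what makes the outcome trustworthy: the `erp-02` patch run reports `NOT_RESOLVED` because the rescan still finds the vulnerability, and the quarantine run reports `VERIFIED` only because the scanner no longer sees the asset as reachable. The audit list records every gate decision and action, which is the evidence a reviewer will ask for after an automated change.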
Modern vulnerability management necessitates SOAR
SOAR helps facilitate collaboration by breaking down the silos that traditionally have separated security, IT, and DevOps teams. By automating tasks that are manual, repetitive, and often require multiple stakeholders to complete, businesses can drive massive efficiencies and catch and resolve vulnerabilities faster. This is the key to running fast while staying secure, and for modern companies looking to stay several steps ahead of adversaries, SOAR is the way.
Since InsightConnect has many pre-built workflows integrated directly with InsightVM, current customers can begin using some of these key SOAR functionalities at no additional cost.