Come with me on a journey, friends. The protagonists of our story are you and me. They’re thousands of security analysts and sysadmins. They’re people who get s**t done (often the hard way), through sheer force of will and a not-insignificant amount of elbow grease.
In the back of their minds, though, think about what could be. They imagine their vulnerability management and patching process not as the disparate components of today, but rather an elegant symphony of algorithmically driven API calls self-healing the environment while they lie back and listen to the musical hum of processor fans.
:musical_note: I can show you the world… :musical_note:
Okay, let’s do some real talk now. Are pie-in-the-sky automation workflows possible? Eh, maybe. But in the same way I can’t fake Scott Weinger’s voice, I’m not going to try and force-feed what I believe to be largely impractical solutions to really hard problems.
Security orchestration and automation isn’t about complex, multi-faceted workflows. It’s about taking the everyday tasks that we perform and making them easier. Vulnerability management and patching are packed with such tasks that are ripe for some sweet, sweet orchestration and automation. A common thread for those tasks is IT and security needing to work together—in each other’s tools!—to get things fixed, and that’s why Rapid7 has released the Vulnerability Remediation Toolkit for InsightConnect, Rapid7’s SOAR solution. If you’ll indulge me, I’d like to take you through a scenario that I’m sure many an analyst and sysadmin has gone through.
:two_drinks_deep_karaoke: I can show you the world…
Our story features two heroes: a security analyst and a sysadmin. They are about to go through an entirely ordinary scenario in their lives. A brand new critical vulnerability is about to drop. It’s one of those annoying ones that impacts software that’s widely deployed but hard to control—possibly a coffee-themed runtime environment, who can say?
The security analyst goes through a regular review-and-advise cycle for vulnerabilities. For the most part, the agents they’ve deployed gather data automatically at regular intervals, so they don’t need a lot of babysitting, and the analyst has a lot more on their plate than just vulnerability management. Some days, however, a bad one comes across the wire that requires a more immediate response.
Today is one such day.
Upon seeing the vulnerability’s details, the analyst becomes concerned. The risk assessor in them can see that exploitation will be relatively easy, and they know that at least some systems in their network will be impacted. It also has one of those catchy names that’s going to appear at the top of a hundred vendor blogs, and it is a certainty that their boss will be asking about it, so they’d best get to work.
Knowing any resolution will require IT’s assistance, the analyst jumps into a shared Slack channel with their favorite system administrator. After giving a quick overview of the issue, they dive in. Taking advantage of fresh data from the agents, the security analyst starts the first of many workflows they’ll use with InsightConnect. A quick Slack message to the InsightConnect bot sets off a search query within InsightVM for assets impacted by the critical vulnerability, and within a few minutes, the bot delivers the news: Two assets in the network are impacted.
With the vulnerable hosts identified, it’s time for the sysadmin to get in the game. The security analyst uses another InsightConnect workflow to look up the vulnerability details from Rapid7’s vulnerability database. This fires back with the critical piece of information that the sysadmin needs: the solution information. With the patch information in hand, the sysadmin proceeds to quickly assess the systems in question to ensure that applying the patch won’t hurt anything important. This is a good news, bad news sort of thing. The good news? One of the systems can be patched without consequence. The sysadmin calls another InsightConnect workflow through the slackbot, kicking off a patching sequence in BigFix for the safe-to-patch asset.
The bad news? A critical business application will be impacted if the patch is applied to the other asset. Nothing is ever simple. The sysadmin submits an exception request for the patch and asset, and another InsightConnect workflow notifies the security analyst of the pending exception. This story does have a happy ending, though. The sysadmin noted that the vulnerable system is sitting in a segmented corner of the network. The risk is acceptable, and the security analyst approves the exception via the slackbot. All is well. Our heroes may rest.
Despite idealizing some aspects of the above scenario, any security analyst or systems administrator will recognize the basic steps that were taken here. What they may not realize is the speed with which resolution is actually possible. No single task is in itself daunting, but the streamlining of them via chat-integrated workflows in InsightConnect eliminates the need to log in to multiple tools and perform actions across a variety of complex user interfaces. It doesn’t take a gargantuan, highly complex workflow to make day-to-day operations a lot more pleasant for everyone. Instead, tie Slack to the remediation process with the workflows from the Vulnerability Remediation Toolkit for an easy lift with a quick payoff.