Last updated at Fri, 17 Jul 2020 13:02:00 GMT
Today, more and more security teams are relying on chat and collaboration tools like Slack and Microsoft Teams to communicate quickly and effectively as they work to keep their organizations secure.
Day in and day out, security analysts are checking messages using the applications on their workstations and even their cell phones to communicate about the latest threats, alerts, and machines that need to be patched. And while communication among teams is improving, the challenges faced as a result of too many disparate tools firing too many alerts persist. Alert and console fatigue are real, and this all too familiar combination is making security teams less effective by reducing focus and increasing the time it takes to respond to threats.
With InsightConnect, Rapid7’s security orchestration and automation (SOAR) tool, you can take action against alerts, threats, and vulnerable hosts directly from your existing communication tools, increasing visibility and saving time so you can accomplish more and focus on what matters.
Early security operations from chat
In 2011, I was a security engineer in a forward-thinking research environment that instituted chat operations as a way to respond to events occurring on the network. This was a time before SOAR was coined. It was also a time before modern chat tools like Slack and Microsoft Teams took hold.
We used an encrypted internal IRC server that we hosted ourselves and wrote custom API services and chatbot code to integrate with our tools. I remember working with a coworker on a RESTful API for Nagios so we could schedule host downtime from chat. We also built an API service for our Black Hole Router, which allowed us to block hosts that were DoSing our networks at the perimeter, all directly from chat.
It took time to wire everything up, but once we did, it was highly effective. Our team was able to respond more quickly because everyone in the channel was keyed in on the threats coming in, and more importantly, the remediation actions being taken. We were all in sync, working as a united defensive front.
Fortunately, many more products support APIs today. Cue Rapid7’s InsightConnect. Our security orchestration and automation offering has built-in functionality that allows you to create chatbots without code. Let’s take a look at what this is like in the next section.
Modern security operations powered by InsightConnect
We’ll begin with a security investigation triggered from Slack. The initial indicator could come from anywhere, such as a network or host log (e.g., InsightIDR, Rapid7’s SIEM solution), a phishing email, or a threat intelligence source.
However, in this illustration, someone impersonating Lauren shares a sign-up link in the company Slack channel. Jadon, an analyst on the security team, is skeptical of the message and quickly issues chat commands to find out more about the threat.
Let’s take a closer look at each of the conversation threads generated by InsightConnect. First, Jadon tries to unshorten the URL to get the actual domain. Using the unshorten plugin, InsightConnect returns what looks to be a typo-squatted domain.
The domain doesn’t look good, so the next step is to check it against a threat intelligence source. The company has a subscription to VirusTotal, so Jadon uses the VirusTotal plugin, which returns five positive anti-virus matches. Jadon is now very confident that this link is a threat and needs to be blocked.
Knowing that this source can cause further harm, Jadon immediately blocks it at the gateway by issuing a command to block the URL.
If you look at the timestamps, this investigation was completed within two minutes of Jadon being made aware of the message. Now, imagine analysts jumping through many different tools to accomplish these tasks. Furthermore, imagine 10, 50, or even 100 threats that need to be addressed in a single day. We can all work smarter, not harder, by giving our teams the information and context they need to respond to threats—right from the tools they are using every day.
This illustration is just one example of making your existing tools more effective. This workflow can also be fully automated or have a human intervention component where it posts to your chat tool asking for permission to block a host or patch a system. Our workflow builder allows you to create automations that align to your organization’s security processes.
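To make the chat-driven triage above concrete (unshorten the link, check it against threat intelligence, then block it at the gateway, with the human-approval step just described before anything is blocked), here is an added Python sketch of a command handler. It is not InsightConnect code or code from the post; the `ChatBot` class, the `!unshorten`/`!vt`/`!block`/`!approve` command names, and the redirect map and threat-intel table are all constructed assumptions standing in for the unshorten and VirusTotal plugins.

```python
import re

# Constructed stand-ins for the unshorten plugin and the VirusTotal lookup the post describes;
# a real bot would replace these two tables with calls to those services.
REDIRECTS = {"https://sh.example/abc": "http://acme-signup.example/join"}  # constructed redirect map
INTEL = {"acme-signup.example": 5, "acme.example": 0}                       # constructed AV-hit counts

def unshorten(url, redirects=REDIRECTS, max_hops=5):
    """Follow the redirect chain to its final URL; the hop limit guards against redirect loops."""
    for _ in range(max_hops):
        if url not in redirects:
            return url
        url = redirects[url]
    raise ValueError("redirect chain too long")

def domain_of(url):
    """Extract the host part of an absolute URL (None if the string is not one)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", url, re.I)
    return m.group(1).lower() if m else None

class ChatBot:
    """Command handler for the triage steps; each reply is what the bot posts to the channel."""
    def __init__(self, redirects=REDIRECTS, intel=INTEL, threshold=1):
        self.redirects, self.intel, self.threshold = redirects, intel, threshold
        self.pending = set()  # block requests waiting for a human's approval
        self.blocked = set()  # URLs handed to the gateway block list
    def handle(self, user, line):
        parts = line.split()
        if len(parts) != 2:
            return "usage: !unshorten|!vt|!block|!approve <url>"
        cmd, url = parts
        if cmd == "!unshorten":
            return f"{url} -> {unshorten(url, self.redirects)}"
        if cmd == "!vt":
            hits = self.intel.get(domain_of(url) or url)
            if hits is None:
                return f"{url}: no threat-intel record"
            verdict = "MALICIOUS" if hits >= self.threshold else "clean"
            return f"{url}: {hits} positive matches ({verdict})"
        if cmd == "!block":  # human-in-the-loop: ask the channel before touching the gateway
            self.pending.add(url)
            return f"{user} requested a block of {url}; reply '!approve {url}' to confirm"
        if cmd == "!approve":
            if url not in self.pending:
                return f"no pending block request for {url}"
            self.pending.discard(url)
            self.blocked.add(url)
            return f"{url} blocked at the gateway by {user}"
        return f"unknown command {cmd}"
```

Swapping the two tables for real lookups (and the `blocked` set for a gateway API call) turns this into the fully automated variant; keeping the `!approve` step is the human-intervention variant.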
Increase your operational efficiency
InsightConnect now features over 80 pre-built workflow templates that leverage Microsoft Teams or Slack, as well as the most popular security and IT solutions. By automating tasks using these chat-driven workflows, your team can improve collaboration, accelerate decision-making, and increase efficiency when investigating, responding to, and remediating incidents. Without the need to switch between user interfaces, you will save valuable time without sacrificing visibility.
Check out our toolkits to see how we integrate with popular security vendors: