Whiteboard Wednesday:

ChatOps: Distributed Alerting

5月 15, 2019

In this week’s Whiteboard Wednesday, Tyler Terenzoni, Technical Product Manager for InsightConnect, explains how ChatOps is innovating the security space. He breaks down the three main use cases—distributed security alerting, automated alert validation, and automated enrichment tasks, and details how your team can immediately save time and resources by implementing ChatOps.


Video Transcript

Hello and welcome to this week’s Whiteboard Wednesday. My name is Tyler Terenzoni, and I’m a technical product manager on Rapid7’s InsightConnect team.

Show more Show less

 

Today, we’re going to be talking about how streamlining alert communications, through tools like Slack, can allow you to distribute alerts more effectively and resolve issues more collaboratively. Even better, when implemented correctly it can help address issues like alert fatigue or staffing issues within a SOC. We’re going to focus on three specific areas ChatOps can help increase security: distributed security alerting, automating alert validation, and automating enrichment tasks.



Without ChatOps, it can be difficult to both coordinate and collaborate on the different alerts that you might receive. An employee could flag something, a third party might contact the company after noticing something strange, or hackers could notify the company. None of those options are ideal.

 

But with ChatOps, teams can leverage a chatbot that will push notifications from different security tools to one place, allowing for easier incident recognition and increased security visibility.

 

Alerts are sometimes sent when routine tasks or updates occur and it can be difficult to determine what alert is from a routine task and what is from a real threat. By using ChatOps you now have an area where you can quickly determine the priority of the event, without having to login in to multiple different security consoles. This alone can make security operations much more efficient. With less time spent investigating false alerts, there’s more time to spend on the real ones.

 

When there is a real threat at hand, there are so many tasks that need to happen in order to respond effectively and efficiently. Automation can accelerate time-to-response by over 80 percent, and ChatOps can play a big role in that.

 

Leveraging ChatOps automation, processes, such as the querying of logs and lookups, can be automated directly from Slack. This way, when an alert is verified as requiring investigation, you can set into motion an entire workflow to enrich and investigate the alert and save valuable time. With less tools to wrestle with and more time to focus on the strategic work, your team can become measurably much more efficient.

 

With your security ecosystem set up to deliver alerts, incident notifications, and other data via your existing tools, security operations become more streamlined, collaborative, and efficient. Augmented with multi-factor authentication (MFA), analysts spend less time dealing with multiple alerts and more time triaging true positives due to a better signal-to-noise ratio.

 

To see a sample ChatOps workflow—or workflows for other automation use cases—check out our automation playbook, where we demonstrate how you can leverage SOAR tools to accelerate your day-to-day processes. That’s it for this week’s Whiteboard Wednesday. We’ll talk to you next time.

Security Automation Can Be Simple

Check out some common workflows and best practices in our Security Orchestration and Automation Playbook.

Learn more

InsightConnect Demo

Want to see InsightConnect in action?

Request a demo