Today, we’re going to be talking about how streamlining alert communications through tools like Slack can let you distribute alerts more effectively and resolve issues more collaboratively. Even better, when implemented correctly it can help with alert fatigue and understaffing within a SOC. We’re going to focus on three specific areas where ChatOps can improve security operations: distributed security alerting, automating alert validation, and automating enrichment tasks.
Without ChatOps, it can be difficult to coordinate and collaborate on the alerts you receive, and too often an incident first surfaces some other way: an employee flags something, a third party contacts the company after noticing something strange, or the attackers themselves notify the company. None of those is an ideal way to find out.
But with ChatOps, teams can leverage a chatbot that will push notifications from different security tools to one place, allowing for easier incident recognition and increased security visibility.
Alerts are sometimes generated by routine tasks or scheduled updates, and it can be difficult to tell which alert comes from a routine task and which from a real threat. With ChatOps you have one place where you can quickly determine the priority of an event, for example by checking whether it lines up with an approved change, without having to log in to several different security consoles. This alone can make security operations much more efficient. With less time spent investigating false alerts, there’s more time to spend on the real ones.
When there is a real threat at hand, many tasks need to happen in order to respond effectively and efficiently. Automation can accelerate time-to-response by over 80 percent, and ChatOps can play a big role in that.
With ChatOps automation, processes such as log queries and lookups can be run directly from Slack. This way, when an alert is verified as requiring investigation, you can set in motion an entire workflow to enrich and investigate the alert and save valuable time. With fewer tools to wrestle with and more time to focus on strategic work, your team can become measurably more efficient.
With your security ecosystem set up to deliver alerts, incident notifications, and other data through your existing tools, security operations become more streamlined, collaborative, and efficient. Protect those workflows with multi-factor authentication (MFA) for anyone who can trigger them, since a chat command that runs a lookup or a response action is only as trustworthy as the account behind it. With a better signal-to-noise ratio, analysts spend less time wading through duplicate alerts and more time triaging true positives.
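The three areas above (pushing alerts from different tools into one place, validating them against routine activity, and enriching them before an analyst looks) are steps of one pipeline, so here is a single worked example covering all three. It is added here and is not code from the original page or from any product it mentions. The sample alerts, change records, threat-intel entries, asset owners, log lines, channel names and scoring weights are all constructed for illustration; the one real protocol detail is Slack's v0 request-signing check (HMAC-SHA256 over `v0:<timestamp>:<body>`, with a five-minute replay window), which a bot should run before a chat command is allowed to trigger any lookup.

```python
"""ChatOps alert pipeline: normalize alerts from several tools, validate them against
approved changes, enrich them, and build a Slack message. Runs offline on constructed data."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed sample alerts from two hypothetical tools; not real product output.
RAW_ALERTS = [
    {"source": "edr", "host": "web-01", "src_ip": "203.0.113.10", "rule": "lateral_movement", "severity": 8},
    {"source": "edr", "host": "build-07", "src_ip": "10.0.5.20", "rule": "new_service_installed", "severity": 4},
    {"source": "siem", "host": "db-02", "src_ip": "198.51.100.7", "rule": "brute_force_ssh", "severity": 6},
]
# Constructed approved-change records: an alert matching one is a routine task, not a threat.
CHANGE_WINDOWS = {"build-07": {"rule": "new_service_installed", "ticket": "CHG-1234"}}
# Constructed enrichment sources an analyst would otherwise look up in separate consoles.
THREAT_INTEL = {"203.0.113.10": "known C2", "198.51.100.7": "mass scanner"}
ASSET_OWNERS = {"web-01": "#team-web", "db-02": "#team-data", "build-07": "#team-ci"}
LOGS = {
    "web-01": ["psexec.exe started by svc_backup", "outbound 203.0.113.10:443"],
    "db-02": ["sshd: Failed password for root from 198.51.100.7"] * 3,
    "build-07": ["service installed: buildagent (CHG-1234)"],
}


@dataclass
class Alert:
    source: str
    host: str
    src_ip: str
    rule: str
    severity: int
    suppressed: bool = False
    reason: str = ""
    enrichment: dict = field(default_factory=dict)


def validate(alert):
    """Mark alerts explained by an approved change so they do not page anyone."""
    change = CHANGE_WINDOWS.get(alert.host)
    if change and change["rule"] == alert.rule:
        alert.suppressed = True
        alert.reason = f"matches approved change {change['ticket']}"
    return alert


def enrich(alert):
    """Attach intel, asset owner and recent log lines; this replaces manual console lookups."""
    alert.enrichment = {
        "intel": THREAT_INTEL.get(alert.src_ip),
        "owner": ASSET_OWNERS.get(alert.host, "#soc"),
        "recent_logs": LOGS.get(alert.host, [])[:3],
    }
    return alert


def priority(alert):
    """0-10 score: tool severity, +2 for a threat-intel hit, -3 when explained by a change."""
    score = alert.severity + (2 if alert.enrichment.get("intel") else 0) - (3 if alert.suppressed else 0)
    return max(0, min(10, score))


def to_slack_message(alert):
    """Slack Block Kit payload; the channel is chosen by priority so routine noise stays out of #soc-urgent."""
    score = priority(alert)
    channel = "#soc-urgent" if score >= 7 else "#soc-triage" if score >= 4 else "#soc-lowpri"
    lines = [f"*[{alert.source}] {alert.rule}* on `{alert.host}` from `{alert.src_ip}` (priority {score})"]
    if alert.suppressed:
        lines.append(f"_Suppressed: {alert.reason}_")
    if alert.enrichment.get("intel"):
        lines.append(f"Threat intel: {alert.enrichment['intel']}")
    lines.append(f"Owner: {alert.enrichment['owner']}")
    lines.extend(f"> {line}" for line in alert.enrichment["recent_logs"])
    return {"channel": channel, "blocks": [{"type": "section", "text": {"type": "mrkdwn", "text": "\n".join(lines)}}]}


def process(raw_alerts):
    """Full pipeline for a batch of alerts from any tool that emits the normalized fields."""
    return [to_slack_message(enrich(validate(Alert(**raw)))) for raw in raw_alerts]


def sign_slack_request(signing_secret, timestamp, body):
    """Slack v0 signature: 'v0=' + hex(HMAC-SHA256(secret, 'v0:<timestamp>:<body>'))."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_signature(signing_secret, timestamp, body, signature, now=None):
    """Reject replayed requests older than five minutes, then compare signatures in constant time.
    Run this before a slash command such as /enrich is allowed to trigger a lookup."""
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > 300:
        return False
    return hmac.compare_digest(sign_slack_request(signing_secret, timestamp, body), signature)


if __name__ == "__main__":
    for msg in process(RAW_ALERTS):
        print(json.dumps(msg, indent=2))
```

Routing by computed priority rather than by the originating tool is what keeps the urgent channel quiet: the `build-07` alert is real output from the EDR, but because it matches an approved change it lands in the low-priority channel with the ticket attached, while the two alerts whose source addresses hit the intel table are promoted. The signature check is deliberately separate from the pipeline so the same enrichment code can serve both the automatic webhook path and an analyst-typed command.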
To see a sample ChatOps workflow—or workflows for other automation use cases—check out our automation playbook, where we demonstrate how you can leverage SOAR tools to accelerate your day-to-day processes. That’s it for this week’s Whiteboard Wednesday. We’ll talk to you next time.