How to Develop a SOAR Workflow to Automate a Critical Daily Task

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/11/15/how-to-develop-a-soar-workflow-to-automate-a-critical-daily-task/


As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time as well as investing your time and budget into making a new security platform your own. I’ve been working with Rapid7 for years now and have become a kind of evangelist for the user-friendly, low-code workflows that make SOAR a joy to manage and an important efficiency driver in our security program.

In this blog post, the third in a series of how-to guides on getting going with SOAR in general and with Rapid7 InsightConnect in particular, I’ll provide an overview of my experience developing a URL Blocking workflow to fit my organization’s specific needs – and perhaps those of your organization as well!

A Workflow to Automatically Block URLs in Multiple Systems

I built this workflow to address two very common use cases:

  • A user reports receiving a phishing email that does in fact contain a suspicious link
  • We learn about phishing or other scams that leverage external links from threat intelligence sources

Upon learning about a likely malicious link, our team needs to investigate it and decide what to do about it. Historically this was a manual three-step process:

  1. Investigate the link and its domain by pulling in threat intelligence from multiple sources to see what is known about it.
  2. If it is determined to be malicious, block the URL, and potentially the whole domain, in our email security system (Mimecast), our DNS filter (Cisco Umbrella) and our Palo Alto firewalls.
  3. Figure out who, if anybody, in our organization had already clicked the link, and if anyone had, move on to further response steps for that user and endpoint.

As you can imagine, executing each of these steps manually can take a significant amount of time. Now, imagine conducting this process multiple times a day, when time is the enemy. Also, what if your security team is experiencing turnover? On my team, we recently lost an analyst and gained another. We needed a reliable and repeatable process that any analyst can execute with minimal training.

That’s where a workflow such as this becomes so useful! New analysts don’t need to know all the places to block a URL in our organization. By executing a single workflow from Microsoft Teams, the URL that has been determined to be malicious is guaranteed to be blocked, in all the necessary places, every time. In addition, the workflow can also figure out if someone previously went to that link, and thus whether a given user or endpoint requires further investigation.

This was hard and slow to do manually; I estimate it consumed 30-60 minutes of analyst time, each time. To conduct the investigation by hand, you have to go to each log source, search for the URL, and then update the local policies to block it going forward. With the workflow I built, it becomes an instant process that only requires a minute or two of review after execution. It’s no wonder my security analyst team asked for this workflow specifically.

Want to see it in action? Check out this short video.

How Did I Develop this SOAR Workflow?

The best and easiest place to start for many SOAR workflows is with your chat apps. I started with Microsoft Teams, but you can use Slack as well; it doesn’t really matter. They both do a great job of facilitating communication with select staff members, initiating SOAR workflows, and presenting the results.

Next, use Rapid7 plugins (the way Rapid7 InsightConnect integrates with third-party systems) for the IT and security systems your organization uses and that your particular automation workflow requires. Then put your logic, human decision points and communication points into the workflow.

Once the workflow is complete, you’ll still need to do some testing to make sure it works as designed. There are always little things; for example, different plugins expect different input formats. Cisco Umbrella just requires a domain, whereas for a firewall you’ll need to use the entire URL when searching logs and updating block lists. The same goes for Mimecast and other email security platforms. But start small! Build out the logic as you get more comfortable with the whole approach and as you get feedback from your user group.

How long did it take to get this URL blocking workflow up and running?

This URL-blocking workflow has about 20 steps. As for time to develop, I put together the bones of it in a day or two, with just a few hours of total effort. The input validation and the testing actually took the longest, but it was no more than a week from start to finish to get this particular workflow out the door. Donating it to the InsightConnect community also took very little effort.
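The input-format differences and the input validation mentioned above are the parts that are easiest to get wrong, so here is an added example (not code from the post or from InsightConnect) of that logic in plain Python: it validates a reported link, derives the domain a DNS filter expects and the full URL a firewall or email gateway expects, and then checks constructed URL-log lines for users who already reached the link. The log format, field names and hostnames are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Analysts often paste "defanged" indicators (hxxp://, example[.]test); undo that first.
def refang(raw: str) -> str:
    s = raw.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def build_block_targets(raw: str) -> dict:
    """Validate a reported link and derive what each system expects: the bare domain
    for the DNS filter, the full normalised URL for the firewall and email gateway."""
    url = refang(raw)
    if "://" not in url:
        url = "http://" + url  # a bare hostname is accepted and treated as http
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"not an http(s) URL: {raw!r}")
    # Reject IP literals and junk: a domain-based block list needs a real hostname.
    if "." not in host or re.fullmatch(r"[0-9.]+", host) or not re.fullmatch(r"[a-z0-9.-]+", host):
        raise ValueError(f"unsupported host for a domain-based block: {host!r}")
    full_url = f"{parts.scheme}://{host}{parts.path or '/'}"
    if parts.query:
        full_url += "?" + parts.query
    return {"dns_filter": host, "firewall": full_url, "email_gateway": full_url}

# Constructed proxy-style log lines standing in for the firewall URL log (assumed format).
SAMPLE_LOGS = [
    "2022-11-15T09:12:01Z user=jdoe src=10.1.2.3 url=http://bad-example.test/login.php?id=7",
    "2022-11-15T09:14:22Z user=asmith src=10.1.2.9 url=https://intranet.example/home",
    "2022-11-15T09:20:05Z user=bwong src=10.1.2.4 url=http://bad-example.test/",
]

def find_clicks(targets: dict, log_lines: list) -> list:
    """Step 3 of the process: who already reached the link? Exact URL hits and other
    pages on the same domain are reported separately so the analyst can triage them."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        seen = fields.get("url", "")
        if seen == targets["firewall"]:
            hits.append({"user": fields["user"], "match": "url"})
        elif (urlsplit(seen).hostname or "").lower() == targets["dns_filter"]:
            hits.append({"user": fields["user"], "match": "domain"})
    return hits
```

Raising on bad input is deliberate: the workflow should stop before any block list is touched rather than push a malformed entry to three systems.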

The key here is to not be afraid to keep testing and iterating. When in doubt, don’t hesitate to reach out to the Rapid7 Discuss community to ask for advice.

Now, by leveraging this SOAR-based automation, it takes less than a minute to block a malicious URL everywhere it needs to be blocked. Previously, blocking a URL manually, system by system, could take 40 minutes to an hour from start to finish. We run this workflow 10-20 times in a typical week, so it saves between 7 and 20 hours of analyst time a week, as much as half an FTE from this one security automation alone! The increased blocking completeness and speed is a further risk-reduction bonus.

My Advice for SOAR Workflow Builders?

Rapid7 InsightConnect is one of those tools that does not and should not exist in a vacuum. You actually need the support and involvement of your other IT teams to deliver maximum value. Get that buy-in! It’s a security orchestration tool. So orchestrating multiple people, processes and technology is what it’s there to do!