All posts by Ryan Fried

How to Develop a SOAR Workflow to Automate a Critical Daily Task

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/11/15/how-to-develop-a-soar-workflow-to-automate-a-critical-daily-task/


As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time as well as investing your time and budget into making a new security platform your own. I’ve been working with Rapid7 for years now and have become a kind of evangelist for the user-friendly, low-code workflows that make SOAR a joy to manage and an important efficiency driver in our security program.

In this blog post, the third in a series of how-to guides on getting going with SOAR in general and with Rapid7 InsightConnect in particular, I’ll provide an overview of my experience developing a URL Blocking workflow to fit my organization’s specific needs – and perhaps those of your organization as well!

A Workflow to Automatically Block URLs in Multiple Systems

I built this workflow to address two very common use-cases:

  • A user reports receiving a phishing email that does in fact contain a suspicious link
  • We learn about phishing or other scams that leverage external links from threat intelligence sources

Upon learning about this likely malicious link, our team needs to conduct an investigation to decide what to do about it – historically this was a manual three-step process:

  1. Investigate the link and associated domain by pulling in threat intelligence from multiple sources to see what is known about it.
  2. If it is determined to be malicious, block the URL and potentially the whole domain in our email security system (Mimecast), our DNS filter (Cisco Umbrella) and our Palo Alto firewalls.
  3. Figure out who, if anybody, in our organization had already clicked the link, and if anyone had, move on to further response steps.

As you can imagine, executing each of these steps manually can take a significant amount of time. Now, imagine conducting this process multiple times a day – especially since time is the enemy. Also, what if your security team is experiencing turnover? On my team, we recently lost an analyst and gained another. We needed a reliable and repeatable process that any analyst can execute with minimal training.

That’s where a workflow such as this becomes so useful! New analysts don’t need to know all the places to block a URL in our organization. By executing a single workflow from Microsoft Teams, the URL that has been determined to be malicious is guaranteed to be blocked, in all the necessary places, every time. In addition, the workflow can also figure out if someone previously went to that link, and thus whether a given user or endpoint requires further investigation.

This was hard and slow to do manually: I estimate it consumed 30-60 minutes of analyst time, each time. To conduct the investigation manually, you have to go to each log source, search it for the URL, and then update the local policies to block it going forward. But with the workflow I built, it becomes an instant process that only requires a minute or two of review after execution. It’s no wonder my security analyst team asked for this workflow specifically.

Want to see it in action? Check out this short video.

How Did I Develop this SOAR Workflow?

The best and easiest place to start for many SOAR workflows is with your chat apps – I started with Microsoft Teams, but you can use Slack as well; it doesn’t really matter. They both do a great job of facilitating communication with select staff members, initiating SOAR workflows, and presenting the results.

Next, use Rapid7 plugins (how Rapid7 InsightConnect integrates with third-party systems) based on the IT and security systems your organization uses and that are required for your particular automation workflow. Then put your logic, human decision points, and communication points into the workflow.

Once the workflow is complete, you’ll still need to do some testing to make sure it works as designed. There are always little things – for example, certain plugins expect different input formats. Cisco Umbrella just requires a domain, whereas for a firewall, you’ll need to use the entire URL when searching logs and updating block lists. The same goes for Mimecast and other email security platforms. But start small! Build out the logic more as you get more comfortable with the whole approach and as you get feedback from your user group.
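The three-step process above (investigate, block in each system, find who already clicked) hinges on the input validation and per-system formatting just described. The following is an added example written for this post, not the author’s workflow or any InsightConnect plugin: it validates an analyst-supplied indicator, produces the domain form Cisco Umbrella wants and the full-URL form the firewall and Mimecast want, and searches constructed sample log lines for users who already visited the link. The system names are plain dictionary keys, the log format is invented, and no real plugin API is called.

```python
"""Normalise a reported URL into per-system block values and find prior visitors."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample log lines (not real data), format: "<timestamp> <user> <url>"
SAMPLE_LOGS = [
    "2022-11-15T09:01:12Z alice https://example-bad.test/login/index.php?id=7",
    "2022-11-15T09:05:40Z bob https://intranet.example.test/home",
    "2022-11-15T09:07:03Z carol http://example-bad.test/other",
    "2022-11-15T09:09:00Z dave https://cdn.example-bad.test/x",
]

# Hostname sanity check: dotted labels, 1-63 chars each, no leading/trailing hyphen
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalise(raw):
    """Validate an analyst-supplied indicator; return (full_url, domain)."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw  # analyst pasted a bare host or host/path
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % raw)
    host = parts.hostname.lower()
    if not DOMAIN_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    # Drop the fragment (never sent to the server); keep path and query because
    # the firewall and Mimecast match on the full URL, not just the host.
    full = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
    return full, host


def block_targets(raw):
    """Per-system values: Umbrella takes a domain, the others take the full URL."""
    full, host = normalise(raw)
    return {"umbrella": host, "firewall": full, "mimecast": full}


def users_who_visited(raw, log_lines):
    """Users whose logged requests hit the reported host or any of its subdomains."""
    _, host = normalise(raw)
    hits = set()
    for line in log_lines:
        _ts, user, url = line.split(" ", 2)
        try:
            _, seen_host = normalise(url)
        except ValueError:
            continue  # skip malformed log entries rather than abort the search
        if seen_host == host or seen_host.endswith("." + host):
            hits.add(user)
    return sorted(hits)
```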

How long did it take to get this URL blocking workflow up and running?

This URL-blocking workflow has about 20 steps or so. As for development time, I put together the bones of it in a day or two, with just a few hours of total effort. The input validation and testing actually took the longest – but it was no more than a week from start to finish to get this particular workflow out the door. And donating it to the InsightConnect community also took very little effort.

The key here is to not be afraid to keep testing and iterating. When in doubt, don’t hesitate to reach out to the Community via the Discuss Community to ask for advice.

Now, by leveraging this SOAR-based automation, it takes less than a minute to block a malicious URL everywhere it needs to be blocked. Previously, if you had to block a URL manually, one system at a time, it could take 40 minutes to an hour from start to finish. We run this workflow 10-20 times in a typical week. So that saves between 7 and 20 hours of analyst time a week – as much as half an FTE from this one security automation alone! And the increased blocking completeness and speed is a further risk reduction bonus.

My Advice for SOAR Workflow Builders?

Rapid7 InsightConnect is one of those tools that does not and should not exist in a vacuum. You actually need the support and involvement of your other IT teams to deliver maximum value. Get that buy-in! It’s a security orchestration tool. So orchestrating multiple people, processes and technology is what it’s there to do!

How to Accelerate Your SOAR Program to Full Speed in Less Than a Year

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/09/21/how-to-accelerate-your-soar-program-to-full-speed-in-less-than-a-year/


Every new technology comes with a learning curve specific to your organization. First you learn the basics, then you accelerate. Rapid7’s offerings are no different.

As a Senior Information Security Engineer at Brooks, I have firsthand experience with this process. I oversaw the implementation of Rapid7’s security orchestration, automation, and response (SOAR) product, InsightConnect, within my organization. We went from zero to 20+ workflows in just one year. Here are some reflections and advice about setting up a SOAR program, through the lens of my story about that successful and innovative year.

Workflow 1: Let Rapid7 hold your hand

In a previous blog regarding our initial deployment of InsightConnect, I shared key advice about how to set up a SOAR tool and get the program started. Looking back on that successful process, I believe that you should start with a goal that’s manageable – and delivers immediate value to help prove and cement the value of the initiative. For example, a phishing-related workflow is a great place to start. But there are other options as well, depending on your organization’s needs. Consider the following questions:

  • What pain point within your organization presents an immediate need?
  • What processes do you already want or need to try to automate?

Consider your team’s key technologies as well, but as you think through these questions, approach the solution in a technology-agnostic way: focus on the process, which can usually be applied to multiple technologies, and on the corresponding desired outcome.

After that, you’ll want to work with your security analysts (assuming you’re not the security analyst!) to determine their pain points as well. What are the most common alerts they get? Where do they spend the most time? Or my favorite question to ask, “What requires the most browser tabs?” Your immediate focus should be how to make their job easier and more efficient.

From there, lean heavily on Rapid7’s product resources and services, and especially existing workflows that you can find in the Rapid7 Extensions Library – this will cut your work in half.

Workflows 2 to 5: Integrate with Slack and Teams

Once you’ve gone live with your first workflow, continue to look to the Rapid7 Extensions Library for workflows you can download and adapt to your needs. Some of the best examples of that use Slack or Microsoft Teams as the primary interface – you can find them easily by searching for workflows by category. And when you find an appropriate workflow, don’t get caught up on the specific technologies in the workflow. Again, focus on the process that you’re automating – after all, blocking an IP on one firewall is essentially the same as blocking an IP on another firewall, as it’s just a matter of swapping the integration plugin.

A major reason I advise starting with Slack and Teams-related workflows is that they’re the most numerous in the library and are valuable to most organizations. But this is the point where buy-in from key stakeholders across your organization becomes essential. Work with whoever runs your Teams or enterprise Slack account to input the appropriate API keys – they’re an extended part of your security automation team.

From there, look into workflows for incident response and enrichment – again, in the extensions library. Searching Virustotal or forcing a password reset or revoking Office 365 access can be very useful areas of automation, since you likely conduct those processes a lot. They can take a lot of time because they often rely on other teams when integration and automations aren’t already in place. Since time is of the essence in a phishing-related compromise, they’re super impactful.

One reason response and enrichment workflows are so useful for Workflows 2 to 5 is that they help you understand that SOAR is not just about full automation. In fact, it’s about supporting human decision-making. So many security decisions require human insight and experience to get right. What SOAR can do is automatically collect the necessary context, tee up the decision to the security analyst, and then broadly automate the execution of those decisions.

Workflows 6 to 10: Home in on your analysts’ pain points

At this point, it’s going to become easier for you and your team to build and implement your own, more heavily customized workflows. You’ll understand things like decision trees, loops, and markdown cards – essential tools to take your security automation workflows to the next level. You’ll then be prepared to start customizing more workflows specifically catered to the needs of your organization and your analysts. Start here:

  1. Find out what your analysts’ top 5 alerts are. They’ll likely be something along the lines of DNS, EDR, Firewalls, or email-related alerts.
  2. Return to the Rapid7 workflow library to find existing workflows you can adopt and customize to address those alert categories.

Expect to commit a couple of hours here and there over a couple of weeks to perfect each workflow to fit your organization. This may sound like a lot, but I promise – the lift isn’t too hard. The Rapid7 Extensions Library and the tool itself do a lot of the lifting for you!

Workflows 10 to 20: Take your workflows to the next level

Once you’ve implemented roughly 10 workflows, you’re ready to start homing in on specific pain points that likely require a bit more customization – for example, ad-hoc actions for investigations like revoking active Office 365 sessions, searching for and deleting specific emails, or automatically blocking likely malicious URLs based on threat intelligence feeds you’re subscribed to.

The more you create, the more comfortable you’ll be creating workflows from scratch. In my experience, by the time you get to 20 workflows, you should expect that you or a team member could get a typical workflow designed and shipped in 1 to 2 weeks, assuming they spend 4 to 8 hours a week on it. Check out two of my team’s prized custom workflows:

However, that’s not to say that you can’t still make existing workflows your own. It’s to your benefit to keep up with the latest developments in Rapid7’s marketplace. I check the marketplace every few weeks and subscribe to the newsletter for new workflows or plugins. I’ve also learned to use the plugin API to make custom API calls for plugins Rapid7 doesn’t yet have!

In my next blog, I’ll take a deeper dive into the why and how of high-value security automation workflows. I’ll also give you some insights into the benefits we’ve seen at Brooks thanks to our SOAR program.


Deploying a SOAR Tool Doesn’t Have to Be Hard: I’ve Done It Twice

Post Syndicated from Ryan Fried original https://blog.rapid7.com/2022/07/21/deploying-a-soar-tool-doesnt-have-to-be-hard-ive-done-it-twice/


As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time. I’ve done it at two different companies, so I’ll share some lessons learned and examples of how we got over some speed bumps and past friction points. I’ll also describe the key steps that helped us create a solid SOAR program.

At Brooks we selected Rapid7’s InsightConnect (ICON) as our security automation tool after a thorough product review. I was familiar with ICON because I had used it at a previous company. There are other SOAR tools out there, but InsightConnect is my preferred option based on my experience, its integrations, support, and Rapid7’s track record of innovation in SOAR. InsightConnect is embedded in everything we do now. We use it to slash analyst time spent on manual, repetitive tasks and to streamline our incident response and vulnerability management processes.

When you’re starting out with SOAR, there are two important things you need to put in place.

  • One is getting buy-in from your Active Directory (AD) team on the automation process and the role they need to play. At Brooks, we have yearly goals that are broken down into quarters, so getting it onto their quarterly goals as part of our overall SOAR goal was really important. This also applies to other areas of the IT and security organizations.
  • The second is getting all the integrations set up within the first 30 to 60 days. It’s critical because your automation tool is only as good as the integrations you have deployed. Maybe 50% to 60% of them fall under IT security, but the other 30% or 40% are still pretty important, given how dependent security teams are on other organizations and their systems. So, getting buy-in from the teams that own those systems and setting up all the integrations are key.

Start with collaboration and build trust

A successful SOAR program requires trust and collaboration with your internal partners – essentially engineering, operations, and the team that runs your Active Directory domain – because they help set up the integrations that the security automations depend on. You need to develop that trust because IT teams often hesitate when it comes to automation.

In conversations with these teams, let them know you won’t be completely automating things like blocking websites or deleting users. In addition, stress that almost everything being done will require human interaction and oversight. We’re just enriching and accelerating many of the processes we already have in place. Therefore, it will free up their time in addition to ours, because it’s accomplishing things they already do for us. And remember, we have the ability to see if something happened that may have been caused by the SOAR tool, so it’s automation combined with human decision-making.

For example, say something stops working. The team asks you: “Hey, what’s changed?” With ICON up and running, you can search within seconds to see, for example, what firewall changes have happened within the last 24 hours. What logins have occurred? Are there any user account lockouts? I can search that in seconds. Before, it used to take me 15 to 30 minutes to get back to them with a response. Not anymore. That’s what I call fast troubleshooting.

Meet with your security analysts and explain the workflows

Right from the beginning, it’s important to meet with your security analysts and explain the initial workflows you’ve created. Then, get them thinking about the top five alerts that happen most often and consume a lot of their time, and what information they need from those alerts. For instance, with two-factor authentication logs, the questions might be, “What’s the device name? Who’s the user’s manager? What’s their location?” Then, you can work in the SOAR tool to get that information for them. This will help them see the benefit firsthand.

This approach helps with analyst retention because the automation becomes the platform glue for all of your other tools. It also reduces the time your analysts have to spend on repetitive drudge work. Now, they’re able to give more confident answers if something shows up in the environment, and they can focus on more creative work.

Dedicate a resource to SOAR

I believe it’s important to have one person dedicated to the SOAR project at least half-time for the first six months. This is where teams can come up short. When the staff and time commitment is there, the process quickly expands beyond simple tasks. Then you’re thinking, “What else can I automate? What additional workflows can I pick up from the Rapid7 workflow marketplace and customize for our own use?”

Take advantage of the Rapid7 Extensions Library

The good news is you don’t need to build workflows (playbooks) from scratch. The Rapid7 Extensions Library contains hundreds of workflows which you can use as a core foundation for your needs. Then you can tweak the last 15% to 20% to make the workflow fit even better. These pre-built workflows get you off the ground running. Think of them not as ready-to-go tools, but more as workflow ideas and curated best practices. The first time I used InsightConnect, I used the phishing workflow and started seeing value in less than two weeks.

Implementing a security automation tool within a company’s network environment can be a challenge if you don’t come at it the right way. I know because I’ve been there. But Rapid7’s InsightConnect makes it easier by enabling almost anything you can imagine. With a SOAR solution, your analysts will spend less time on drudge work and more time optimizing your security environment. These are real benefits I’ve seen firsthand at Brooks. You can have them as well by following this simple approach. Best of luck.
