How To Embrace Runbook Automation of Repeatable Tasks
Runbook automation is the process by which you define, build, orchestrate and manage workflows to support your cybersecurity operations, focusing on the automation of repetitive tasks that allow you to speed up your incident response times while becoming more consistent in your response approach and execution.
We commonly see this type of automation in the IT world wherever lots of sysadmins run large amounts of infrastructure. Over the last couple of years, however, we have seen the requirement for runbook automation in SOAR platforms dramatically increase as CSOC analysts get to grips with the scale of incidents they must respond to. Beyond basic connectivity, data flow and automated outputs, the more advanced SOAR platforms provide for more advanced automation. For example, they process orchestration across different tools and technologies, as well as case management.
I spoke to a CSOC Director at a large financial services business in the US, asking him what his team focused on for CSOC automation. He told me that they first focused on the tasks that their analysts spent the most time on.
As alerts come in for analysis, usually from the firewall, network, IDS and other sources, the initial identification phase requires sifting through a large amount of data, mostly noise, which then leads to follow up tasks for an analyst to perform. Most of these processes are standard and have probably already been documented. This makes alert identification and correlation the low hanging fruit of runbook automation.
Analysts need to investigate activities in the environment to validate legitimate incidents underway – but a limitation is security and forensic analysts availability. The number of analysts in your CSOC does not scale well. As a result, during the initial investigation and triage stage, runbook automation is a fantastic way to get ahead of the curve.
With some technology solutions, reports generation is automatic. Others are assembled manually after manual investigative effects, and putting these together can consume a lot of an analyst’s time. By automating the process of report generation with runbook automation, you can dramatically cut down on the time analysts spend on reporting, allowing them to focus on more important tasks in the CSOC.
When looking towards runbook automation of repeatable tasks, CSOC directors are demanding some, if not all, of the following functionality to help them improve their workflows.
CSOC teams want to be able to automate their standard operating procedures as much as they possibly can, instead of merely triggering a remediation action. To accomplish these CSOC teams align their automated actions with runbooks. Some SOAR platforms enable this by providing either a GUI based configuration panel or command line tools that allow analysts to automate their triage, investigation and remediation activities and most SOAR vendors provide runbook templates or pre-canned runbooks for their customers.
Many CSOC’s are still using traditional case management and ticket systems, but these tools are very often inadequate for a CSOC analysts needs, with analysts very often requiring transparent communications channels between the CSOC and IT operations in order to support shared processes. Leveraging runbook automation in case management requires central management capabilities to initiate, communicate and monitor the CSOC’s activities throughout the lifecycle of incidents and events.
The modern CSOC with an eye on runbook automation requires process orchestration to work across their different tool sets. For example, an investigation process often involves fetching the data, analyzing the data, working out the incidents and who it affected, then communicating the results to the right people, before taking the right actions to remedy the incident. To get this right means that a CSOC needs to well document their process and have the right tools which integrate with each other to make it happen, meaning that your cybersecurity produces need open API’s and solid developer support.
I spoke to the CEO of SOAR vendor CyberSponse Joseph Loomis, asking him how SOAR has evolved into playbook management in recent years. He told me “Open source playbooks are the future, sharing recipes of these playbooks is the only way to scale and ensure the industry actually can respond to threats as quickly as they are created. The community shared approach is becoming almost started and through the Incident Response Consortium, this provides the forum and the audience to see this approach scale to market and break all the rules of traditional playbook development.”
How to choose a SOAR platform with runbook automation
When deciding which SOAR platform to use for your CSOC, there are some important considerations that need to be taken into account before making choices that may impact operations.
The number of integrations that a SOAR platform can handle is probably the most important factor to consider when choosing a SOAR platform, as most of the tools you will use in a CSOC rely on the use of APIs to perform automation activities. The more integrations a SOAR platform can accommodate in the areas of endpoint security, network security, antimalware, identity management and forensics, the higher the chance that integration and ongoing management efforts will run smoothly. Messaging and communications tools are also important integrations to consider, allowing teams to communicate across different units in response to a threat.
Event management tool alignment
Because event management tools are usually implemented with some sort of defensive motivation in mind, it means that you have to automate detection, response and investigation tasks, and processes. It also means integrating with a SIEM tool – this is where all event management in a CSOC takes place. You need to carefully consider how events are passed between different toolsets and reported when considering runbook automation.
Implementation & ease of use
Some SOAR platforms and runbook automation tools are GUI-driven, with well-designed and thought-out runbook creation tools. Others, on the other hand, force analysts to use a command line which isn’t ideal as analysts should not be grepping a command line to look for information during an incident. The creation and monitoring of runbooks and their workflows should be fluid, with collaboration between team members and reporting baked into the platform for easy execution by analysts.
Ultimately, runbook automation can never replace skilled and experienced analysts who know their environment and know how to properly react when an incident takes place. Some runbook automation tools offer pre-built workflow libraries for specific incident types and this can help jump-start the runbook automation process for teams desperate to implement automation.
While the breach landscape is ugly and getting uglier by the day, CSOC teams need to start detecting and responding faster than ever before and unless a CSOC implements automation in one way or another, it’s unlikely that they will ever get ahead of incidents.
Post provided to you by @InfosecScribe