Scripting will only get you so far in security automation. Eventually you need a platform that is fully integrated with your security and network infrastructure. This post looks at two such platforms. First, Red Hat Ansible Tower, and how it can integrate with and configure network and security devices. Second, Splunk SOAR, where the point of SOAR (security orchestration, automation and response) is to abstract complexity away behind security-focused playbooks. This removes repetitive work and lets you respond to security events in a standardized way.
Backing up configs and collecting logs is only a small part of automation. Red Hat Ansible Tower and Splunk SOAR both offer ways to reach far more advanced use cases. On the Splunk side, Splunk SOAR ships with a security-focused set of apps and playbooks covering common security tasks: you can check domain and file reputation out of the box, or build your own playbooks from scratch. On the Red Hat side, the Ansible architecture lets you securely reach and support edge use cases with increased portability, using execution environments and automation mesh, and the mesh gives you a secure overlay for bringing automation to the edge.
- A key point: Video for Ansible Tower and the use of templates
In the following video, we go through the critical components of Ansible Tower and its use of templates. Tower's workflow and job templates can fulfil several security automation use cases. We look at the different job template parameters you can use to build an automation job that you then deploy to your managed assets.
Security Automation: The World of Scripting
Traditionally, security automation meant custom in-house scripts. The result is a collection of home-grown scripts, each solving a specific short-term security problem. For example, you may need to collect logs from several devices for security monitoring. A script does the job, but this is far from a scalable and sustainable long-term approach to an enterprise's automation strategy.
Every self-maintained scripting tool that works in its own silo creates another security blind spot. More point tools mean more silos and more blind spots, which in turn tends to trigger the adoption of yet more narrowly focused tools. The more tools you have, the less control you have over your environment, and an environment nobody fully controls is exactly where lateral movement goes unnoticed.
The need for a security platform
For example, look at lateral movement in an Active Directory (AD) network. Lateral movement is a real problem, and the techniques are well tooled with frameworks such as Metasploit, Impacket, and PurpleSharp. However, it can be hard to tell whether a given action is a bad actor or a sysadmin carrying out daily activities. Once the bad actor stealthily navigates the network, they can compromise accounts, find valuable assets, and gradually exfiltrate data, all of which can go unnoticed in a below-the-radar style of attack. A favoured exfiltration vector is DNS, because DNS traffic often goes unchecked.
- SOAR meaning: A quick point.
Here you should integrate Splunk SOAR with User Behaviour Analytics (UBA) to detect deviations from a baseline. UBA uses unsupervised machine learning to build profiles of the entities (users, hosts, accounts) on the network. Today's attacks are distributed, and multiple entities are used to stage an attack. Once there is a significant deviation from an entity's normal behaviour, an anomaly is raised. An anomaly does not necessarily mean a threat, but it can be combined with other network and infrastructure signals to determine whether a bad actor is present. For example, we look at the time of day, the frequency, or any other unusual activity, such as privilege escalation.
Lack of Speed
Without security tools integrated into your security automation, and without automated orchestration processes, response is manual. Manual response slows the mean time to respond (MTTR) and increases the chance that an attack succeeds. When the mean time to detect (MTTD) is too long, bad actors have time to breach and exfiltrate data. The manual approach to detecting, triaging, and responding to threats is simply not fast enough. Ransomware, for example, is quick; once the binaries execute, it's game over. So focus your efforts on the detection phase of the kill chain and catch lateral movement before the attacker pivots to valuable assets.
The Need for Security Automation
To address this challenge, you need a security solution that ties together your existing security products to close the response and remediation gap. These automation and orchestration actions must work across all your security vendors so that response and remediation are consolidated in one place. A unified and standard response can then be built on pre-approved policies: resources are configured consistently according to those policies and proactively kept in that state in a repeatable fashion.
Security-focused content collection
This gives a faster, more efficient, and streamlined way to automate the identification, triage, and response to security events. It is backed by security-focused content. For Red Hat Ansible Tower, this comes in the form of collections of roles and modules dedicated to security teams. Splunk SOAR likewise has security-focused apps and playbooks ready to use from Splunkbase. The pre-approved playbooks of Ansible Tower and Splunk SOAR reduce the chance of misconfiguration and speed up every stage of a security investigation.
Secure Automation and Orchestration
When you are hit by waves of malware, phishing, ransomware, and under-the-radar attacks, automation and orchestration are the only practical way to keep up. Security automation does most of the work, so you no longer have to wade through and manually address every alert as it comes in, or process every security action or task by hand.
- Level of automation maturity
The level of automation you adopt depends on the maturity of the automation already in your environment. If you are new to automation, start semi-automated: have SOAR or Tower playbooks raise an alert for further investigation rather than act on their own. If you are further along, chain playbooks together to carry out coherent detection and response end to end. This is easy to do in SOAR with the visual playbook editor, and Ansible Tower has workflow templates that can be combined with role-based access control so that only authorized users launch the more disruptive steps.
Red Hat Tower: How to Start
Most organizations have an IT operations team and a security team, with traditionally disjoint roles and responsibilities. IT operations hardens systems, manages the infrastructure, and deploys and maintains systems, while the security operations team tracks ongoing threats, runs intrusion detection/prevention, and carries out firewall management.
- Ansible has a common language.
With these two disjointed teams, Ansible can be the common automation language for everyone across the organization. Specifically, Red Hat Ansible Tower can be the common layer between security tools and can be used for a variety of security use cases that bring the two teams together.
Red Hat Tower: Security Automation
Red Hat Ansible Tower can orchestrate security systems using a series of curated security collections of modules, roles, and playbooks, so you investigate and respond to threats using trusted content. This lets you coordinate your enterprise security systems to perform several security duties, such as investigation enrichment, threat hunting, and incident response.
So you can integrate Red Hat Ansible Tower with your security infrastructure and have pre-approved playbooks ready to run when a threat is detected. For example, a playbook can be triggered automatically on the results of a security scan. The following are some of the use cases for Ansible Tower playbooks.
- Secure Automation: Security Patching
You could start with patching. Unpatched servers are one of the biggest causes of breaches. Automated patching boosts system security and stability, improving uptime, and the benefit is noticed straight away.
- Secure Automation: System Hardening
System hardening is something everyone can do for all systems. With automation, we can rapidly identify systems that require patches or reconfiguration, then apply the patches or change system settings according to defined baselines, consistently across a large number of systems. Changes to your SSH configuration are a typical example.
Here you can use automation to configure the SSH daemon not to allow authentication with an empty password (the PermitEmptyPasswords directive in sshd_config). You can run these playbooks in check mode, which reports what would change without changing anything, so people who do not have full automation rights can safely run compliance checks. Again, combine this with role-based access control.
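The following is an added example, not code from the original post or from any Ansible collection. It reproduces in plain Python what a lineinfile-style hardening task does for PermitEmptyPasswords, including the check mode described above, so you can see the two things that make such a task safe to schedule: it is idempotent (a second run reports no change), and it only edits the global section of sshd_config, because sshd takes the first value it sees and any line after a Match block belongs to that block. The sample config is constructed.

```python
"""Check-mode style hardening of an sshd_config directive.

Added example (not from the original post or from any Ansible collection):
it reproduces in plain Python what an Ansible lineinfile-style task does when
it enforces PermitEmptyPasswords. Assumed: the file uses the standard OpenSSH
sshd_config syntax.
"""
import re

# Constructed sample config: a distro default plus a local Match block.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitEmptyPasswords no
PasswordAuthentication yes
Match User backup
    PermitEmptyPasswords yes
"""


def ensure_directive(config: str, key: str, value: str, check_mode: bool = False):
    """Ensure the global (pre-Match) value of `key` is `value`.

    Returns (changed, new_config). In check mode the original text is returned
    unchanged and `changed` only reports whether a change is needed. sshd uses
    the first value it sees for a directive, and everything after the first
    Match line belongs to that block, so the directive is placed (or replaced)
    in the global section only.
    """
    lines = config.splitlines()
    # Accept "Key value" and "#Key value"; sshd keywords are case-insensitive.
    pattern = re.compile(rf"^\s*#?\s*{re.escape(key)}\b", re.IGNORECASE)
    desired = f"{key} {value}"

    match_start = next((i for i, l in enumerate(lines)
                        if l.strip().lower().startswith("match ")), len(lines))
    global_lines = lines[:match_start]

    active = [i for i, l in enumerate(global_lines)
              if pattern.match(l) and not l.lstrip().startswith("#")]
    new_lines = lines[:]
    if active:
        parts = global_lines[active[0]].split()
        if len(parts) >= 2 and parts[1].lower() == value.lower():
            return False, config            # already compliant: nothing to do
        new_lines[active[0]] = desired
        for extra in reversed(active[1:]):  # drop duplicates so our value wins
            del new_lines[extra]
    else:
        commented = [i for i, l in enumerate(global_lines) if pattern.match(l)]
        if commented:
            new_lines[commented[0]] = desired       # replace "#Key value" in place
        else:
            new_lines.insert(match_start, desired)  # before any Match block, never inside it

    new_config = "\n".join(new_lines) + "\n"
    return True, (config if check_mode else new_config)


if __name__ == "__main__":
    changed, _ = ensure_directive(SAMPLE_SSHD_CONFIG, "PermitEmptyPasswords", "no", check_mode=True)
    print("check mode: change needed" if changed else "check mode: compliant")
    changed, hardened = ensure_directive(SAMPLE_SSHD_CONFIG, "PermitEmptyPasswords", "no")
    print(hardened)
```

Note that the Match block for the backup user keeps its own value; whether that exception is acceptable is a policy question for the baseline, not something the hardening task should silently overwrite.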
- Secure Automation: Network Configuration
For network management, you can configure an ACL or filter so that management access to the device is only allowed from the management network. You can also use automation to lock down who has management access to specific subnets.
- Secure Automation: Firewall Integration
If incorrect firewall rules are driving up incident tickets and change requests, aim to reduce them through automation. For firewall integration, automation speeds up policy and logging configuration changes. For example, we can add an allowlist entry to the firewall configuration to allow traffic from a particular machine to another.
The playbook takes the source and destination IPs as variables, defines a source and a destination object from them, and then defines the access rule between those two objects. All of this can be done with automation, and because the steps are ordered, the objects always exist before the rule that references them.
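As an added example (not from the original post, and not tied to any vendor's firewall module), the following Python models the change set that playbook produces: source and destination come in as variables, objects are defined first, then the rule. It goes a step beyond the text by adding the checks a reviewer would want before the playbook touches a production firewall: reject over-broad or unusable addresses, reuse an existing object with the same prefix instead of creating a twin, and emit nothing when the rule is already present. The object and rule field names are assumptions.

```python
"""Build the ordered change set for a firewall allowlist entry.

Added example, not from the original post and not tied to any firewall
module or vendor API. The object/rule field names are assumptions.
"""
import ipaddress

# Guard against an allowlist playbook being fed "allow everything".
MAX_ENTRY_HOSTS = 256  # refuse anything wider than an IPv4 /24 (assumed policy)


def _validate_network(value: str):
    """Accept a host IP or CIDR; reject unspecified, multicast and over-broad input."""
    net = ipaddress.ip_network(value, strict=False)
    if net.is_unspecified or net.is_multicast:
        raise ValueError(f"refusing unusable address {value}")
    if net.num_addresses > MAX_ENTRY_HOSTS:
        raise ValueError(f"refusing over-broad allowlist entry {value}")
    return net


def plan_allow_rule(existing_objects, existing_rules, src, dst, dst_port, proto="tcp"):
    """Return the ordered list of changes needed for an allow rule src -> dst:port.

    existing_objects: {name: cidr} already defined on the firewall
    existing_rules:   list of (src_obj, dst_obj, proto, port, action) tuples
    Objects are created before the rule that references them, nothing is
    duplicated, and an empty list means the firewall is already compliant.
    """
    src_net, dst_net = _validate_network(src), _validate_network(dst)
    if not 1 <= int(dst_port) <= 65535:
        raise ValueError(f"invalid port {dst_port}")

    changes, names = [], {}
    known = dict(existing_objects)
    for role, net in (("src", src_net), ("dst", dst_net)):
        existing = next((n for n, c in known.items()
                         if ipaddress.ip_network(c, strict=False) == net), None)
        if existing is None:
            existing = "host_%s_%s" % (role, str(net.network_address).replace(".", "_").replace(":", "_"))
            known[existing] = str(net)
            changes.append(("create_object", {"name": existing, "cidr": str(net)}))
        names[role] = existing

    rule = (names["src"], names["dst"], proto, int(dst_port), "allow")
    if rule not in existing_rules:
        changes.append(("create_rule", {
            "src": rule[0], "dst": rule[1], "proto": proto,
            "port": int(dst_port), "action": "allow", "log": True}))
    return changes


if __name__ == "__main__":
    for step in plan_allow_rule({"mgmt_net": "10.0.0.0/24"}, [], "10.0.0.5", "192.168.1.10", 443):
        print(step)
```

In a real playbook these checks belong in the variable validation at the top, so a typo such as a /8 fails the job before any firewall API is called.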
- Secure Automation: Intrusion Detection and Prevention Systems
For your intrusion detection and prevention systems (IDPS), Tower can simplify rule and log management. Automation can manage IDPS rules, and dedicated IDPS roles are available. These roles work with multiple IDPS providers, so the corresponding playbook needs a variable stating which IDPS provider is in use. The first step is to import the role; the new IDPS rule is then handed over via defined variables.
- Secure Automation: Privileged Access Management (PAM) Tools
Ansible Tower can streamline the rotation and management of privileged credentials, which is hard to do manually and consistently. Automated rotation removes long-lived credentials, which is a preventive control in its own right.
- Secure Automation: Endpoint Protection
Automation can simplify everyday endpoint management tasks, integrate with endpoint protection platforms, and provide event-driven detection, quarantining, and remediation.
Advanced Red Hat Tower Features
Job Templates vs. Workflow Template
When creating a template in Tower, we choose between a job template and a workflow template. Choose a job template to create simple jobs from a single playbook. A workflow template creates more complex jobs composed of multiple job templates, with flow control between one job and the next (for example, run the next job only if the previous one succeeded). Workflow templates can also be integrated into your CI/CD pipelines, such as Jenkins.
This makes it easier to combine job templates provided by different teams. In large environments, multiple job templates are connected in a workflow, where the interaction between jobs is defined so that the next job starts depending on the outcome of the previous one. Any inventory and any credentials can be used, which brings a lot of flexibility to automation.
In these multi-playbook workflows, the user creates pipelines of playbooks to execute in sequence on any inventory using one or more sets of credentials. Security teams can configure a sequence of jobs that share inventory, playbooks, or permissions to fully automate investigations or remediations, which brings consistency and security benefits.
Ansible Tower and Scheduling
Ansible Tower templates have a Launch feature; think of this as an ad hoc way to run a task. However, if you are using Tower, use Schedules to better control your automation. For example, you may have a maintenance window in which changes are applied. Here we set the times and frequency of playbook runs.
Scheduling a hardening playbook in Tower automatically refreshes systems that have drifted out of spec. Combined with the provisioning callback feature, new instances call back into Tower as they are spun up and receive the baseline configuration. I find this useful in dynamic cloud environments.
GitHub for Playbooks
GitHub is all about version control: multiple people can work on different parts of the code, and changes are reviewed and merged. It is about managing change across your environments. When Red Hat Ansible Tower runs a playbook, it checks it out from the repository URL configured in the Tower project, and there are several options that enhance the GitHub integration, such as webhooks and personal access tokens.
- Benefits: Removes Inconsistency of Playbooks
Enable the project's Update Revision on Launch option. Without it, someone may notice a problem in a playbook, fix it in GitHub, and then run the playbook feeling sure they are running the latest version, when in fact Tower is still running the older revision because nobody remembered to run the project synchronization first. With the option enabled, Tower pulls the latest revision before every run, which removes this inconsistency and improves your security posture. A lot of security breaches start with a simple misconfiguration.
SOAR for Automation: SOAR Meaning
The difference between an attack being a routine annoyance and a catastrophic event comes down to the robustness of the products and technologies you adopt. Splunk has several products that can help here, ranging from the Splunk SIEM to Splunk SOAR. There are also several observability products, all well integrated and able to assist with security automation.
Customers can solve their primary SIEM use cases with Splunk Enterprise and Splunk Cloud, the core Splunk platforms, which provide collection, indexing, search, and reporting capabilities. The Splunk SIEM collects or ingests the machine data and makes it available to Splunk SOAR.
Splunk SOAR Meaning
Splunk SOAR drives accuracy and consistency in the incident response process. With SOAR, workflows are orchestrated via integrations with other technologies and automated to achieve the desired outcome. With Splunk SOAR automation, the time to investigate malware alerts drops dramatically, while accuracy and consistency across incident response processes improve.
SOAR and Phantom
Splunk SOAR is the rebranding of Splunk Phantom, now with multiple deployment options. Phantom was on-premises only; SOAR is delivered both on-premises and in the cloud. Think of SOAR as the connective tissue for all security operations: it automates decision-making and action. SOAR takes your documented procedures and turns them into playbooks, so you can build complex security operations workflows.
There is an extensive collection of security-focused SOAR apps that interact with the APIs of your existing security and network infrastructure, such as your firewalls, to support activities such as containment and recovery. We will discuss these in a moment.
For cloud deployments there is the Automation Broker, a reduced-feature version of Splunk SOAR that acts as a reverse proxy for automation actions. The Automation Broker runs as a Docker container on the customer premises and uses an encrypted, outbound-only connection to Splunk Cloud SOAR. Because the connection is initiated from inside, you do not need to open inbound ports on the perimeter firewall.
SOAR Meaning: Security-Focused Playbooks
Instead of manually going into other security tools to inject data, enrich logs, and carry out actions such as blocking or manual analysis, you use SOAR playbooks. Several security-focused playbooks can carry out these tasks automatically, so you no longer have to respond by hand to repetitive incidents. For example, Splunk SOAR can respond to malicious emails with a playbook.
- Actions based on the Playbooks
We can then have a list of actions based on the playbook results, including additional investigation tasks or notifying users. Finally, when you want to push the boundaries of automation, several steps can isolate or quarantine hosts depending on the results of the previous playbooks, with the action gated by multi-factor authentication to ensure it is properly authorized.
Additionally, there are over 800 other security-related apps on Splunkbase with pre-built searches, reports, and visualizations for specific third-party security vendors. These ready-to-use apps and add-ons help with security monitoring, next-generation firewalls, and advanced threat management. You can also build your own custom app, from monitoring and observability to improving security.
SOAR Meaning: SOAR Apps
You use many tools from many vendors, and when you respond, each of those tools handles a different event and performs a different function. Splunk integrates with these tools through their APIs, and SOAR can drive them directly so they act in a specific sequence, coordinating all security actions across all tools. So with SOAR you don't get rid of your existing tools; SOAR sits in the middle of them and abstracts a lot of the complexity.
Think of Splunk SOAR as the conductor. It supports over 350 apps, provides tooling to build apps, and you can build your own for any product that has an API. Together these apps perform over 2,000 actions. SOAR apps are Python modules that collect events from sources such as a SIEM, normalize the information, and make it available to playbooks.
- SOAR Meaning: Example: SOAR playbooks
Say we have a network-based sandbox that detects malware arriving by email. An alert is received by the SIEM, sent to SOAR, and triggers a playbook. SOAR queries the SIEM and Active Directory to identify who the affected user is and which department they belong to, and based on that SOAR can query Carbon Black to see how the threat behaves on the endpoint. Finally, SOAR notifies an analyst to intervene and double-check the results manually. This could take 30 minutes by hand, but SOAR does it in 30 seconds.
Let's look at another SOAR playbook in action. A Splunk SOAR playbook is triggered when an email malware alert is received. Because these alerts lack context, the playbook's first step is to query the security information and event management (SIEM) solution for all recipients, then Active Directory to collect context from each affected user's profile: business group, title, and location.
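The two playbooks above follow the same shape: alert, recipients from the SIEM, user context from Active Directory, endpoint verdict from the EDR, then a decision about what to do. The following is an added example, not from the original post and not written against the Splunk SOAR playbook API; the SIEM, AD and Carbon Black lookups are replaced by constructed in-memory tables so it runs offline. What it shows is the enrichment order and the rule from the previous section that destructive actions (host quarantine, credential reset) are queued for an MFA-backed analyst prompt rather than executed by the playbook. Field names, titles and the sample hash are assumptions.

```python
"""Triage an email-malware alert in the order the playbooks above describe.

Added example: not the original post's code and not the Splunk SOAR API.
The lookup tables stand in for SIEM, Active Directory and EDR queries.
"""

# Constructed stand-ins for the SIEM, AD and EDR queries a real playbook makes.
SIEM_RECIPIENTS = {  # message id -> recipients, from the mail logs in the SIEM
    "msg-1001": ["alice@corp.example", "bob@corp.example"],
}
AD_USERS = {  # sAMAccountName -> context pulled from the AD profile
    "alice": {"title": "Accounts Payable Clerk", "group": "Finance", "site": "LON", "host": "WKS-0342"},
    "bob":   {"title": "Domain Admin", "group": "IT", "site": "NYC", "host": "ADM-07"},
}
EDR_EXECUTIONS = {  # (host, sha256 prefix) -> True if the attachment ran there
    ("WKS-0342", "e3b0c442"): True,
}
PRIVILEGED_TITLES = ("domain admin", "administrator")  # assumed policy list


def triage_email_alert(alert, siem=SIEM_RECIPIENTS, ad=AD_USERS, edr=EDR_EXECUTIONS):
    """Enrich an email-malware alert and return the actions the playbook would take.

    Each action is (name, target, auto). auto=False means the action is only
    queued for an analyst prompt backed by MFA; the playbook never runs it.
    """
    actions = []
    for addr in siem.get(alert["message_id"], []):
        user = addr.split("@")[0]
        ctx = ad.get(user)
        if ctx is None:
            # No AD context: cannot judge blast radius, hand it to a human.
            actions.append(("notify_analyst", f"unknown recipient {addr}", True))
            continue
        # Non-destructive containment is safe to automate for every recipient.
        actions.append(("delete_message", f"{addr}:{alert['message_id']}", True))
        executed = edr.get((ctx["host"], alert["sha256"]), False)
        if executed:
            # Host is compromised: isolation and a credential reset need a human plus MFA.
            actions.append(("quarantine_host", ctx["host"], False))
            actions.append(("reset_password", user, False))
        if ctx["title"].lower() in PRIVILEGED_TITLES:
            # Even an unopened phish aimed at an admin is worth an analyst's attention.
            actions.append(("notify_analyst", f"{user} ({ctx['title']}) targeted", True))
    return actions


if __name__ == "__main__":
    for action in triage_email_alert({"message_id": "msg-1001", "sha256": "e3b0c442"}):
        print(action)
```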
- A key point: SOAR meaning with workbooks and phases
Alongside playbooks, SOAR has workbooks. A workbook can have several phases, and each phase has tasks that carry out security actions. In this scenario there is one phase, with several playbooks in it. Some playbooks are triggered automatically, some are invoked manually, and some are invoked manually but prompt for additional information. These tasks are semi-automatic: they automatically import data for you and enrich events from several platforms.
Splunk and Lateral Movements
You can have playbooks that hunt for lateral movement. There are many ways to move laterally in an Active Directory network. PsExec is a sysadmin tool that lets admins connect to other machines and carry out admin tasks remotely. But what if PsExec is used to gain a remote shell or execute a PowerShell download cradle on a remote machine? When looking for lateral movement, we identify processes that connect remotely to a host.
To start a threat investigation, a playbook can conduct an initial search for known lateral movement activity. There is a wealth of information in the Windows security logs. The playbook can look for authentication events over the network from rare or unusual hosts or users.
Windows Event Codes
For example, in the Windows security log you would see one event code for a successful logon, another identifying it as a network logon, and another for privileges being assigned to that session. Each of these events means little by itself, but together they indicate a threat: someone has used an admin account to connect over the network from a particular host and gained command-line access to a victim host.
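The following is an added example, not from the original post and not a Splunk SOAR playbook: it runs the correlation just described over a handful of constructed Windows security events. The event IDs are the standard Windows ones for the events the text names (4624 successful logon, with logon type 3 marking a network logon; 4672 special privileges assigned to the new logon; 4688 new process created), although the post itself does not quote them. The events are joined on host and logon ID, which is what ties the privilege and process events back to the logon that created the session. It also implements the "rare or unusual host" idea from the previous paragraph by counting how often each user has previously logged on from each source host; the threshold, the sample records and the host names are assumptions.

```python
"""Correlate Windows security events into a lateral-movement alert.

Added example (not the original post's code, not a Splunk SOAR playbook).
Event IDs 4624/4672/4688 are the standard Windows ones; everything else here
(sample records, hosts, thresholds) is constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, simplified from the Windows security log.
SAMPLE_EVENTS = [
    # Normal daily activity: the admin logs on to FS01 from the jump host many times.
    *[{"time": f"2023-05-01T09:{m:02d}:00", "host": "FS01", "id": 4624, "logon_type": 3,
       "user": "CORP\\jdoe_adm", "src": "JUMP01", "logon_id": f"0x1{m:02x}"} for m in range(10)],
    # Suspicious chain: network logon from a workstation never seen for this user,
    # admin privileges assigned, then a shell spawned by the PsExec service.
    {"time": "2023-05-01T23:14:02", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe_adm", "src": "WKS-0342", "logon_id": "0x5a1"},
    {"time": "2023-05-01T23:14:02", "host": "FS01", "id": 4672,
     "user": "CORP\\jdoe_adm", "logon_id": "0x5a1"},
    {"time": "2023-05-01T23:14:05", "host": "FS01", "id": 4688,
     "user": "CORP\\jdoe_adm", "logon_id": "0x5a1",
     "process": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\PSEXESVC.exe"},
    # Console logon (type 2) followed by a shell: local admin work, not lateral movement.
    {"time": "2023-05-01T10:00:00", "host": "FS01", "id": 4624, "logon_type": 2,
     "user": "CORP\\jdoe_adm", "src": "-", "logon_id": "0x9c0"},
    {"time": "2023-05-01T10:00:03", "host": "FS01", "id": 4688,
     "user": "CORP\\jdoe_adm", "logon_id": "0x9c0",
     "process": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe"},
]

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
WINDOW = timedelta(minutes=5)
RARE_SOURCE_MAX = 2  # a (user, source host) pair seen this often or less is "rare"


def source_baseline(events):
    """Count how often each (user, source host) pair appears in network logons."""
    counts = Counter()
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            counts[(e["user"], e["src"])] += 1
    return counts


def find_lateral_movement(events, baseline=None):
    """Return alerts for network logons followed by privilege assignment and a shell.

    A hit needs a type-3 4624, a 4672 and a 4688 shell on the same host and
    logon ID within WINDOW. Severity is raised when the source host is rare
    for that user according to the baseline.
    """
    baseline = baseline if baseline is not None else source_baseline(events)
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["host"], e["logon_id"])].append(e)

    alerts = []
    for (host, logon_id), evs in sessions.items():
        logon = next((e for e in evs if e["id"] == 4624 and e.get("logon_type") == 3), None)
        if logon is None:
            continue  # only network logons count as remote access
        t0 = datetime.fromisoformat(logon["time"])
        in_window = [e for e in evs if t0 <= datetime.fromisoformat(e["time"]) <= t0 + WINDOW]
        privileged = any(e["id"] == 4672 for e in in_window)
        shells = [e for e in in_window
                  if e["id"] == 4688 and e["process"].lower().endswith(SHELLS)]
        if not (privileged and shells):
            continue
        rare = baseline[(logon["user"], logon["src"])] <= RARE_SOURCE_MAX
        alerts.append({"host": host, "user": logon["user"], "src": logon["src"],
                       "logon_id": logon_id, "parent": shells[0]["parent"],
                       "severity": "high" if rare else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

In production the baseline would come from days of history rather than the same batch of events, and the parent process (here PSEXESVC.exe) is worth surfacing in the alert because it tells the analyst which tool was used.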
Splunk SOAR’s visual playbook editor
Splunk SOAR comes with 100 pre-made playbooks, so you can start automating security tasks, including hunting for lateral movement, immediately. To simplify life, the Splunk SOAR visual playbook editor makes it easier to create, edit, implement, and scale automated playbooks and eliminate security analyst grunt work.
- SOAR Meaning: Splunk Intelligence Management (TruSTAR) Indicator Enrichment
Then there is Splunk Intelligence Management (TruSTAR) Indicator Enrichment. This playbook uses Splunk Intelligence Management's normalized indicator enrichment, captured in the notes of a container, so an analyst can view the details and choose subsequent actions directly from a single Splunk SOAR prompt for a manual response.
- SOAR Meaning: Crowdstrike Malware Triage
There is CrowdStrike Malware Triage. This playbook walks through the steps Splunk SOAR performs automatically to triage file hashes ingested from CrowdStrike and quarantine potentially infected devices.
- SOAR Meaning: Finding and Disabling Inactive Users on AWS
There are also playbooks specific to cloud environments, such as Finding and Disabling Inactive Users on AWS, which disables dormant IAM users that an attacker could otherwise pick up. Finally, Splunk SOAR's orchestration, automation, response, collaboration, and case management capabilities are also available from your mobile device.