Security Automation
In today's fast-paced digital landscape, ensuring robust security measures is paramount. Organizations increasingly turn to automation to bolster their security efforts as threats become more sophisticated. In this blog post, we will explore the world of security automation, its benefits, and how it can revolutionize how we safeguard our digital assets.
Security automation is utilizing technology to streamline and enhance security processes. It uses advanced algorithms, machine learning, and artificial intelligence to automate security tasks such as threat detection, incident response, and vulnerability management. By harnessing the power of automation, organizations can significantly reduce human errors, improve response times, and gain valuable insights into potential risks.
Table of Contents
Highlights: Security Automation
The Role of an Integrated Platform.
If you are only using scripting in the security automation world, it will only get you so far. Eventually, you will need a fully integrated platform with your security and network infrastructure. For secure automation, there are different types of platforms you can use. This post will address two different types.
Firstly, how Red Hat Tower can integrate and configure network and security devices—also, Splunk SOAR. The SOAR meaning is about abstracting complexity away with security-focused playbooks. This reduces repetitive work and the ability to respond to security events in a standardized way.
Platform Examples
Backing up configs and collecting logs is only a tiny part of automation. Red Hat Ansible Tower and Splunk SOAR have new ways to reach the most advanced use cases. For security automation, Splunk Security with Splunk SOAR has a security-focused application consisting of specially crafted playbooks for every security requirement.
For example, you can check the domain and file reputation or create your own. On the other hand, Red Hat Tower Ansible Architecture allows you to securely reach and support the most edge use cases with increased portability using execution environments and automation mesh. In addition, you can securely bring automation to the edge with a certain overlay functionality.
Related: For additional pre-information, you may find the following post helpful:
Security Automation |
|
Back to Basics: Security Automation
We can apply our knowledge of automation to different scenarios and workloads that revolve around security. For example, when tedious and everyday tasks are automated, individuals doing those tasks can focus on solving the security problems they are dealing with. This enables a whole new way of looking at how we learn about security, how much we can store, process, and analyze log data (DFIR), and how we can keep applying security updates without interruptions (security operations).
Understanding Security Automation
At its core, security automation involves using advanced technologies and intelligent systems to automate various security processes. It enables organizations to streamline security operations, detect real-time threats, and respond swiftly and effectively. From threat intelligence gathering to incident response and recovery, automation is pivotal in strengthening an organization’s security posture.
The Role of Automation | Security Automation Main Components Security Automation
|
♦ Key Benefits of Security Automation
a) Enhanced Threat Detection: By deploying intelligent monitoring systems, security automation can swiftly identify and respond to potential threats in real time. This proactive approach minimizes the risk of breaches and allows security teams to stay one step ahead of malicious actors.
b) Accelerated Incident Response: Manual incident response can be time-consuming and prone to delays. However, with security automation, incidents can be detected, analyzed, and remediated swiftly and accurately. Automated incident response workflows can help contain and mitigate security breaches before they escalate, reducing the impact on the organization.
c) Efficient Vulnerability Management: Identifying and patching vulnerabilities is critical to maintaining a secure infrastructure. Security automation tools can continuously scan networks, applications, and systems, providing organizations with real-time vulnerability assessments. This enables security teams to prioritize and address vulnerabilities promptly, reducing the window of opportunity for potential attackers.
Challenges and Implementation Considerations
While security automation offers numerous advantages, there are some considerations to consider. Organizations must carefully evaluate their existing security infrastructure, define clear objectives, and select the appropriate automation tools and technologies. Additionally, ensuring adequate training and collaboration between security teams and automation systems is essential to maximize the effectiveness of the automation process.
Continuous Adaptation and Updates
As cyber threats evolve, security automation solutions must stay up-to-date to counter new attack vectors effectively. Regular updates and continuous monitoring are necessary to ensure that automation systems are equipped to handle emerging threats.
Balancing Automation and Human Expertise
While automation brings numerous benefits, balancing automated security processes and human expertise is crucial. Human intervention is still essential for critical decision-making, advanced analysis, and addressing complex security challenges that may require contextual knowledge.
Security Automation: The World of Scripting
In the traditional world of security automation, it was common to use custom in-house automation frequently. As a result, we have a variety of self-driving scripting methods that solve specific short-term security problems. For example, for secure automation, you may need to collect logs from several devices for security. However, this is far from a scalable and sustainable long-term approach to an enterprise’s automation strategy.
With more self-maintained scripting tools and working in siloed, you are creating more security blind spots. With more point tools, you have to make more silos and potential security blind spots, which may trigger the adoption of more narrowly focused tools. The more tools you have, the less control over your environment that could easily open up the spread of lateral movements.
♦ The need for a security platform
For example, look at lateral movements in an Active Directory (AD) network. Lateral movements are a real problem, with some advances in lateral movement techniques being performed using Metasploit, Impact, and PurpleSharp. However, it can be hard to detect that this is a bad actor or a sys admin carrying out daily activities.
Once the bad actor stealthily navigates the network with lateral movements, they can compromise accounts, find valuable assets, and gradually exfiltrate data. All of which can be unnoticed with a below-the-radar style of attacks. A favored vector is to use DNS as a method to exfiltrate data. Therefore, DNS often needs to be checked.
SOAR meaning: A quick point.
In this case, you should integrate Splunk SOAR with User Behaviour Analytics (UBA) to detect deviations from the baseline. UBA works with unsupervised machine learning and builds profiles of entities on the network. Today’s attacks are distributed, and multiple entities are used to stage an attack.
An anomaly is sent once there is a significant deviation from normal entity behavior. Of course, an anomaly does not necessarily mean a threat. However, the anomaly can be combined with other network and infrastructure aspects to determine if a bad actor exists. So, for example, we would look at the time of day, frequency, or any other usual activity, such as privilege escalation techniques.
Video: SOAR and SIEM from Splunk
In this product demonstration, we are going to address Splunk Security. Specifically, we will look at the Splunk SIEM and Splunk SOAR. Both of these products are well integrated and abstract, and you have a lot of complexity with security. We will first look at today’s challenging landscape that security teams face.
And how you can use Splunk Products to overcome these challenges. In today’s infrastructure, we have a lot of tools spread around that are not well integrated, which will decrease your security posture.
Lack of Speed
Without integrated security tools with security automation and a lack of automated and orchestration processes. The manual response slows MTTR and increases the possibility of a successful threat. Bad actors can breach and exfiltrate data when the mean time to detect (MTTD) is too long.
So, the manual approach to detecting, triaging, and responding to threats must be faster. For example, Ransomware is quick; once the binaries are executed, it’s game over. It would help if you focused your efforts on the detection phase of the kill chain. And catch any lateral movements even when they pivot to valuable assets.
The Need for Security Automation
To address this challenge, you need a security solution that integrates its existing security products to reduce the response and remediation gap. In addition, these automation and orchestration events must be carried out across all its security vendors to consolidate response and remediation.
For secure automation, a unified and standard response to security can be made using pre-approved policies, consistently configuring resources according to pre-approved guidelines, and proactively maintaining them in a repeatable fashion.
Security-focused content collection
This provides a faster, more efficient, and streamlined way to automate the identification, triage, and response processes to security events. In addition, we can use security-focused content. In the case of Red Hat Tower, this comes in the form of collections of roles and modules dedicated to security teams.
Splunk SOAR also has secure-focused applications and content ready to use in the Splunk database. The pre-approved policies and playbooks of Ansible Tower and Splunk SOAR will reduce the chances of misconfiguration and speed up all aspects of security investigation.
Secure Automation and Orchestration
When a few waves of Malware target you, Phishing, Ransomware, and under-the-radar attacks, Automation and orchestration are the only ways to combat this, security automation does most of the work, so you no longer have to weed through and manually address every alert as it comes in or process every security action or task.
Level of automation maturity
For example, the level of automation you want to adopt depends on the maturity level of the automation you already have in our environments. If you are new to automation, you can have SOAR or Tower playbooks send an alert for further investigation. So, you can start with a semi-automated approach.
However, if you are further in your automation strategy, you can have different playbooks chained together to carry out a coherent security detection and response. It’s easy to do this in SOAR with a playbook visualizer, and Ansible Tower has workflow templates that can be used with role-based access control.
Red Hat Tower: How to Start
In most organizations, we have IT operations and a security team. These teams have traditionally disjoint roles and responsibilities. The IT Operations are hardening systems, managing the infrastructure, and deploying and maintaining systems. The security operations team would track ongoing threats, Intrusion Detection/Prevention, and perform firewall management activities.
Ansible has a common language.
With these two disjointed teams, we can use Ansible as the common automation language for everyone across your organization. Specifically, Red Hat Tower can be the common language between security tools and can be used for various security use cases that can bring the two teams together.
Red Hat Tower: Security Automation
Red Hat Tower can orchestrate security systems using a series of curated security collections of modules, roles, and playbooks to investigate and respond to threats using trusted content. This enables you to coordinate your enterprise security systems to perform several security duties, such as investigation enrichment, threat hunting, and incident response.
So, you can integrate Red Hat Tower with your security infrastructure here. And have pre-approved playbooks ready to run upon threat detection. So, for example, a playbook can be automatically triggered on the results of a security scan. The following lists some of the use cases for Ansible Tower playbooks.
Secure Automation: Security Patching
You could start with patching. Not patching your servers is one of the biggest causes of breaches. Automated patching boosts system security and stability, improving uptime. And this will be noticed straight away.
Secure Automation: System Hardening
Then, activities such as system hardening are something everyone can do for all systems. With automation, we can rapidly identify systems that require patches or reconfiguration. Then, it is easier to apply patches or change system settings consistently across a large number of systems according to defined baselines. For example, make changes to your SSH config.
Here, you can use automation to configure the SSH daemon, not to allow authentication using an empty password. You can run these playbooks in check mode so those that don’t require full automation rights can run checks safely. Again, I would combine this with role-based access control.
Secure Automation: Network Configuration
For network management, you can configure an ACL or filter to restrict ACL or filter management access to the device from only the management network. You can also use automation to lock down who has managed to access specific subnets.
Secure Automation: Firewall Integration
If an increase in incident management tickets is due to incorrect firewall rules causing an increase in change requests, aim to reduce the number of tickets or change requests through automation. For our Firewall integration, the role of automation can speed up policy and log configuration changes.
For example, we can add an allowlist entry in the firewall configuration to allow traffic from a particular machine to another.
We can automate a playbook that adds the source and destination IPs as variables. Then, when a source and destination object are defined, the actual access rule between those is defined.
Secure Automation: Intrusion Detection and Prevention Systems
Tower can simplify the rule and log management for your intrusion detection and prevention systems. Automation can be used to manage IDPS rules, and IDPS roles are offered. These roles can work with multiple IDPS providers, so the corresponding playbook needs to have a variable stating the actual IDPS provider.
Once the role is imported, and this is the first step, the new IDPS rule is handed over via defined variables:
Secure Automation: Privileged Access Management (PAM) Tools
Ansible Tower can streamline the rotation and management of privileged credentials to automate the prevention. So we can streamline credential management, which is hard to do manually.
Secure Automation: Endpoint Protection
Automation can simplify everyday endpoint management tasks, integrate into Endpoint Protection, and provide event-driven detection, quarantining, and remediation.
Advanced Red Hat Tower Features
Job Templates vs. Workflow Template
When creating a job template, we choose a job or workflow template. We choose the job template if we want to be able to develop simple employment out of this template. However, creating more complex jobs composed of multiple job templates, with flow control features between one position and the next, is possible with a workflow template. This workflow template can also be integrated into your CI/CD pipelines and Jenkins.
Security Benefits
This makes it easier to have playbooks that are job templates from different teams. This is used in large environments, so multiple job templates are connected. Then, complex interactions between jobs can be defined in a workflow before the next job starts, depending on the previous position. Any inventory and any credentials can be used. So, it brings a lot of flexibility to automation.
In its multi-playbook workflows, the user can create pipelines of playbooks to be executed in sequence on any inventory using one or more users’ credentials. Security teams can configure a series of jobs that share inventory, playbooks, or permissions to automate investigations or remediations fully, bringing a lot of consistency and security benefits.
Ansible Tower and Scheduling
With Ansible Tower, we have Templates with the Launch feature; think of this as an ad hoc way to run Ansible for one of the tasks. However, if you are using Tower, you should use Schedules to control your automation better. For example, you may have a maintenance window when you apply changes. Here, we can set the times and frequency of playbook runs.
Scheduling this playbook in Tower will automatically refresh systems significantly out of spec, including calling back into Tower to apply our basic configuration once new instances are spun up with the provisioning callback feature. I find this useful for dynamic cloud environments.
Video: Ansible Tower For Beginners
In this product demonstration, we will review the critical components of Ansible Tower and its functionality. Ansible Tower is a considerable step up from the Ansible CLI you may have used with Ansible Core.
We will discuss the autonomy of an automaton job that shares similar objects when using the CLI but has considerable differences, such as Job Templates, better Credentials management, and inventory that you may have encountered with Ansible CLI and Ansible Tower Projects.
GitHub for Playbooks
GitHub is all about version control, so multiple people can work on different types of code and review and merge changes. So, it’s all about managing change in your other environments. So when Red Hat Tower runs the playbooks, it checks the URL specified in your playbooks, and it’s here we can have multiple options that can enhance your GitHub integrations, such as webhooks and personal access tokens.
Benefits: Removes Inconsistency of Playbooks
This is an important feature to enable as if you don’t have it checked; there is the possibility that someone notices a problem in a playbook and fixes it, then they run the playbook feeling sure that they are running the latest version. Someone must remember to run the synchronization task before running the playbook, effectively running the older version. Therefore, when using this option, we are removing the inconsistency of playbooks. So, increasing your security posture is very important. A lot of security breaches first start with a simple misconfiguration.
SOAR for Automation: SOAR Meaning
SOAR Meaning
The difference between that attack being a routine annoyance versus a catastrophic event comes down to the robustness of a product and the technologies you choose to adopt. Splunk has several products that can help you here—ranging from the Splunk SIEM to the Splunk SOAR. There are also several Observability products, all of which are well-integrated and can assist you with security automation.
Customers can solve their primary SIEM use cases using Splunk Enterprise and Splunk Cloud, core Splunk platforms that provide collection, indexing, search, and reporting capabilities. So, the Splunk SIEM collects or ingests the machine data and can make this available to the Splunk SOAR.
Splunk SOAR Meaning
Splunk SOAR drives accuracy and consistency in the incident response process. With SOAR, workflows can be orchestrated via integrations with other technologies and automated to achieve desired outcomes. Utilizing automation with Splunk SOAR can dramatically reduce the time to investigate malware alerts, driving accuracy and consistency across its incident response processes.
SOAR and Phantom
SOAR is the rebranding of Phantom but has multi-deployment options. Phantom was just on-premise, but now we have both on-premise and on-cloud delivery. Consider SOAR as a layer of connective tissue for all security operations.
So, it needs to automate the decision-making and acting. SOAR can take proceeds and take them into playbooks so we can create complex security operation workflows.
So we have an extensive collection of security-focused SOAR applications that interact with the API of existing security and network infrastructure, such as your Firewalls, to support activities such as containment and recovery. We’ll talk about these in just a moment.
Automation Broker
We have an Automation Broker, a modified version of Splunk SOAR with reduced features, so it’s a reverse proxy for automation actions. The Automation Broker is a docker container that uses an encrypted and outbound connection from Splunk Cloud SOAR to the customer premises. It would help to open inbound ports to the perimeter firewall, as the communication is set outbound on the firewalls.
SOAR Meaning: Security-Focused Playbooks
Instead of manually going into other security tools and injecting data, enrich logs and carry out actions such as blocking or manual analysis intervention. SOAR playbooks can be used. You can have several security-focused playbooks that automatically carry out the tasks. The SOAR playbook can automate many repetitive duties. For example, you no longer have to respond manually to repetitive incidents. For example, you can have Splunk SOAR respond to malicious emails with playbooks.
Actions based on the Playbooks
Then, we could have a list of actions based on playbook results. This could include additional investigation tasks or notifying users. Finally, when you want to push the boundaries of automation, we could have several steps to isolate or quarantine hosts depending on the results of the previous playbooks, which would be integrated with multi-factor authentication to ensure the action is appropriately authorized.
Additionally, over 800 other security-related apps on Splunkbase with pre-built searches, reports, and visualizations for specific third-party security vendors. These ready-to-use apps and add-ons help monitor security, a next-generation firewall, and advanced threat management capabilities. You can even build your custom application, from monitoring and Observability to improving safety.
SOAR Meaning: SOAR Apps
So you are using many tools from many vendors, and when you respond, each one of these tools does a different event, and each tool does another function. Splunk integrates with all devices with API, and SOAR can directly integrate all tools to act in a specific sequence.
So it can coordinate all security actions. With SOAR, you don’t get rid of your existing tools; instead, SOAR can sit between them and abstract a lot of complexity.
Think of Splunk as the conductor that supports over 350 apps. They have tools to build apps; you can create your own if it has an API. In addition, it can perform over 2000 actions. SOAR apps are Python modules that collect events from anything, SIEM, and then normalize the information and make them available to playbooks.
SOAR Meaning: Example: SOAR playbooks
So, we have a network-based sandbox to detect malware that can enter via email. So, an Alert is received from SIEM, sent to SOAR, and triggers a playbook. SOAR communicates back to SIEM to query Active Directory to identify who is there and which department, and based on that, SOAR can query Carbon Black to see how the threat lives.
Finally, the SOAR can notify an analyst to intervene and double-check the results manually. This could take 30 mins by hand, but SOAR can do it in 30 seconds.
Let’s look at another SOAR playbook in action. A Splunk SOAR playbook is triggered when an email malware alert is received. Due to the lack of context in these alerts, Splunk SOAR’s first order within the playbook is to query the security information and event management (SIEM) solution for all recipients, then Active Directory to collect context from all affected users’ profiles, business groups, titles, and locations.
- A key point: SOAR means with workbooks and phases
Another name for a playbook is the SOAR workbook. Each workbook can have several phases, and each phase can have tasks to carry out our security actions. In this scenario, there will be one phase. And several playbooks in a single step. Some playbooks can be triggered automatically, and some are invoked manually.
Then, some are being gathered manually but will have prompts for additional information. These tasks will be semi-automatic because they can automatically import data for you and enrich events. Furthermore, they can import this data and enhance events from several platforms.
Splunk and Lateral Movements
You can have playbooks to hunt for lateral movements. There are many ways to move laterally in active directory networks. For example, Psexec is a sysadmin tool that allows admins to connect to other machines and perform admin tasks remotely. However, what if psexec is used to gain a remote shell or execute a PowerShell cradle on a remote device? When looking for lateral movement, we identify processes connecting remotely to a host.
To start a threat investigation, we could have a playbook to conduct an initial search for a known lateral movement activity. There is a wealth of information in Windows security logs. The playbook can look for authentication events over the network from rare or unusual hosts or users.
Event Window Code
For example, in a Windows event log, you would see a Windows event code for successful login, another log for a network connection, and another for privilege escalation events. Each event doesn’t mean much by itself but indicates a threat together. For example, here you can see that someone has used an admin account to connect over the network from a particular host and gained command-line access to a victim host.
Splunk SOAR’s visual playbook editor
Splunk SOAR comes with 100 pre-made playbooks, so you can start automating security tasks immediately and hunt for lateral movements. To simplify life, we have a Splunk SOAR visual playbook editor that makes creating, editing, implementing, and scaling automated playbooks easier to help your business eliminate security analyst grunt work.
SOAR Meaning: Splunk Intelligence Management (TruSTAR) Indicator Enrichment
Then, we have a Splunk Intelligence Management (TruSTAR) Indicator Enrichment. This playbook uses Splunk Intelligence Management normalized indicator enrichment, which is captured within the notes of a container, for an analyst to view details and specify subsequent actions directly within a single Splunk SOAR prompt for a manual response.
SOAR Meaning: Crowdstrike Malware Triage
There is a Cowdstrike Malware Triage. This playbook walks through the steps performed automatically by Splunk SOAR to triage file hashes ingested from Crowdstrike and quarantine potentially infected devices.
SOAR Meaning: Finding and Disabling Inactive Users on AWS Splunk SOAR’s
Then, there are playbooks specific to cloud environments. Finding and Disabling Inactive Users on AWS Splunk SOAR’s orchestration, automation, response, collaboration, and case management capabilities are available from your mobile device.
Summary: Security Automation
In today’s rapidly evolving digital landscape, ensuring the security of our online presence has become paramount. With the ever-increasing number of cyber threats, organizations and individuals alike are seeking efficient and effective ways to protect their sensitive information. This is where security automation steps in, revolutionizing the way we defend ourselves from potential breaches and attacks. In this blog post, we explored the concept of security automation, its benefits, and how it can fortify your digital world.
Section 1: Understanding Security Automation
Security automation refers to the process of automating security-related tasks and operations, reducing the need for manual intervention. It involves utilizing advanced technologies, such as artificial intelligence and machine learning, to streamline security processes, detect vulnerabilities, and respond to potential threats in real-time.
Section 2: Benefits of Security Automation
2.1 Enhanced Threat Detection and Response:
By leveraging automation, security systems can continuously monitor networks, applications, and user behavior, instantly detecting any suspicious activities. Automated threat response mechanisms allow for swift actions, minimizing the potential damage caused by cyber attacks.
2.2 Time and Cost Efficiency:
Automation eliminates the need for manual security tasks, freeing up valuable time for security teams to focus on more critical issues. Additionally, by reducing human intervention, organizations can achieve significant cost savings in terms of personnel and resources.
Section 3: Strengthening Security Measures
3.1 Proactive Vulnerability Management:
Security automation enables organizations to proactively identify and address vulnerabilities before they can be exploited by malicious actors. Automated vulnerability scanning, patch management, and configuration checks help maintain a robust security posture.
3.2 Continuous Compliance Monitoring:
Compliance with industry standards and regulations is crucial for organizations. Security automation can ensure continuous compliance by automating the monitoring and reporting of security controls, reducing the risk of non-compliance penalties.
Section 4: Integration and Scalability
4.1 Seamless Integration with Existing Systems:
Modern security automation solutions are designed to seamlessly integrate with a variety of existing security tools and systems. This allows organizations to build a comprehensive security ecosystem that works harmoniously to protect their digital assets.
4.2 Scalability for Growing Demands:
As organizations expand their digital footprint, the security landscape becomes more complex. Security automation provides the scalability required to handle growing demands efficiently, ensuring that security measures keep pace with rapid business growth.
Conclusion:
Security automation is a game-changer in the world of cybersecurity. By harnessing the power of automation, organizations can bolster their defenses, detect threats in real-time, and respond swiftly to potential breaches. The benefits of security automation extend beyond cost and time savings, providing a proactive and scalable approach to safeguarding our digital world.
