In the rapidly evolving landscape of cybersecurity, the ability to swiftly and effectively respond to security alerts is paramount. Traditional manual processes for handling malware threats are often time-consuming and prone to human error, leading to delayed responses and potential security breaches. To address these challenges, integrating automated workflows that seamlessly connect various security tools has become essential.
The Challenge: Manual Security Alert Management
Security teams frequently encounter several hurdles when managing malware alerts:
– Manual Response to Alerts: Each alert from platforms like CrowdStrike requires individual attention, leading to inefficiencies.
– Alert Enrichment: Adding contextual information to alerts to assess their severity often involves time-consuming manual research.
– Device Owner Identification: Determining the owner of the affected device to coordinate remediation efforts can be cumbersome.
– Communication and Escalation: Notifying device owners and escalating critical issues to on-call teams typically involves multiple steps and tools.
These manual processes not only consume valuable time but also increase the risk of errors, potentially leaving organizations vulnerable to security threats.
The Solution: Automated Workflow Integration
To streamline the management of security alerts, Lucas Cantor at Intercom developed a comprehensive workflow using Tines, a workflow orchestration and AI platform. This solution integrates multiple tools to automate the entire process of ticket creation, device identification, and threat triage.
Key Components of the Workflow:
1. CrowdStrike: Serves as the endpoint detection and response (EDR) platform, generating security alerts.
2. Oomnitza: An IT asset management platform used to retrieve detailed information about the devices involved in the alerts.
3. GitHub: Functions as the repository for creating and managing tickets related to security incidents.
4. PagerDuty: Handles incident management by notifying on-call analysts of critical issues.
5. Slack: Facilitates communication with device owners and team members regarding security incidents.
Workflow Overview:
Part 1: Initial Alert Handling
– Alert Detection: The workflow begins by detecting new security alerts from CrowdStrike.
– Device Identification: It then identifies the specific device associated with the alert and retrieves its details from Oomnitza.
– Ticket Creation and Notification: A corresponding ticket is created in GitHub, and a notification is sent to a designated Slack channel.
– Owner Notification:
– Low Priority Alerts: If the alert is deemed low priority and the device has an assigned owner, a message is sent to the owner via Slack, requesting further action or escalation if necessary.
– High Priority Alerts: For high priority alerts, the workflow automatically creates an event in PagerDuty to notify the on-call analyst and informs the device owner of the ongoing issue.
Part 2: User Interaction and Escalation
– User Response Handling: The workflow monitors for responses from the device owner in Slack.
– Ticket Enrichment: Based on the owner’s response, the GitHub ticket is updated with additional information.
– Escalation: If the device owner escalates the issue, another event is created in PagerDuty to alert the on-call analyst for immediate attention.
Benefits of the Automated Workflow:
– Reduced Remediation Time: Automation significantly decreases the time required to respond to and resolve security alerts.
– Enhanced Communication: Device owners are promptly informed, ensuring they are aware of and can act on security issues affecting their devices.
– Clear Escalation Pathways: The workflow establishes defined procedures for escalating critical issues, ensuring they receive the necessary attention.
– Centralized Management: By integrating various tools into a cohesive workflow, security teams can manage incidents more effectively from a single platform.
Implementing the Workflow: Step-by-Step Guide
1. Accessing Tines:
– Log into your Tines account or create a new one if you haven’t already.
2. Importing the Pre-Built Workflow:
– Navigate to the Tines library and select the pre-built workflow developed by Lucas Cantor.
– Click on Import to add the workflow to your account.
3. Setting Up Credentials:
– Configure the necessary credentials for the integrated tools:
– CrowdStrike: Set up API access to retrieve security alerts.
– Oomnitza: Establish a connection to access device information.
– GitHub: Configure repository access for ticket creation.
– PagerDuty: Set up integration to manage incident notifications.
– Slack: Connect to the appropriate channels for communication.
4. Configuring Workflow Actions:
– Customize the workflow actions to align with your organization’s specific requirements, such as defining what constitutes a low or high priority alert.
5. Testing the Workflow:
– Conduct thorough testing to ensure the workflow operates as intended, accurately detecting alerts, identifying device owners, and facilitating communication and escalation.
6. Deployment:
– Once testing is complete and the workflow is validated, deploy it within your organization’s security operations to enhance alert management efficiency.
Conclusion
By automating the processes of ticket creation, device identification, and threat triage, security teams can significantly improve their response times and reduce the likelihood of human error. The integration of tools like Tines, CrowdStrike, Oomnitza, GitHub, PagerDuty, and Slack into a cohesive workflow enables a more efficient and effective approach to managing security alerts. Implementing such automation not only streamlines operations but also strengthens an organization’s overall security posture.
