SOC Automation Playbook

Your security team's practical guide to implementing automation.

Introduction

What is SOC Automation?

Whether your security team consists of a pair of IT managers sharing a corner office or a distributed Security Operations Center (SOC) spanning the globe, efficiency is the key to a successful threat detection and response program. SOC automation—the process of automating and optimizing your security programs—is the ultimate efficiency.

The best solution to industry-wide struggles with threat detection and response is to increase efficiency using Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms.

  • SIEM platforms - Centralize, correlate, and analyze data across the IT network to detect security issues. Core functionality of a SIEM includes log management and centralization, security event detection and reporting, and search capabilities. This combination helps companies meet compliance needs and identify and contain attackers faster.
  • SOAR platforms - Streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation. Automation allows for automatic handling of processes such as scanning for vulnerabilities, or searching for logs. Security orchestration refers to a method of connecting security tools and integrating disparate security systems.

Why Do SOCs Need Automation?

Not only does SOC automation improve your security posture, it improves the job of a security analyst. It enables security analysts to achieve more, in less time, while still allowing for human decision-making when it’s most critical. Rather than relying on point-to-point integrations for your technology stack, SOC automation empowers you to build out your various processes, as well as connects you with the right people and technology to achieve your security goals. SOC automation is a thoroughly comprehensive solution that offers a reprieve from pain points that plague modern security teams.

For example, the IT ecosystem that security professionals must monitor and respond to grows more complex and sophisticated each day. Today’s security teams are monitoring hundreds of applications, multiple clouds, on-premises assets, and remote endpoints. That’s a lot of data. And with more data comes more alerts. Analysts are drowning in unmanageable, often false-positive, alerts. DarkReading has found that 40% of organizations can’t act on at least a quarter of their security alerts.

And for most organizations, the solution isn’t as simple as hiring another analyst; just look at the 3.5 million unfilled cybersecurity positions around the world. The cyber world is a buyer’s market, and that’s not changing anytime soon. So it’s no surprise that investigations are taking way too long. A recent Ponemon study found that it takes 206 days on average to identify a data breach post-attack and another 73 days to remediate the incident. While attacks happen in minutes, a typical response will take your team months.

In short, security teams are under-resourced and over-leveraged, while threats continue to grow exponentially and become more sophisticated every day. With a SOAR platform you are more easily able to learn from the idiosyncrasies of your organization’s environment, continuously amassing knowledge about how to best detect and respond to future cyber threats.

What are the Market Drivers Behind SOC Automation?

More and more security teams are leveraging automation solutions to eliminate redundant and manual processes, expedite response, and accelerate operations. Gartner predicted in 2019 that by year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations (up from less than 5% today). In 2020 they fleshed out this forecast, predicting that such an appetite will result in the overall SOAR market hitting $550 Million USD by 2023—a compound annual growth rate of 14.9%.

This may have something to do with the ROI of automation—which is significant. Rapid7 has found that automation, when compared to manual processes, can reduce the time and cost of security analysis & response by 83%. This number might shift based on a specific organization’s needs, but that calculation illustrates how a SOC can offload a good chunk of their workload, enabling analysts to be much more efficient, freeing them up to do what they are actually paid for.

How Should Teams Leverage SOC Automation?

Security teams can automate tasks as simple as looking up an internal hostname or IP address, just to assign it a name or other classification. Alternatively, teams who are farther along their automation journey can orchestrate massively complex workflows, involving multiple teams and decision points. In between, most teams find it helpful to focus on automating, integrating, and simplifying the tasks, tools, and processes they use every day. Below, you can find some workflows that can help you get up and running with automation, as well as examples of some more complex use cases that you might consider when your security team has established itself as automation aficionados.

Alert Enrichment
Today’s security teams are receiving an average of 12,000 security alerts per day. Bouncing between tools when SIEM alerts roll in every day is mind-numbing work that disguises the value of Tier 1 cyber analysts. Orchestration and automation solutions can help you accelerate detection by enriching the quality of the security alerts you receive and automatically weeding out many false positives.

Automatically enrich your security alerts with important information, such as geo-IP lookups, domain analysis, malware detonation, and more. Orchestrate your favorite threat intelligence platforms, or use a variety of free and open source tools to ensure your team is equipped with the context they need to take action. This will give your team more time and greater context to tackle actual threats.

Key outcomes of alert enrichment include:

  • Enrich alerts with intel on threat indicators such as hashes, IPs, domains, and more
  • Several threat intel sources can be “daisy-chained” without needing to copy and paste indicators into multiple websites or the command line
  • You can save time and enjoy enriched context by automating end-to-end analysis & remediation

Technologies: WhoIs, VirusTotal, Recorded Future, Anomali, Cisco Umbrella, Team Cymru, Threat Quotient

Existing Workflows: OSINT & Recorded Future
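The daisy-chained enrichment described above, as an added illustration that is not Rapid7 code and uses no real feeds: indicators are pulled out of a constructed alert, each stand-in intel source can add indicators for the next one (a domain resolution feeding an IP reputation check), and the result is a triage verdict that escalates known-bad indicators and suppresses alerts whose indicators are all known-benign. The alert payload, intel tables and verdict names are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample alert standing in for a SIEM alert payload (not real data).
SAMPLE_ALERT = {
    "id": "ALERT-0001",
    "message": "Outbound connection from 10.0.0.8 to updates.example.net; "
               "dropped file sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed local intel tables standing in for feeds such as WhoIs or VirusTotal.
DOMAIN_TO_IP = {"updates.example.net": "203.0.113.45"}
KNOWN_BAD_IPS = {"203.0.113.45": "listed as C2 infrastructure"}
BENIGN_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "empty file"}

# RFC 1918 ranges: addresses here are the organization's own assets, not indicators to look up.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}

def extract_indicators(text: str) -> dict:
    """Pull hashes, domains and non-internal IPs out of a free-text alert field."""
    found = {kind: set(p.findall(text)) for kind, p in IOC_PATTERNS.items()}
    found["ip"] = {ip for ip in found["ip"]
                   if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)}
    return found

# Each source reads the shared enrichment dict and may add indicators for later
# sources; that is what lets them be daisy-chained, so the order of CHAIN matters.
def resolve_domains(enrich: dict) -> None:
    for domain in list(enrich["domain"]):
        ip = DOMAIN_TO_IP.get(domain)
        if ip:
            enrich["ip"].add(ip)
            enrich["notes"].append(f"{domain} resolves to {ip}")

def ip_reputation(enrich: dict) -> None:
    for ip in enrich["ip"]:
        if ip in KNOWN_BAD_IPS:
            enrich["bad"].append((ip, KNOWN_BAD_IPS[ip]))

def hash_reputation(enrich: dict) -> None:
    for digest in enrich["sha256"]:
        if digest in BENIGN_HASHES:
            enrich["benign"].append((digest, BENIGN_HASHES[digest]))

CHAIN = [resolve_domains, ip_reputation, hash_reputation]

def enrich_alert(alert: dict, chain=CHAIN) -> dict:
    """Run the alert through the chain and attach a triage verdict."""
    enrich = extract_indicators(alert["message"])
    enrich.update(notes=[], bad=[], benign=[])
    for source in chain:
        source(enrich)
    total = sum(len(enrich[kind]) for kind in IOC_PATTERNS)
    if enrich["bad"]:
        verdict = "escalate"   # at least one indicator is known-bad
    elif total and len(enrich["benign"]) == total:
        verdict = "suppress"   # every indicator is known-benign: likely false positive
    else:
        verdict = "review"     # unknown indicators remain for an analyst
    return {"id": alert["id"], "verdict": verdict, **enrich}
```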

Distributed Alerting and Custom Escalation Pathways

When it comes to KPIs, time is paramount. Teams are always striving to reduce the time between security alert generation and resolution down to a theoretical null. A Distributed Alerting strategy avoids alert fatigue and staffing issues in the SOC by immediately surfacing each alert in the Slack instance of the person whose activity generated it. When this is augmented with multi-factor authentication (MFA), analysts spend less time dealing with multiple alerts and more time triaging true positives, thanks to a better signal-to-noise ratio.

Distributed alerting streamlines business operations, resulting in more collaboration and efficiency. For example, you can trigger actions to push alerts, incident notifications, comments, and other data to solutions like JIRA or Slack. Automation can also deliver alerts that come in from your security tools straight into your chat applications, as well as delegate tasks back to other connected tools. Such integrations allow your team to maintain maximum uptime without having to be physically present in the SOC to keep your organization safe. In short, distributed alerting allows you to:

  • Work out of your ChatOps solutions and prevent the need to jump into dozens of tools
  • Sync your automated activities with your organization’s ITSM or Case Management tools
  • Build custom alert pathways and notifications with your comms stack

Technologies: MS Teams, Slack, Jira, SNOW, PagerDuty, SMTP, Duo Auth, Okta Auth

Existing Workflows: Malicious Hash Remediation with CB Response, Suspicious User Login with IDR and Slack Chatops

User Containment

Compromised user credentials are a common thread among security incidents and breaches—across both organizations and threat actors. User containment workflows help you disrupt the attacker’s kill chain by preventing them from using compromised user credentials for infiltration and lateral movement. Some highlights of such a use case include:

  • Organizations can take low-risk actions immediately such as password reset to drop mean-time-to-response (MTTR)
  • Analysts can enjoy direct access to a “kill switch” to block all access points from a compromised user
  • Users & their managers can be directly looped into security processes, so that all employees share responsibility for remediation and recovery

Technologies: Active Directory/LDAP, Azure AD, AWS IAM, Okta, Duo, Office 365

Existing Workflows: User Containment

Endpoint Containment

Endpoint containment is a key strategy for endpoint threat detection and response. With automation, you can quickly quarantine a threat by disconnecting a vulnerable endpoint from your network—as soon as a critical alert is generated. Endpoint containment empowers your team to:

  • Query endpoint logs and identify suspicious process start/stop times and parents
  • Run AV scans to remediate by removing malware and malicious artifacts
  • Ban hashes locally and globally to prevent known malware from running

Technologies: Cylance, Symantec, Crowdstrike, SentinelOne, VMWare, Cb EDR, Trend Micro

Existing Workflows: Asset Quarantine and Blacklist Hash

Firewall Containment

Firewall technologies are essential to an organization’s security posture, but are often a pain to manipulate manually. Automatic configuration changes, as well as ChatOps workflows that allow teams to protect against threats without leaving Slack or Microsoft Teams, are a game-changer.

Firewall Containment can empower your security operations team to:

  • Check the block status of a specific host or IP
  • Pull down existing firewall policies and modify them at will to block malicious IPs and hosts
  • Leverage next-gen firewall technologies to block malicious URLs identified through phishing investigations

Technologies: Fortinet Fortigate, Palo Alto Panorama, Checkpoint NGFW, Sonicwall, Cisco ASA [Coming Soon], Cisco Sourcefire [Coming Soon]

Existing Workflows: Firewall Blocks

Threat Hunting

Threat hunting is time consuming and demands a highly technical skill set that most organizations, for better or worse, have to consider a luxury. According to a recent SANS Institute study, only 31% of organizations have staff dedicated to hunting threats. But being proactive in this area can enable your analysts to better uncover and defend against complex advanced persistent threats (APTs)—which are almost guaranteed to succeed and can allow hackers to wreak widespread havoc. Automation lowers the barrier to threat-hunting as well as bolsters your team’s ability to compete with today’s most-capable adversaries.

Rapid7’s platforms allow you to:

  • Operationalize disparate data sets: Hunting is not just time-intensive; it’s also unbounded. The more data sets you are able to analyze, the more thorough your proactive search for compromise will be. Add additional tools to your data set without adding substantial time to your hunt cycle.
  • Automate repeatable tasks: Automating ongoing tasks, such as recurring scans, means your team will have more time to do what they do best: find and thwart the bad guys. Bring team members into this process strategically for maximum efficiency.
  • Notify and respond faster: Create and kick off designated response workflows based on the type of threat you’ve discovered. This ensures that you follow proper protocol, your stakeholders are notified as quickly as possible, and that everyone works from the same set of data. In short, a complete end-to-end investigation.

Technologies: Splunk

Existing Workflows: Splunk App SSH Alert IP Enrichment

Malware Analysis and Containment

Security teams are bogged down by an overabundance of ransomware, viruses, spyware, and more. Automating the investigation and containment of malware gets the job done before it does significant damage to your network. Here are some key features of this workflow:

  • Identify malicious activity: It’s important to know how to spot and stop malware in a timely manner to reduce the spread of infection. Automate these processes to identify indicators like misspelled process names or abnormal log activity.
  • Investigate the threat: When malware is detected, you can leverage workflows to analyze it using plugins from today’s leading malware analysis solutions as well as common sandbox tools, such as Cuckoo. This means you can investigate malicious files in a safe space, before they get into your network.
  • Containment and removal: All malware will require some type of containment/removal action. You can leverage automation to identify the affected users and assets, leaving decision points for security practitioners to remove the necessary user accounts, isolate the malware, or disconnect machines from the network.

Technologies: VirusTotal, Hybrid Analysis, Cuckoo, Palo Alto Wildfire, VMRay, Cortex, JIRA
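The "misspelled process names" indicator from the malware workflow above, combined with the process/parent lookup from the endpoint containment section, as an added example that is not Rapid7 code: constructed process-start events are parsed, and a process name is flagged when it equals a well-known Windows system binary after undoing digit-for-letter substitutions, or when it sits within a small edit distance of one. The event format, the system-process list and the thresholds are assumptions for the example.

```python
import re
from typing import Optional

# Constructed process-start events, standing in for EDR or Windows event log lines.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:01Z host=ws01 ProcessStart name=svchost.exe parent=services.exe",
    "2024-03-01T09:00:07Z host=ws01 ProcessStart name=svch0st.exe parent=winword.exe",
    "2024-03-01T09:01:15Z host=ws02 ProcessStart name=lsasss.exe parent=cmd.exe",
    "2024-03-01T09:02:30Z host=ws02 ProcessStart name=chrome.exe parent=explorer.exe",
    "2024-03-01T09:03:42Z host=ws03 ProcessStart name=scvhost.exe parent=powershell.exe",
]

# Well-known Windows system binaries that malware commonly imitates (assumed list).
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                    "services.exe", "winlogon.exe"}

# Digit-for-letter substitutions that make a name look legitimate at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) ProcessStart "
                      r"name=(?P<name>\S+) parent=(?P<parent>\S+)$")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance in the standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_name(name: str) -> Optional[str]:
    """Return a reason if the name imitates a system process, else None."""
    lowered = name.lower()
    if lowered in SYSTEM_PROCESSES:
        return None                      # the genuine binary name is not suspicious by itself
    normalized = lowered.translate(HOMOGLYPHS)
    if normalized in SYSTEM_PROCESSES:
        return f"homoglyph of {normalized}"
    for legit in sorted(SYSTEM_PROCESSES):   # sorted so the first match is deterministic
        if edit_distance(lowered, legit) <= 2:
            return f"near-miss of {legit}"
    return None

def find_lookalikes(events: list) -> list:
    """Parse each event and collect those whose process name imitates a system binary."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue                     # not a process-start event in the expected shape
        reason = classify_name(m["name"])
        if reason:
            # Keep host and parent so an analyst can pivot straight to containment.
            findings.append({**m.groupdict(), "reason": reason})
    return findings
```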

Buyer’s Guide

Who Should be Thinking about Automation?

Effectively leveraging SIEM and SOAR solutions starts with understanding the day-to-day problems your team faces. Any SOC that can pinpoint the pain points in their established workflows—and is willing and able to address them—should consider an automation solution. Believe it or not, organizations of all sizes and from countless industries can see improvements to both their efficacy and efficiency with SOAR + SIEM. Over 8,500 customers rely on Rapid7’s platforms such as InsightConnect and InsightIDR to improve security outcomes and securely advance their organizations.

Not surprisingly, InsightConnect offers a growing library of over 300 integrations. We recognize Insight products are far from the only tools in your team’s tech stack, after all. The specific technologies your team relies on may be as diverse as our customer base. That’s why any and all of these can be swapped out or “daisy-chained” together based on your team’s needs—no coding required. That means many different needs can be met for many kinds of organizations, with relative ease. That’s a lot of upside.

When is the Right Time to Think about Automation?

Automation is a journey, not a destination. It’s important to remember that SOAR + SIEM require some customization and regular maintenance. They will make your job easier and your organization safer, but your team must have the will, bandwidth, and appetite to make some adjustments as well as regularly monitor a new framework.

Furthermore, every SOC has a unique set of needs and resources, as well as their own special risk tolerance. The learning curve that’s inherent to any SaaS could lead to some inconvenience, or even disruption. Kinks will be sorted out, insights will inspire new ideas, and easy wins will lead to more complex workflows. This is why it’s critical to establish an incremental plan for your team’s automation journey. Start small and win big!

Finally, as with any transition, your whole team needs to be all in on this adventure—all stakeholders should understand your goals, so that everyone can reap the rewards. It’s probably not difficult to illustrate to your team how certain processes could be more efficient, but if anyone needs more convincing, just remind them that Rapid7 is here for you. You won’t ever feel alone. Whether you need to sketch out your first workflow or sort out a complex challenge, we’re your partners on your automation journey.

How Does Rapid7 Support SOC Automation?

Rapid7 offers two key solutions as part of its InsightCloud platform to support SOC Automation:

  • Rapid7’s threat-focused Security Information and Event Management (SIEM) platform, InsightIDR, addresses all of the major pain points listed earlier -- visibility, alert fatigue, and response time. It unifies diverse data sets across modern environments, and turns that data into insights, resulting in early and reliable detection and analytics. InsightIDR includes built-in automation workflows for containment, such as quarantining assets and disabling users; ticketing integrations for streamlined incident response processes between teams; and investigation enrichment.

  • InsightConnect, Rapid7’s Security Orchestration, Automation and Response (SOAR) solution, accelerates and streamlines time-intensive processes for security teams -- no code needed. This frees up analysts to tackle other challenges, while still leveraging their expertise when it’s most critical. It’s a centralized hub within your security program, connecting your teams and tools, so that you can go from overwhelmed to operating at maximum efficiency in no time.

The bottom line is that together, Rapid7’s SOAR and SIEM platforms improve visibility, reduce alert fatigue, automate containment, and improve investigation handling -- a complete solution for the needs of a modern security operations team.

Case Studies

Hilltop Holdings

Hilltop Holdings, a mid-sized financial services holding company, is a great example of an automation success story. They have subscribed to InsightIDR specifically for log collection, because they realized that user behavioral analytics was no longer just nice-to-have—it became a requirement. They next signed onto InsightConnect to automate, for example, the phishing email triage process.

In a Q&A with Rapid7 from 2020, Hilltop’s Director of Security Operations, Andrew Edwards, remarked on the value that the combination of InsightConnect and InsightIDR holds. “In a space like security operations, it’s incredibly valuable to have that single pane of glass,” he shared. “You waste time trying to navigate multiple platforms in order to administer or respond to threats or gain insight into what’s going on within the environment. It reduces your time to respond, and it reduces your time to detect or contain. And all of those solutions integrate into each other so that you can see a more holistic view of what’s going on if you’re using a single platform.”

According to Edwards, Hilltop’s team has reduced the amount of time spent on phishing triage from 77 hours a week to 3 minutes! “The only time we spend is digesting the data that has come out of the reporting solution in order to make a determination on whether it’s malicious spam or legitimate,” he recalled, illustrating how his team’s expertise is not only still essential to Hilltop’s security, but put to much better use.

But Hilltop isn’t stopping there. “I would like to leverage InsightConnect in the future to integrate or bridge the gap in between our firewalls and our detection solution, or our monitoring solution, or our endpoint security solution, to be able to share threat intelligence and IoCs across multiple platforms,” remarked Edwards.

Hillwood Development

Hillwood Development is a commercial real estate firm that develops and acquires premier industrial properties across North America and Europe. They have used InsightConnect and InsightIDR to make their security operations more fluid, as part of a broader effort to achieve integration, automation, and orchestration.

Like Hilltop, Hillwood is very happy with the ability of Rapid7’s platforms to integrate and simplify diverse technologies. “InsightIDR does a great job of taking the logs from our other solutions to not only ingest them but alert them or utilize the data for user behavior analytics,” Tony Hamil, a Senior Cybersecurity Engineer for Hilltop, explained in another blog post. “This has allowed us to use InsightIDR as our source of truth for alerts, data, and user activity so we can quickly figure out what’s going on. And now that InsightConnect integrates with InsightIDR, I can see whether a user has done lateral movement and can disable them or kick them off the network, giving us more capabilities on the same platform without the need to jump through multiple platforms.”

One of Hillwood’s greatest achievements with InsightConnect addresses one of their biggest challenges -- user and asset management. “When employees join or leave our company, we needed to onboard and offboard them from an IT and security perspective,” Edwards indicated. With InsightConnect, that entire process has been automated at Hillwood -- everything happens seamlessly.

“Our success is determined by if we lost any data, revenue, or reputation. If that hasn’t happened, I consider that a success,” concluded Edwards. “And since we have Rapid7’s products, these issues are usually stopped or blocked before anything malicious happens.”

More Info