Automating security processes and workflows can help teams lower Mean Time To Resolution (MTTR), maintain or strengthen an organization’s security posture, and drive operational efficiency. Sounds pretty good, right?
In our recent Cloud Security Use Cases Playbook, we took a look at the key operational processes that all teams should have in place and some of the ways they can continually optimize those processes over time. Today, let’s take a look at how automation can provide ongoing, deep visibility and supercharge your security operations, all while saving you time and resources.
Areas Ripe for Automation
At Threat Stack, we advise organizations to: Automate Everything. The fewer moving pieces humans touch, the fewer opportunities there are for things to get messed up. Of course, automating “everything” is a huge task, so you’ll want to bite off a few specific areas to get started. Then, set up a plan for slowly but surely automating everything you can.
Here are five examples of areas within your environment that are perfect candidates for early automation from a security point of view.
1. Alert Severity Levels
Security tools should be used to prioritize alerts into high, medium, or low severity. That way, instead of being bombarded with alerts and risking the possibility of alert fatigue, humans can take appropriate and timely action according to priority.
For example, SecOps teams need to know if unauthorized packages are introduced into production environments. Good operations teams are careful to install and maintain packages in the golden AMI that developers instantiate in production. But any unauthorized installs can increase the attack surface of production environments.
To avoid this, your security tools should be set up to automatically generate medium severity alerts on any unauthorized package installs in production. You can then review them each business day, and take action as necessary. It’s possible someone simply forgot to get the right authorization ahead of time, but it could also be a sign of an attempted attack.
Lower severity alerts should be reviewed weekly. High severity alerts should be reviewed by someone pretty much as soon as they come in.
2. User Provisioning and Deprovisioning
Per security best practices, users should never be added to or removed from workloads directly on production systems. Why? In a continuous development infrastructure, developers and operations personnel should never directly interact with a system as in manually adding or removing users. It simply introduces too much opportunity for human error.
Instead, you should add or delete users from workloads during deployment using automated tools. This is good low-hanging fruit for automation.
3. Troubleshooting and Enumeration Tools
Troubleshooting and enumeration tools are another area where security should be automated.
Did you know that security tools like tcpdump, netcat, and wireshark are often used by exploits for data exfiltration? Talk about biting the hand that feeds you! For this reason, these tools should never be used in production as part of generic tooling.
To combat this and similar problems, your security solution should automatically monitor the installation and use of all security tools in production environments on a weekly basis. A filter can be used to flag these instances and catch suspicious activities that may indicate an attempted malware attack.
If someone gets on to your servers with the goal of doing something malicious, they could easily use security tools against you. So you want to know whenever a new one is added or when anything out of the ordinary happens.
4. Permission Changes on Files
Permission changes on files can often be an indicator of an exploit. For this reason, file permissions should never be edited manually on host machines. If this happens, it could be an indicator that an unauthorized file has been downloaded and a user or script has attempted to execute it.
Rather than leaving the job of permissions up to a person, automate as much of this as possible. Additionally, you should set up alerts so that anytime permissions are changed, you receive a notification.
5. User Privilege Escalation
Similarly, SecOps teams must monitor and control privilege escalations in production because these can be early indications of a breach — specifically of an insider threat.
Operations teams take a great deal of care to ensure that configuration files are structured in a specific fashion, and configuration tools help manage any changes to these files. Therefore, any unauthorized changes to configuration files should be considered a security issue.
Again, rather than doing this manually, automate the escalation of new privileges in production environments using configuration management scripts. If you must escalate privileges manually, inform operations teams so they won’t be alarmed if an alert pops up.
Automation for Unique Workflows
Of course, every organization has unique security requirements and challenges. So, in addition to the common areas listed above, your organization will probably have some unique or specialized use cases. Are you in an industry plagued by phishing attacks? Better deploy regular user training and effective alerting protocols. Is your team distributed around the world, or do you use a lot of contractors for development? Ensuring that user (de)provisioning goes off without a hitch will be the key to making sure no unauthorized access takes place.
Every organization is different, but the same workflows are often needed on a regular basis, so automating customized workflows can help streamline security operations. For example, Threat Stack’s webhook API integration makes it easy for teams to automatically trigger alerts and quarantine the related instance until a team member can address and resolve the issue.
Automation can be used to generate custom notifications and actions to be taken based on the severity level of a threat. This will ensure that no one has to sit at an alert dashboard all day long making rote decisions and that the opportunity for human error is minimized. This saves valuable time and ensures that no major threat slips through the cracks.
Treat Security With the Seriousness It Requires
Many of the most important security best practices can be automated, and our motto is: If you don’t automate it, it won’t get done. Machines should spend time doing what they do best (catching anomalies and compiling the information needed for investigation) so humans can focus on doing what they do best (analyzing for context and deciding the best course of action).
Of course, as we’ve said, you should never attempt to boil the ocean. You will want to tackle automation in chunks, and the guidelines above should help you get started.
And remember, many security tools can help you do this. In addition to providing automated monitoring and alerting, Threat Stack can help you automate many of the tasks described above. All of this ensures that valuable time is not wasted and that every security incident is treated with the seriousness it requires.
To learn more about best practices for cloud security, download a free copy of our recently published Cloud Security Use Cases Playbook.