Enter just about any office today and you’ll hear teams typing away on their keyboards, chatting through a tool such as Slack. Chances are, many of these teams are also leveraging what’s called ChatOps, or conversation-driven collaboration. If you’re reading this post, you’ve probably started to hear about the ways in which ChatOps can be extended to many security use cases.
Leveraging a central communication hub like Slack, teams have been able to increase security visibility, automate tasks, and respond to incidents faster. Naturally, we see many use cases for security ChatOps; in fact, we use it ourselves on a daily basis.
In this post, we’d like to explain the three most common ways companies like yours can leverage ChatOps orchestration and automation for security.
Distributed Security Alerting
- An employee notices something strange and raises a flag
- A third party contacts the company because they notice something strange
- Hackers contact the company because they want you to notice something strange
- Or they simply don’t know they’ve been hacked...
None of these scenarios is ideal, and they don’t always happen in real time, either. With ChatOps, teams can leverage a chatbot that can hook in notifications from your various security tools, enabling your team to unify security alerting in one platform for complete visibility.
Using ChatOps automation, you can take this a step further by enabling a bidirectional flow of information between Slack and your other tools. Even better, you can design particular workflows to notify different stakeholders based on the type and severity of alert, allowing the right people to be notified faster.
Automate Alert Validation
Sometimes alerts fire when a routine task or update happens, but it can often be difficult to determine when that is the case vs. when there is a real threat at hand. Using ChatOps, you can verify whether an alert is in fact a threat requiring investigation or is something pedestrian and harmless, like a new server your IT manager spun up or an employee who simply forgot their password and is trying to get back into their account.
When an alert fires and shows up in Slack, for example, you can ping members of your team in real time to validate whether the alert (such as multiple log-in attempts from anomalous locations) was caused by them or not. Or, to be more proactive, team members can ping their teams when they’re about to make a change that they know will fire an alert, so the team can move past it rather than spend time investigating a benign “issue.”
This alone can make security operations much more efficient. With less time spent investigating false alerts, there’s more time to spend on the real ones.
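The two ideas above, routing an alert to different stakeholders by type and severity and then letting the affected person confirm or deny it from chat, are small enough to sketch in code. The following is an added example written for this post, not Komand's code; the channel names, alert kinds and the `ack <id> yes|no` reply format are assumptions, and the chat transport itself is left out so the routing and validation logic can run on its own.

```python
"""Added example: alert routing by type/severity plus chat-based validation.
Channel names, alert kinds and the reply format are hypothetical."""
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Alert:
    alert_id: str
    source: str                # tool that raised it, e.g. "idp" (constructed)
    kind: str                  # e.g. "auth_anomaly", "new_host" (hypothetical)
    severity: str              # "low" | "medium" | "high" | "critical"
    user: Optional[str] = None # account involved, if any

# Hypothetical routing policy: every alert lands in the SOC channel, some kinds
# also go to the team that can validate them, and high+ severity pages on-call.
TEAM_CHANNEL = {"auth_anomaly": "#identity-team", "new_host": "#it-ops"}

def route(alert: Alert) -> List[str]:
    """Channels to post to, chosen by alert type and severity."""
    channels = ["#sec-alerts"]
    if alert.kind in TEAM_CHANNEL:
        channels.append(TEAM_CHANNEL[alert.kind])
    if SEVERITY_RANK[alert.severity] >= SEVERITY_RANK["high"]:
        channels.append("#sec-oncall")
    return channels

def validation_prompt(alert: Alert) -> str:
    """Message asking the affected person (or the team) whether this was them."""
    who = f"@{alert.user}" if alert.user else "team"
    return (f"[{alert.alert_id}] {alert.source}: {alert.kind} ({alert.severity}). "
            f"{who}, was this you? Reply `ack {alert.alert_id} yes|no`.")

def handle_reply(alert: Alert, reply: str, replier: str) -> str:
    """Apply a chat reply to the alert and return the resulting disposition.

    Only the affected user may vouch for their own account, and a critical
    alert is never closed on a chat reply alone: the account under suspicion
    could be the one answering, so an analyst still has to look."""
    parts = reply.split()
    if len(parts) != 3 or parts[0] != "ack" or parts[1] != alert.alert_id:
        return "ignored"
    if parts[2] == "no":
        return "escalate"              # kick off the enrichment workflow
    if parts[2] != "yes":
        return "ignored"
    if alert.user and replier != alert.user:
        return "ignored"               # someone else cannot close it as benign
    if alert.severity == "critical":
        return "needs_analyst"
    return "closed_benign"
```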
Automate Enrichment Tasks
When there is a real threat at hand, there are many tasks that need to happen, often in parallel, in order to respond effectively and efficiently. As we’ve shown before, automation can accelerate time-to-response by over 80 percent, and ChatOps can play a big role in that.
Leveraging ChatOps automation (which can be done using a platform like Komand), you can automate processes, such as the querying of logs and lookups, directly from Slack. That way, the moment an alert is verified as requiring investigation, you can set into motion an entire workflow to enrich and investigate the alert — and in far less time than it would take to do so manually.
Komand’s ChatOps functionality allows you to kick off enrichment workflows and report the findings all from Slack, so you never have to leave the Slack console and don’t have to spend time jumping from tool to tool, piecing together information. With fewer tools to wrestle with and more time to focus on the strategic work, your team can become measurably more efficient.
ChatOps: Better Communication, Better Collaboration
We’ve seen firsthand how ChatOps can transform a security team. And we hear from more and more companies every week who are frustrated with the lack of visibility into security events, and with the disjointed workflows and communication that result from disconnected tools, alerts, and team members.