How to Develop a SOAR Workflow to Automate a Critical Daily Task

Last updated at Tue, 15 Nov 2022 22:06:39 GMT

As the senior information security engineer at Brooks, an international running shoe and apparel company, I can appreciate the challenge of launching a security orchestration, automation, and response (SOAR) tool for the first time as well as investing your time and budget into making a new security platform your own. I’ve been working with Rapid7 for years now, and I have become a kind of evangelist for the user-friendly, low-code workflows that make SOAR a joy to manage and an important efficiency driver in our security program.

In this blog post, the third in a series of how-to guides on getting going with SOAR in general and with Rapid7 InsightConnect in particular, I’ll provide an overview of my experience developing a URL Blocking workflow to fit my organization’s specific needs – and perhaps those of your organization as well!

A Workflow to Automatically Block URLs in Multiple Systems

I built this workflow to address two very common use-cases:

• A user reports receiving a phishing email that does, in fact, contain a suspicious link.
• We learn about phishing or other scams from threat intelligence sources that leverage external links.

Upon learning about a suspected malicious link, our team needs to conduct an investigation to decide what to do about it – historically this was a manual three-step process:

1. Investigate the link and associated domain by pulling in threat intelligence from multiple sources to see what is known about it.

2. If determined to be malicious, block the URL and potentially the whole domain in our email security system, our DNS filter and our firewalls/VPN.

3. Figure out who, if anyone in our organization, clicked the link and move to further steps in the response.

As you can imagine, executing each of these steps manually can take a significant amount of time. Now, imagine conducting this process multiple times a day – while time is the enemy. Also, what if your security team experiences turnover? For example, on my team, we recently lost an analyst and gained another. We needed reliable and repeatable processes that any analyst can execute with minimal training.

That’s where a workflow like this becomes so useful! New analysts don’t need to know all the places to block a URL in our organization. By executing a single workflow from Microsoft Teams, the malicious URL is guaranteed to be blocked, in all the necessary places, every time. In addition, the workflow can determine if someone previously went to that link, and thus whether a given user or endpoint requires further investigation.

This was difficult and time consuming to do manually. I estimate the process consumed 30-60 minutes of analyst time, each time. To conduct this investigation manually, you must go to each log source, search for the URL, and update the local policies to block it going forward. With the workflow I built, it becomes an instant process that only requires a minute or two of review after execution. It’s no wonder my security analyst team asked for this workflow specifically.

Want to see it in action? Check out this short video.

How Did I Develop this SOAR Workflow?

The best and easiest place to start for many SOAR workflows is with your Chatapps – I started with Microsoft Teams, but you can use Slack as well, it doesn’t really matter. Both are great for facilitating communications with select staff members, initiating SOAR workflows, and presenting the results.

Next, use Rapid7 plugins (how Rapid7 InsightConnect integrates into 3rd-party systems) to connect to the IT and security systems your organization uses and that are required for your particular automation workflow. Then, put your logic, human decision, and communication points into the workflow.

Once the workflow is complete, you’ll still need to do some testing to make sure it works as designed. There are always little things – for example, certain plugins like different formats. For example, a DNS plugin just requires a domain, whereas for a firewall, you’ll need to use the entire URL when searching logs and updating block lists. The same goes for email security platforms. Start small and build out the logic as you get more comfortable with the approach and receive feedback from your user group.

How long did it take to get this URL blocking workflow up and running?

This URL-blocking workflow has about 15 steps or so. I put together the bones of it in a day or two, with just a few hours of total effort. Input validation and testing was the longest part of the process, but it was no more than a week from start to finish to get this particular workflow out the door. And donating it to the InsightConnect community also took very little effort.

The key here is to not be afraid to keep testing and iterating. When in doubt, don’t hesitate to reach out via the Discuss Community to ask for advice.

Using this SOAR-based automation, it takes less than a minute to block a malicious URL everywhere it needs to be blocked. Previously, it could take 40 minutes to an hour from start to finish. We run this workflow 10-20 times in a typical week. So, that saves between 7-20 hours of analyst time a week. This single workflow saves nearly half a full-time employee’s time! And the increased blocking consistency and speed is a further risk reduction bonus.

My Advice for SOAR Workflow Builders?

Rapid7 InsightConnect is one of those tools that does not and should not exist in a vacuum. You actually need the support and involvement of your other IT teams to deliver maximum value. Get that buy-in! It's a security orchestration tool. Orchestrating multiple people, processes and technology is what it’s for!