SprwLabs
Headless Automation
/sprw-labs-attempt-2/pexels-nathan-j-hilton-10023003-if8f0.jpg)
While our favorite holiday is Halloween, this article sadly has nothing to do with the Headless Horsemen. Instead we will focus on how we stop security teams from being scared and overwhelmed.
Security teams are constantly challenged to do more with less. When a security team acquires a SOAR, they do not always have a staffing plan associated with it. SOAR tools are not a set it and forget it tool. Instead they require constant tuning and attention. One of the ways we increase value from SOAR without increasing staffing is to focus on headless automation.
With headless automation, it’s possible to make a positive impact on your security operations without consuming more of your team’s time. Headless automation is a method of automating security
processes without requiring human intervention. This can include anything from
notifications to fully automated alert triage, allowing your security
operations to reap the benefits of automation without burdening your team.
We’ll discuss various use cases that can have a quick time-to-value and are
easy to deploy, as well as how to overcome any potential challenges with
access, permissions, and anxiety about automation.
Let's take a look at a few headless automation use cases:
Asset Verification
Does your CMDB match your EDR? Does your CMDB match your vulnerability scanner? Are all of your public IPs listed in your CMDB? Do you have an endpoint tool on all of your hosts? Validating IT documentation and security controls is a great use of SOAR. For example, here is a list of actions we've taken in the past:
- Enumerate AD for computer objects and OU
- Enumerate all systems communicating to ALL EDR tools
- Enumerate all systems communicating to Vulnerability scanner
- Enumerate all systems communicating to micro segmentation solution
- Enumerate all systems communicating to XDR
- Enumerate all systems communicating to SCCM
Administrative Privilege
Do you verify your servers and laptops do not have administrative privilege's on any local workstation? That server admin configured it for that one task and never removed it? Let's write a quick hunt to verify you under ? Have you confirmed all of your administrative accounts
- Enumerate all PCs in Active Directory
- Access each PC and verify local administrators
- Search logs for previous administrative login events
- Verify all administrative accounts form Active Directory are in the Privilaged Identity Management Solution (PAM)
Vulnerability Verification
Do you scan all of your assets? How confident are you? Most organizations commit to performing an authenticated scan on every endpoint. Let's verify you are! Since we already verified the CMDB is accurate, we will assume that is our source of truth.
- Iterate over all assets in your CMDB
- Lookup asset in vulnerability scanner
- Verify asset has been scanned within the last 30 days
Most of these use cases are straight forward and make a great place to start implementing SOAR. All of these use cases can be implemented with any major SOAR such as Swimlane, Siemplify (Chronicle SOAR), XSOAR, or Splunk SOAR. There are countless other headless use cases that can empower your team. Reach out to us and let us help you implement SOAR without burdening your team.