Playbook Series: Don’t Just Integrate, Orchestrate

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.  The spotlight Playbook for today covers malware analysis and investigation with Cisco’s AMP Threat Grid and other products.

Automating your security technologies to work the way you want is still a bit visionary, but orchestration is not. Nowadays, we have too many security problems to manage, as discussed here in a blog about The Security Patchwork Problem. Security products have been built to address a very specific niche, and you end up having 40-60+ technologies to manage just to ensure you’re maintaining confidentiality and integrity.

Take a malware analysis tool, or sandbox, for example. They are generally a standalone tool that sits on a network TAP or SPAN, operated by a security analyst who uses it to identify and block malware from entering the network. Unfortunately, most of the alerts produced are ignored according to one ESG study. That’s pretty much the extent of it. Little to no remediation, and it doesn’t talk to other tools that you have, such as firewalls, proxies, or even a SIEM, to say it has blocked a specific domain, IP, or hash based on analysis. AMP Threat Grid was built with a very robust REST API that allows users to automate sample submissions and retrieve results. But what if you want to go further and automate your entire workflow from detection through analysis to blocking and remediation? Without heavy scripting that hasn’t really possible, until now. Orchestration has been a core tenant of DevOps engineers since the get go.

Now it’s time for security to come out of the dark ages of manual investigation and adopt orchestration. Phantom allows you to quickly and seamlessly create a playbook for a specific action to be taken with technologies like Threat Grid. The integration has a lot of basic functionality that can automate actions from Threat Grid including

  • File submission
  • Report retrieval
  • URL submission

Sound pretty good so far? It gets a lot better. Instead of just automating the submission and retrieval of suspect files, you can go all the way through your workflow in a very automated way.  For example, your security analysts are tired of continually updating the email gateway rules due to all the phishing attempts and you want to streamline the process. Here is how the integration of Threat Grid and Phantom could play out:

TG Playbook.png

  • Look up file hash in Cisco AMP, or Virus Total, to determine reputation.
  • If none is found, send any file attachment to Threat Grid for analysis.
  • Then look up the source IP in VirusTotal.
  • And since your security analysts are paranoid, you opt to validate the information and look up the IP in OpenDNS.
  • Now they go a step further and want the geo location associated with the IP address so you look that up in another tool, maybe Maxmind.
  • Perhaps you want to block all emails coming in from an arbitrary country. Let’s say Canada (since I’m Canadian).
  • Analysis is done running, so retrieve results from Threat Grid – turns out it’s malware.
  • Based on this information you might want to block the source IP and hash value in your Cisco ASA firewall.
  • And you found a number of instances of the file in your environment. Your workflow dictates you quarantine the assets from the network with Cisco ISE for further remediation.

All this can be automated, instead of having a person go through and do the scripting, saving hours for each investigation, and even more when you begin to automate quarantine and remediation actions based on findings within Threat Grid.

Be sure to sign up for your free trial account of Threat Grid here: https://info.sourcefire.com/tgportalinfo.html

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend a Tech Sessions to see Playbooks like the one featured above in action.

Joe Malenfant
Product Marketing
Cisco

One thought on “Playbook Series: Don’t Just Integrate, Orchestrate

Comments are closed.