AnakinMoonwalker: “Site A, they’re taking Site A! Split up and fan out. They just got me.”
ABotHasNoName: “I’m on it. How many do they have left?”
AnakinMoonwalker: “Two. Use crosshair 4 and turn bullet tracers on.”
ABotHasNoName: “Got it. Aaaand got them!”
Exchanges like the one above, sanitized and tidied up for print, are commonplace in Counter-Strike: Global Offensive private chats as groups of players lock horns over digital bragging rights. Online gaming has grown from a clandestine pastime carried out in secluded LAN centers to a legitimate sport played and followed by millions under glaring spotlights.
A less discussed side effect of this popularity is that video games have often been early adopters of new technologies. Pokemon Go made augmented reality mainstream. Oculus and VIVE are putting VR into the hands of the masses. And multiplayer chat rooms have embraced the tenets of ChatOps while most other industries, cybersecurity included, are still testing the waters.
Here, we shall discuss the basic principles of ChatOps, why it’s needed, and how it can be a difference-maker in incident response like it already is in online multiplayer warfare. Let’s go!
The What and Why of ChatOps
Security analysts today face challenges both visible and hidden amid unprecedented attack volumes. The proliferation of security tools (an average of 15 products used per organization) leads to alert fatigue, constant switching between screens, longer investigation times, and disjointed record keeping. Analysts also continue to work in silos, too busy with their core responsibilities to share knowledge or investigate collaboratively. ChatOps addresses all of these challenges at once.
The simplest definition of ChatOps for security is a platform for conversation-driven investigation. When humans, security tools, chatbots, and automated workflows all operate in the same chat window, each feeding the others, the effect reaches everything from investigation depth and remediation times to knowledge management and future learning.
Gamers are already familiar with this. Remember the fictionalized exchange at the start of this blog? The players used quickfire commands to find out how many opponents were left, change the crosshair type, and turn bullet tracers on. There are tons of Discord bots available online that provide gamers with real-time stats, inventory information, and in-game lore. Players can bring up a command-line interface to change anything from their gun-wielding hand to the background brightness for spotting enemies more easily.
If one scratches beneath the surface, general skills required of expert gamers and security analysts bear some similarity: both communicate with their teams at breakneck speed and perform 10 different tasks at once to ‘defuse a bomb’ before the timer runs out! With the former group already using ChatOps functionalities, it’s critical that the latter gain an understanding of their merits.
The Benefits of ChatOps
Let’s look at the main benefits that ChatOps can bring to a SOC:
Currently, security analysts balk at collaborating on incident response because of the tiresome housekeeping that comes with it. Information sharing across analysts is done through email or ticketing solutions, creating unproductive back-and-forth exchanges and tab congestion. Tracking IR flows and processes for future incidents is taxing and often done on paper. Retrospectively searching for task ownership and accountability is a futile exercise amidst all the clutter.
ChatOps changes all this. When a team of analysts collaborates on a single platform, every chat message, action, and command is tracked and visible to all parties. This gives full transparency to the analysts and to any external stakeholders who have been granted access and want to view progress. Because each command is tied to the account that issued it, accountability and task ownership can be traced to specific analysts, which aids measurement and makes successful responses repeatable.
Figure 1: The chat window on the bottom left ensures that all players know what is happening on the battlefield.
The skills gap in cybersecurity is well-known, with a global shortage of 1.5 million qualified analysts expected by 2019. In such a scenario, the Bus Factor looms large over every SOC. Sudden personnel losses result in an exodus of expertise and knowledge, with junior analysts required to start from scratch and pave their own way in the big, bad world of IR.
Working in ChatOps provides one-stop archival of every action, comment, and investigation command. Because everything is indexed, the chat history becomes a vault in which analyst knowledge is stored for posterity: personnel changes no longer leave IR in the dark, and new analysts have a body of historical precedent to fall back on when dealing with unfamiliar incidents. That archive is itself a sensitive record, since it holds hostnames, indicators, and the response actions taken against them, and it needs the same access control and retention policy as the security tools feeding it.
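The mechanics behind the last three sections (humans, tools and a bot sharing one window; every command tracked and tied to the analyst who issued it; a searchable archive of past actions) fit in a small dispatcher. The following is an added example written for this page, not code from the original post or from any ChatOps product. The usernames, roles, incident ids, hosts and the threat-intel table are constructed sample data standing in for real tool integrations, and the role check before destructive commands is a practitioner's caveat the post does not mention: a bot that can isolate hosts from a chat window must know who is allowed to ask.

```python
"""Minimal ChatOps command dispatcher for a SOC channel.

Added example, not code from the original post. Every name here is hypothetical:
users, roles, incident ids, hosts and the threat-intel table are constructed
sample data standing in for real tool integrations.
"""
import inspect
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role table. Destructive actions such as /isolate are reserved for
# senior analysts: a least-privilege check the post does not spell out, but one a
# bot that can act on production hosts must have.
ROLES = {"anakin": "senior", "abot": "junior", "guest": "observer"}
ALLOWED = {
    "observer": {"status"},
    "junior": {"status", "lookup", "claim"},
    "senior": {"status", "lookup", "claim", "isolate"},
}

# Constructed threat-intel lookup standing in for a real enrichment tool.
INTEL = {"203.0.113.7": "known C2 (constructed sample)", "198.51.100.4": "clean"}


@dataclass
class AuditEntry:
    """One indexed record: who ran what, with which arguments, and what came of it."""
    ts: str
    user: str
    command: str
    args: tuple
    outcome: str


@dataclass
class ChatOpsBot:
    audit: list = field(default_factory=list)   # the searchable archive
    owners: dict = field(default_factory=dict)  # incident id -> owning analyst
    isolated: set = field(default_factory=set)  # hosts taken off the network

    def handle(self, user: str, text: str):
        """Process one chat message; returns the bot's reply, or None for plain chat."""
        if not text.startswith("/"):
            return None
        try:
            parts = shlex.split(text[1:])
        except ValueError:
            return self._record(user, "?", (), "usage: unbalanced quotes")
        if not parts:
            return self._record(user, "?", (), "usage: /<command> [args]")
        cmd, args = parts[0], tuple(parts[1:])
        role = ROLES.get(user, "observer")
        # Denied attempts are recorded too: the archive must show who tried what.
        if cmd not in ALLOWED.get(role, set()):
            return self._record(user, cmd, args, f"denied: role {role} may not run /{cmd}")
        handler = getattr(self, f"cmd_{cmd}", None)
        if handler is None:
            return self._record(user, cmd, args, f"unknown command /{cmd}")
        sig = inspect.signature(handler)  # bound method: parameters exclude self
        try:
            sig.bind(user, *args)
        except TypeError:
            return self._record(user, cmd, args,
                                f"usage: /{cmd} takes {len(sig.parameters) - 1} argument(s)")
        return self._record(user, cmd, args, handler(user, *args))

    def _record(self, user, cmd, args, outcome):
        """Append one entry to the archive and hand the outcome back to the channel."""
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, cmd, args, outcome))
        return outcome

    # Command handlers; the first parameter is always the issuing analyst.
    def cmd_status(self, user):
        return f"{len(self.owners)} open incident(s), {len(self.isolated)} host(s) isolated"

    def cmd_lookup(self, user, ip):
        return f"{ip}: {INTEL.get(ip, 'no record')}"

    def cmd_claim(self, user, incident):
        owner = self.owners.setdefault(incident, user)
        return (f"{incident} owned by {owner}" if owner == user
                else f"{incident} already owned by {owner}")

    def cmd_isolate(self, user, host):
        self.isolated.add(host)
        return f"{host} isolated"

    def audit_for(self, term: str):
        """Retrospective search: every recorded command that touched a host or incident."""
        return [e for e in self.audit if term in e.args]


if __name__ == "__main__":
    bot = ChatOpsBot()
    for user, text in [("abot", "/claim INC-42"), ("abot", "/isolate ws-07"),
                       ("anakin", "/isolate ws-07"), ("anakin", "/status")]:
        print(f"{user}> {text}\n  bot: {bot.handle(user, text)}")
    for e in bot.audit_for("ws-07"):
        print(e.ts, e.user, e.command, e.outcome)
```

Denied and malformed commands are recorded alongside successful ones, so the archive answers "who tried to isolate ws-07" as readily as "who did". In a real deployment the audit list would be a write-once store rather than an in-memory list, and the role table would come from the chat platform's identity provider, not a dict in the bot.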
Comply or Die
Apart from documenting IR flows for archival, organizations also need comprehensive incident records for compliance purposes. With digital assets continuing their heady ascent in value, companies are required to comply with strict industry-specific regulations and auditing checks. With multiple security products, analyst accounts, and communication channels, trying to record all that information in one place is like herding sheep in the snow.
ChatOps can be integrated with tools that securely transfer all information to a company’s compliance database, map to any specific recording formats that a company might use, and have summaries ready for easy retrievals. Even in the distributed and many-sourced digital world, ChatOps will provide the thoroughness of a physical ledger for reporting and compliance purposes.
Hit That Nitrous Boost
One of the most common gripes from security analysts is the time it takes to successfully respond to and close an incident. This slow speed stems from many reasons: the sheer number of alerts swamp analysts into submission, flitting between multiple security products leaves them in a daze, and working in silos deprives them of each other’s expertise. When each issue adds up, it’s like running a marathon with cemented boots.
ChatOps addresses all three. A single window removes the need to jump between screens, the chat-based interface encourages analysts to share knowledge and work together, and joint investigations stop several analysts from chasing the same alert independently, which shrinks the backlog. Every minute of downtime after a cyberattack carries a financial cost; in this race against time, ChatOps provides a much-needed nitrous boost.
Always Be Learning
Meeting current challenges is the need of the hour; getting ahead of them is the state that security analysts aspire to. With all the indexed information that ChatOps makes available, what is the best way to put it to use rather than let it gather digital dust? The answer, here as in many places nowadays, is machine learning.
ChatOps coupled with machine learning can act as a force multiplier, helping analysts cut response times, work more efficiently, and anticipate attacks. Models trained on the stored history can suggest which analyst is best placed to handle a given type of attack, how workload should be divided to match specific skill sets, and which commands or actions have worked against similar attacks in the past.
ChatOps has already taken giant strides in industries ranging from software development and workplace collaboration to services and (as you know by now) online gaming. While it is still fledgling and has not yet taken off in cybersecurity, the benefits of ChatOps overlap closely with the pain points that security analysts feel.
The average cost of a security breach is more than $3 million as things stand. Attackers are sophisticated, agile, organized, and persistent. But with the help of ChatOps, the counter-terrorists have a chance.