Technologies like Slack make sharing content among teams much easier and more fun. As with any new technology, they create new security challenges, and this particular technology also brings a new opportunity for security professionals. The challenge is best summarized by the question: how do we make sure that ease of sharing content does not result in ease of spreading malware? The opportunity is bringing the power of collaboration to security operations teams and improving security posture as a result.
While working on the Demisto Incident Response Platform, we encountered an interesting challenge internally: we had no way to make sure that the Slack content being generated and posted was pristine. We have a bot connecting RSS and other web content to our Slack channels so we can keep up to date on our market, the technologies we adopted, etc. This content, we quickly noticed, is not validated. While our browsers and e-mail systems have security plugins and services, there is no easy way to scan content within Slack.
We also quickly realized that security analysts have a similar challenge: while researching, they want information about files, URLs and IP addresses. Today they go to multiple web pages and then correlate that data by hand to reach a conclusion. A fairly painful and manual process! And then there is the collaboration challenge. Here is a quote from a customer interview:
Each of our analysts is really capable, but they are experts in different areas. If only we could cross-train them and enable collaboration, we would double our productivity.
Introducing DBOT — the first Slack-integrated security bot.
DBOT automates security intelligence collection and delivers the relevant security information in real time via Slack. DBOT is a free and open source product, and we intend to keep it that way. One of the early users of DBOT, Saurabh Gupta (Co-founder, CTO of Wonder Workshop), says: “DBOT helps us scan the user generated and imported content in Slack. It was a one click install and is non-intrusive.”
I am a security analyst. How can I use DBOT?
If you are a security analyst, we are sure you spend a lot of time looking up the reputation of IP addresses, checking whether a file is malicious, and reading the details of a file in VirusTotal and IBM X-Force Exchange. All of this can now be automated by having DBOT do it for you.
You ask, “Do I need Slack?” Yes, you do. We think that Slack is a great place to automate your enterprise security tasks while being able to collaborate. We recommend you set up a security ops channel in Slack and have DBOT listen to that channel in verbose mode.
What configuration is right for a security analyst?
There are two modes of operation for DBOT: regular mode and verbose mode. Regular mode is designed for regular users of Slack (we will say more about this below), and verbose/advanced mode is designed for security analysts. In verbose mode, DBOT reports on every artifact it checks, including the ones found benign or clean, and responds with deeper analysis for security experts. Here is how to configure DBOT for verbose mode.
Some tips for security experts:
- The easiest way to start using DBOT is by checking the “Monitor Direct Messages” box and using Slackbot to check reputation. This way you don’t bother team members in other channels.
- If you do want to enjoy the power of collaboration, we recommend a dedicated channel for the relevant team, so that people can also search all the historical data, which Slack captures very well. You can use a private group for this as well.
Can I chat with other security analysts and learn how they are using DBOT?
We got this question from some initial users of DBOT, so we have created a public Slack channel that is monitored by DBOT. You can subscribe to this channel from the DBOT site. This is a fantastic way to learn from your peers in other companies and exchange ideas.
I use Slack for day-to-day conversations in my team. Can DBOT help me?
This is the second use case for DBOT. We talked to a large number of Slack users and found that they share URLs and files in Slack on a regular basis. If you look at any email system (Gmail, Yahoo, Hotmail, or enterprise ones like Office 365), they all have a scanning engine built in that protects users. We decided to have DBOT provide the same protection for Slack. In this use case, DBOT is pretty silent and you won’t even notice that it is protecting you (that is how all security should be, invisible, right?). If it finds something malicious, it alerts you as shown below.
What is the recommended configuration?
Since DBOT is completely silent unless it finds something malicious, we recommend you monitor all your channels. This is also the default configuration, and you can leave it alone. We designed DBOT to stay completely out of your way after you add it and to keep protecting you even after you have forgotten about it.
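To make the two modes concrete (verbose mode for analysts, which reports every artifact; regular mode for everyday channels, which stays silent unless something is malicious), here is an added example of the scanning loop such a bot runs over a message. This is illustrative code written for this post, not DBOT's own implementation: the artifact extraction is a set of regular expressions over Slack's `<url|label>` link markup, the reputation answers come from a constructed in-memory table standing in for VirusTotal and X-Force queries, and the sample message is made up. The defanging step is a practitioner's caveat rather than a documented DBOT feature: a bot that echoes a malicious URL back into the channel hands users a clickable link.

```python
import re
import ipaddress
from dataclasses import dataclass

# Patterns for the artifact types a Slack scanner pulls out of a message: URLs,
# IPv4 addresses and file hashes (MD5 / SHA-1 / SHA-256 hex digests).
URL_RE = re.compile(r"https?://[^\s<>|]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)

# Internal ranges that are pointless (and leak topology) if sent to a public reputation service.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed reputation data (hypothetical) standing in for the answers a real
# bot would fetch from VirusTotal or IBM X-Force Exchange.
REPUTATION = {
    "http://bad.example/dl/setup.exe": "malicious",
    "203.0.113.7": "malicious",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "clean",
}


@dataclass
class Artifact:
    kind: str
    value: str
    verdict: str


def extract_artifacts(text):
    """Return (kind, value) pairs found in a Slack message, deduplicated, in order of appearance."""
    found = []
    # Slack posts links as <http://host/path|label>; the character class stops at '|' and '>'.
    for m in URL_RE.finditer(text):
        found.append(("url", m.group(0).rstrip(".,;:)")))
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        found.append(("ip", str(ip)))
    for m in HASH_RE.finditer(text):
        found.append(("hash", m.group(0).lower()))
    seen, unique = set(), []
    for item in found:
        if item not in seen:
            seen.add(item)
            unique.append(item)
    return unique


def lookup(kind, value):
    """Reputation query; the real VirusTotal / X-Force call is replaced by the table above."""
    return REPUTATION.get(value, "unknown")


def defang(value):
    """Neutralise a URL or IP before echoing it back, so Slack does not turn it into a live link."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def scan_message(text, verbose=False):
    """Verbose mode reports every artifact with its verdict; regular mode reports only
    malicious ones and returns an empty list (stays silent) for a clean message."""
    artifacts = [Artifact(kind, value, lookup(kind, value))
                 for kind, value in extract_artifacts(text)]
    if not verbose:
        artifacts = [a for a in artifacts if a.verdict == "malicious"]
    return [f"{a.kind} {defang(a.value)}: {a.verdict}" for a in artifacts]


# Constructed sample message in Slack's link markup (not a real incident).
SAMPLE = ("FYI the installer is at <http://bad.example/dl/setup.exe|setup.exe>, "
          "served from 203.0.113.7 (mirror on 10.0.0.5). "
          "SHA-256 of the empty file: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

if __name__ == "__main__":
    print("verbose mode:")
    for line in scan_message(SAMPLE, verbose=True):
        print("  " + line)
    print("regular mode:")
    for line in scan_message(SAMPLE):
        print("  " + line)
```

In verbose mode the sample yields three lines (the malicious URL, the malicious IP, and the clean hash); in regular mode only the two malicious lines come back, and a message with no public artifacts yields nothing at all, which is what "silent unless it finds something malicious" looks like in code. The internal 10.0.0.5 address is never sent anywhere.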
What are you doing with my data and conversations?
We are security people and understand your concern. What have we done to secure your information? We do not keep any information about you other than the email address you use to authenticate to Slack. DBOT works independently, and after it reaches a verdict the only place the information is kept is your Slack channel.
For those who are eager to learn about the internals of DBOT, including the Slack APIs used, how it is architected for scale and security, what cloud infrastructure we are using, etc., we have another blog post coming up soon.
Is this what Demisto does?
Yes and no. Demisto was founded recently by experienced security folks with the ambitious goal of revolutionizing the way incident response is done in organizations. Consider DBOT our small first step towards this goal. Follow us on Twitter (@demistoinc) or join our mailing list at https://www.demisto.com if you would like to receive future news about our products.