Have basic questions about Security ChatOps? Read our FAQ blog to get a quick primer on the concept and its benefits.
The security world’s eyes are focused keenly on ChatOps. With security analysts often trapped in work silos, having chat conversations with fellow analysts to conduct joint investigations can have lasting personal and business benefits. Additionally, the ability to run live security commands and document the results on the same collaborative screen is the force multiplier SOCs need. With all this chatter, ChatOps is piquing the interest of cybersecurity professionals everywhere.
That said, there is a right and a wrong time to bring ChatOps into your security operations and incident response. If you roll out ChatOps when the timing, resources, or fit with your needs aren’t right, you will not only fail to get benefits out of ChatOps but also potentially close the door on a future ChatOps implementation when the need is more explicit.
Here, we’ll provide a checklist that you can use to determine your SOC’s readiness to implement ChatOps. You can download a template of this checklist at the end of the blog.
If your incident response involves a mixture of automatable, well-defined tasks and cerebral, analyst-driven tasks, it’s a strong indicator that ChatOps can have a positive effect on analyst productivity and incident resolution times.
If you have trouble tracking investigation tasks to specific analysts and attaching accountability, ChatOps can bridge the gap. Having analysts work on the same window ensures team-wide transparency and task-level accountability, leading to more efficient response procedures with time.
If coordinating between all the security tools at your disposal is time-consuming and leads to an increased error rate, ChatOps can help both save time and increase accuracy. With ChatOps, you can orchestrate security commands across your product suite from one screen, removing the need for constant screen switching and the mistakes that come with it.
If you need to collate information from multiple sources for auditing and documentation, ChatOps can simplify the process. Each message sent and action performed is recorded on the ChatOps window for single-source documentation and retrieval, preventing the hassle of hunting through endless email chains and ticket threads to find the information you need.
If your incident resolution times are too long when analysts work separately (in silos) to resolve them, ChatOps can lead to speedier and more enriched incident closure. Analysts can easily share information, learn from each other’s actions, and combine specific skill-sets on one platform to display real-time teamwork during investigations.
If your team is experiencing alert fatigue from certain incidents even after implementing automation, ChatOps can be the palliative balm to ease your wounds. By distributing the load among a team of analysts working together, reducing product coordination time, and easing documentation work, post-automation alert numbers can be kept in check.
If you can’t afford to train new analysts or have them make costly mistakes on the job in lieu of training, ChatOps can double up as an intuitive way for them to learn on the job. They can join in on investigations and study security actions carried out by senior analysts, the order the actions were carried out in, and other IR best practices.
Let’s use the above framework to tackle a common example: phishing incidents. The filled-in table is given below.
You can find a blank worksheet of this framework below and can use it to evaluate your security team’s readiness for ChatOps by applying the framework to certain incidents/sub-teams.