Vulnerability management is a strategically important process that covers both proactive and reactive aspects of security operations. Since vulnerability management encompasses all computing assets, security teams often grapple unsuccessfully with correlating data across environments, spending too much time unifying context and not enough time remediating the vulnerability.
How Orchestration Helps
Security orchestration playbooks can automate enrichment and context addition for vulnerabilities before handing off control to the analysts for manual remediation. This maintains a balance between automated and manual processes by ensuring that analyst time is not spent in executing repetitive tasks but in making critical decisions and drawing inferences.
The playbook ingests asset and vulnerability information from a vulnerability management tool such as Qualys.
2. Enrich Entities
The playbook enriches endpoint and CVE data through relevant tools. It also adds custom fields to the incident if the newly gathered data requires them.
3. Vulnerability Context
The playbook queries the vulnerability management tool for any diagnoses, consequences, and remediations tied to the vulnerability. If any vulnerability context is found, it’s added to the incident data.
4. Calculate Severity
Based on the gathered context, the playbook calculates the severity of the incident. To learn more about calculating incident severity, read this blog.
The playbook now hands over control to the security analyst for manual investigation and remediation of the vulnerability.
To access Demisto's vulnerability management playbook and other orchestration use cases, visit our GitHub playbook repository and see what's possible
Unify security functions: By coordinating among multiple tools, a vulnerability management playbook can enable security teams to have improved, centralized visibility over security data. In this example, the playbook collects intelligence from EDRs and vulnerability management tools, maximizing tool usage without the ensuing analyst fatigue.
Automate repeatable steps: There are multiple security actions that, while important, are time-consuming to execute every time a vulnerability is detected. Automating these steps shave off large chunks of response time while still providing overall control and decision-making power to the security team.
Improve investigation quality: Security orchestration platforms usually correlate intelligence from multiple tools so that security teams can quickly identify whether any IOCs are isolated or persistent within their environments. In this example, security teams can study the vulnerability details and uncover any similar incidents affecting their systems (which can point towards a larger attack campaign at play).
A Good Playbook Should Be...
Simple and intuitive: The playbook should ideally be represented as a task/process flow through a simple drag-and-drop graphical interface. Coding expertise shouldn't be a 'must-have' to make even the most complex playbooks, although each playbook’s code should also be available for analysts to tweak if required.
Primed for automation: Analysts should be able to automate the entire playbook in response to a phishing attack, greatly reducing response time, effort, and the possibility of human error for large-volume attacks. However, analysts should also be able to include manual steps in playbooks and require human intervention for sophisticated attacks.
Customizable: Analysts should be able to make copies of the standard playbook, modify it, or embed it in other playbooks as needed.
We hope you found this use case walk-through helpful. This is only a skeletal workflow - your own 'playbook' can be as simple or complex as your needs merit.
To learn about more security orchestration use cases, download our whitepaper.