Security Automation 101
Who doesn’t love automation?

Introduction
Cybersecurity is a diverse field. Even on the defensive side alone, the number of tools you can deploy and the number of techniques you can apply is practically endless. Security automation touches both: the right tool, driven by the right techniques, can do wonders for your security defence.
The most common and sought-after automation use case in security operations is accelerating incident response and, in the process, reducing MTTR (mean time to respond). This kind of security automation is achieved through security playbooks, which are generally categorized as Orchestration, Enrichment or Response; the tool used to build and run playbooks is known as… you know it… SOAR (Security Orchestration, Automation and Response).
Now, to make sense of the bits and pieces of security automation, I am going to elaborate on each puzzle piece… Stay with me.
Playbooks
The basic definition of a playbook is a defined “course of action”, in other words an instruction set for achieving certain objective(s). In a SOC, however, playbooks are designed either to completely resolve a security incident or to put actionable information in front of analysts so that it is readily available during analysis.
Having playbooks does not eliminate the need for human intervention; their core purpose is to help security teams achieve more in less time.
Technically, in order to execute actions a playbook requires API connections to the infrastructure. That includes, but is not limited to, Active Directory, the SIEM, the EDR and firewalls, and can extend to the rest of the tools and systems in your organization.
An API (Application Programming Interface) is a set of rules and protocols that allows different software applications to communicate and interact with each other in a request/response manner.
- A playbook uses API calls, which are termed Actions; to run an Action successfully, a Connection has to be established first, and it is the Connection that authorizes the Action. In practice, the credential behind a Connection should be scoped to just the Actions the playbook needs: a connection used only for enrichment should not carry the permission to isolate hosts or disable accounts.
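To make the Connection/Action/Playbook split concrete, here is a small playbook engine written for this article as an added illustration; it is not the API of any SOAR product. The tool names (a threat-intelligence feed and an EDR), the in-memory backends that stand in for their APIs, the RFC 5737 documentation IP addresses, the host names and the isolation threshold are all constructed assumptions so that the example runs offline. It chains the three playbook categories (Orchestration, Enrichment, Response), shows a Connection refusing an Action it was not authorized for, and stops short of acting when the evidence is weak, handing the enriched case to an analyst instead.

```python
"""Minimal SOAR-style playbook engine (added illustration, not a vendor API).

Connections authorize Actions; a Playbook chains Orchestration, Enrichment
and Response steps.  Every backend is an in-memory stand-in for a real tool
so the example runs offline.
"""
from typing import Any, Callable, Dict, List

# --- Constructed tool state (assumed data; IPs are RFC 5737 documentation ranges) ---
TI_FEED = {
    "203.0.113.45": {"score": 92, "tags": ["c2", "cobalt-strike"]},
    "198.51.100.7": {"score": 12, "tags": ["scanner"]},
}
EDR_HOSTS = {
    "WS-0142": {"owner": "jdoe", "isolated": False},
    "WS-0377": {"owner": "asmith", "isolated": False},
}


class Connection:
    """Authenticated channel to one tool.  A real Connection wraps the tool's
    API client and credentials; here `actions` maps action names to callables.
    The allow-list models the point that a Connection *authorizes* which
    Actions a playbook may invoke (e.g. a read-only EDR integration)."""

    def __init__(self, tool: str, actions: Dict[str, Callable[..., Any]], allowed: List[str]):
        self.tool = tool
        self._actions = actions
        self.allowed = set(allowed)

    def run(self, action: str, **params: Any) -> Any:
        if action not in self.allowed:
            raise PermissionError(f"{self.tool}: action '{action}' is not authorized on this connection")
        return self._actions[action](**params)


# --- Action implementations: what the real tool API would do on each call ---
def ti_lookup(ip: str) -> Dict[str, Any]:
    return TI_FEED.get(ip, {"score": 0, "tags": []})


def edr_get_host(hostname: str) -> Dict[str, Any]:
    return dict(EDR_HOSTS[hostname])


def edr_isolate(hostname: str) -> Dict[str, Any]:
    EDR_HOSTS[hostname]["isolated"] = True
    return {"hostname": hostname, "isolated": True}


def make_connections(read_only: bool = False) -> Dict[str, Connection]:
    """Connections available to a playbook; `read_only` drops the response permission."""
    edr_allowed = ["get_host"] if read_only else ["get_host", "isolate"]
    return {
        "ti": Connection("ti-feed", {"lookup": ti_lookup}, ["lookup"]),
        "edr": Connection("edr", {"get_host": edr_get_host, "isolate": edr_isolate}, edr_allowed),
    }


def outbound_c2_playbook(alert: Dict[str, Any], conns: Dict[str, Connection],
                         isolate_threshold: int = 80) -> Dict[str, Any]:
    """Orchestration -> Enrichment -> Response for an outbound-connection alert.
    Below the threshold the playbook does not act; it returns the enriched case
    for an analyst, which is where human intervention stays in the loop."""
    # Orchestration: pull the fields later steps need out of the (assumed) SIEM alert
    ip, host = alert["dst_ip"], alert["hostname"]
    # Enrichment: destination reputation plus context about the endpoint
    rep = conns["ti"].run("lookup", ip=ip)
    host_info = conns["edr"].run("get_host", hostname=host)
    case = {"alert_id": alert["id"], "dst_ip": ip, "hostname": host,
            "owner": host_info["owner"], "ti_score": rep["score"], "ti_tags": rep["tags"]}
    # Response: act automatically only on high-confidence indicators
    if rep["score"] >= isolate_threshold:
        result = conns["edr"].run("isolate", hostname=host)
        case["action"] = "isolated" if result["isolated"] else "isolate_failed"
    else:
        case["action"] = "escalated_to_analyst"
    return case


if __name__ == "__main__":
    # Constructed alert: a workstation beaconing to a known C2 address
    alert = {"id": "A-1", "dst_ip": "203.0.113.45", "hostname": "WS-0142"}
    print(outbound_c2_playbook(alert, make_connections()))
```

Two things are worth noticing. The response step is not unconditional: the same playbook produces an analyst escalation when the enrichment score is low, so the automation speeds up the easy decisions without removing the human from the hard ones. And the EDR Connection, not the playbook, decides whether `isolate` may run at all; a playbook handed a read-only connection fails with `PermissionError` before any change is made, which is the behaviour you want when a playbook is misconfigured or mis-scoped.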