Security Automation Approach: Scripting
Intelligent Security Orchestration and Automation hexadite.com
1. Let’s Automate.
Let’s create our first “playbook”, an easy one: we’ll get an alert about a file download, we’ll access the endpoint and we’ll remove the file. Easy.
2. Let’s Automate. (Get the alert)
1. The detection tool sends syslog to my system
2. A regex extracts:
• File Hash
• Endpoint IP
• File Name
That was easy!
[Diagram: Alerts → Syslog]
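The “regex extracts” step of slide 2, as an added example that is not code from the deck. The syslog message format (a key=value line from a hypothetical detection tool) and the sample line are constructed; the one check worth building in from the start is that the hash is validated as exactly 64 hex characters, so a truncated or garbled value can never be handed to the remediation step.

```powershell
# Added example (not from the Hexadite deck). Parses a constructed syslog line from a
# hypothetical detection tool into the three fields the playbook needs.
# The message format is an assumption; adapt the regex to your tool's actual output.

# Constructed sample: RFC 3164 style header followed by key=value pairs
$sample = '<134>Jan 12 10:41:07 edr01 edr: event=FileDownload host=10.20.30.41 sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 path="C:\Users\alice\Downloads\invoice (1).exe"'

function ConvertFrom-DownloadAlert {
    param([Parameter(Mandatory)][string]$Line)

    # Named captures. The hash must be exactly 64 hex characters and the path must be
    # quoted, so paths containing spaces (as in the sample) survive intact.
    $pattern = 'event=FileDownload\s+host=(?<ip>(?:\d{1,3}\.){3}\d{1,3})\s+sha256=(?<hash>[0-9A-Fa-f]{64})\s+path="(?<path>[^"]+)"'

    # Not our alert type, or a malformed line: return nothing rather than a half-filled record
    if (-not ($Line -match $pattern)) { return $null }

    [pscustomobject]@{
        EndpointIP = $Matches['ip']
        FileHash   = $Matches['hash'].ToUpperInvariant()
        FilePath   = $Matches['path']
        FileName   = [System.IO.Path]::GetFileName($Matches['path'])   # Windows path semantics
    }
}

$alert = ConvertFrom-DownloadAlert -Line $sample
$alert | Format-List
```

Anything that does not match the strict pattern is dropped, not partially parsed; a playbook that deletes files should act only on a record where every field validated.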
3. Let’s Automate. (Access the endpoint)
Now let’s access the endpoint.
• Remote WMI calls and a PowerShell script
• How do I verify that it works?
• Run it on a small subset, then run the script
• What user account should I use?
[Diagram: Alerts → Syslog → Automation Framework]
4. Let’s Automate. (Credentials and authentication)
• How do I store the credentials?
  • TODO: Figure out how to store credentials securely (should be easy)
• What about authentication?
  • TODO: Figure out authentication.
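The “should be easy” credential storage item of slide 4, as an added example that is not from the deck. It uses the DPAPI protection that Export-Clixml applies to a PSCredential and shows the property that trips people up: the file can only be decrypted by the same Windows account on the same machine, so it has to be written by the account the automation runs under. The account name and file location are assumptions.

```powershell
# Added example (not from the Hexadite deck). Stores the remediation account's credential
# with DPAPI via Export-Clixml and reads it back. Account name and path are assumptions.

$store = Join-Path $env:ProgramData 'SecAuto\remediation.cred.xml'

function Save-RemediationCredential {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null

    # Run this ONCE, interactively, logged on AS the service account the automation runs under.
    # The SecureString inside the file is encrypted with that account's DPAPI master key.
    Get-Credential -Message 'Remediation account (e.g. CORP\svc-remediate)' | Export-Clixml -Path $Path

    # DPAPI already binds the file to the account, but tighten the ACL anyway:
    # drop inherited rules, allow only the saving account and local Administrators.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in @("$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Administrators')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RemediationCredential {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Credential store $Path not found." }
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    } catch {
        # Typical cause: a different account or a different host is trying to read it.
        throw "Cannot decrypt $Path (DPAPI keys are per user and per machine): $($_.Exception.Message)"
    }
    if ($cred -isnot [pscredential]) { throw "$Path does not contain a PSCredential." }
    $cred
}

# Usage: Save-RemediationCredential -Path $store   (once, as the service account)
#        $cred = Get-RemediationCredential -Path $store
#        Invoke-Command -ComputerName ws-0142 -Credential $cred -ScriptBlock { hostname }
```

Two notes for the authentication TODO on the same slide: in a domain, Invoke-Command with a PSCredential uses Kerberos by default, so there is no reason to enable Basic or CredSSP on the endpoints; and a group managed service account (gMSA) removes the stored password entirely, which is the better answer when the automation host is domain-joined.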
5. Let’s Automate. (Testing)
• Let’s run the script on past alerts.
• It worked 63% of the time. Not bad.
  • Some PCs have PowerShell disabled
  • Others have an old PowerShell version
  • A few network problems, and a few I’m not sure about
6. Let’s Automate. (Testing #2)
• It worked 71% of the time. Not bad.
• Couldn’t connect to some PCs
  • Firewall issue?
  • Network issue?
  • WMI can’t run behind NAT (remote employees)
• Access denied (who knows….)
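The failure buckets of slides 5 and 6 (firewall, network, old PowerShell, access denied, “not sure”) are exactly what a pre-flight check should separate before the playbook touches an endpoint. The following is an added example, not code from the deck: it walks name resolution, the WinRM port, the WinRM service and authentication, and finally the remote PowerShell version, and returns the first stage that failed. The endpoint names are constructed.

```powershell
# Added example (not from the Hexadite deck). Classifies why an endpoint cannot be reached
# so each failed alert gets a reason code instead of "who knows". Host names are constructed.

function Test-EndpointReachability {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential,
        [switch]$UseSSL               # HTTPS listener on 5986 instead of HTTP on 5985
    )
    $port   = if ($UseSSL) { 5986 } else { 5985 }
    $result = [ordered]@{ Computer = $ComputerName; Stage = ''; Reason = '' }

    # 1. Name resolution. A remote laptop behind NAT usually dies here or at the port check.
    try { $null = [System.Net.Dns]::GetHostAddresses($ComputerName) }
    catch { $result.Stage = 'DNS'; $result.Reason = $_.Exception.Message; return [pscustomobject]$result }

    # 2. TCP reachability of the WinRM port (host firewall, GPO, or network path)
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $result.Stage  = 'Firewall/Network'
        $result.Reason = "TCP $port closed or filtered (ping succeeded: $($tcp.PingSucceeded))"
        return [pscustomobject]$result
    }

    # 3. WinRM service answering, and accepting our authentication
    try {
        $wsman = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
        if ($Credential) { $wsman.Credential = $Credential; $wsman.Authentication = 'Negotiate' }
        if ($UseSSL)     { $wsman.UseSSL = $true }
        $null = Test-WSMan @wsman
    } catch {
        $result.Stage  = if ($_.Exception.Message -match 'Access is denied|0x80070005') { 'AccessDenied' } else { 'WinRM' }
        $result.Reason = $_.Exception.Message
        return [pscustomobject]$result
    }

    # 4. Can we actually run code there, and is PowerShell new enough for the playbook?
    try {
        $icm = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
        if ($Credential) { $icm.Credential = $Credential }
        if ($UseSSL)     { $icm.UseSSL = $true }
        $ver = [version](Invoke-Command @icm -ScriptBlock { $PSVersionTable.PSVersion.ToString() })
        $result.Stage  = if ($ver.Major -lt 5) { 'OldPowerShell' } else { 'OK' }
        $result.Reason = "PowerShell $ver"
    } catch {
        $result.Stage = 'Remoting'; $result.Reason = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Run the check over the endpoints from past alerts (constructed names) and count the buckets
'ws-0142', 'ws-0187', 'lt-remote-07' |
    ForEach-Object { Test-EndpointReachability -ComputerName $_ } |
    Group-Object Stage | Select-Object Name, Count
```

Running this over the endpoint list from the old alerts turns the 63% / 71% figures into a table of causes, which is what decides whether the next fix is a firewall GPO, a PowerShell upgrade, or a different transport for machines that are never on the corporate network.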
7. Let’s Automate. (Production)
• Ignore the TODO list for now and run the script
• First alert worked! Yes!!
• Second one failed. Access denied. Need to fix that. (I have it on my TODO)
• Aha, I know why: a running process. Easy.
8. Let’s Automate.
• How can I find the right process?
• From the process image file, and from there the process ID
• A script that gets all processes and their image files
• Let’s connect it together……
9. Let’s Automate. (Production #2)
• It didn’t work.
• Grrrrrrrr.
• Another process had a file handle open, locking the file
• How can I find that with PowerShell?
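The remediation step of slides 7 to 9 (find the process behind the file, stop it, delete the file, and cope with the locked-file case), as an added example that is not code from the deck. Three things it adds that the slides skipped: it re-hashes the file before deleting, because the path from the alert may by now point at a different, benign file; it finds processes that were started from the file and processes that have it loaded as a module (a DLL case the image-path lookup of slide 8 misses); and it reports a plain file handle as a distinct “Locked” outcome instead of failing silently, since Get-Process cannot see handles. The endpoint name, credential file and indicators are assumptions.

```powershell
# Added example (not from the Hexadite deck). Remote remediation run via Invoke-Command:
# verify hash, stop processes that are or have loaded the file, remove it, classify failure.
# Endpoint name, credential store and indicators are assumptions.

$remediate = {
    param([string]$Path, [string]$ExpectedSha256)

    $out = [ordered]@{ Path = $Path; Outcome = ''; Detail = '' }
    if (-not (Test-Path -LiteralPath $Path)) { $out.Outcome = 'NotFound'; return [pscustomobject]$out }

    # Hash first: only delete the file the alert actually described (-ne is case-insensitive).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        $out.Outcome = 'HashMismatch'; $out.Detail = "on disk: $actual"; return [pscustomobject]$out
    }

    # Processes started from this file, or with it loaded as a module (DLL dropped by the download).
    # Protected/system processes refuse module enumeration; the try/catch skips them.
    $full = (Resolve-Path -LiteralPath $Path).Path
    $holders = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { ($_.Path -eq $full) -or [bool]($_.Modules | Where-Object FileName -eq $full) }
        catch { $false }
    }
    foreach ($p in $holders) {
        try   { Stop-Process -Id $p.Id -Force -ErrorAction Stop; $out.Detail += "stopped $($p.Name):$($p.Id); " }
        catch { $out.Detail += "could not stop $($p.Name):$($p.Id): $($_.Exception.Message); " }
    }

    # A plain open handle (not an image or module) is invisible to Get-Process; if the delete
    # still fails with an IOException, report it as Locked so the playbook can escalate
    # (Sysinternals handle.exe or Restart Manager) rather than pretend it succeeded.
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        $out.Outcome = 'Removed'
    } catch {
        $out.Outcome = if     ($_.Exception -is [System.UnauthorizedAccessException]) { 'AccessDenied' }
                       elseif ($_.Exception -is [System.IO.IOException])              { 'Locked' }
                       else                                                            { 'RemoveFailed' }
        $out.Detail += $_.Exception.Message
    }
    [pscustomobject]$out
}

# Orchestrator side. The credential was saved earlier with Export-Clixml by the account this
# runs under; endpoint and indicators come from the parsed alert (values constructed here).
$cred  = Import-Clixml -Path (Join-Path $env:ProgramData 'SecAuto\remediation.cred.xml')
$alert = @{
    EndpointIP = 'ws-0142.corp.example'
    FilePath   = 'C:\Users\alice\Downloads\invoice (1).exe'
    FileHash   = '9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08'
}

Invoke-Command -ComputerName $alert.EndpointIP -Credential $cred -ScriptBlock $remediate `
               -ArgumentList $alert.FilePath, $alert.FileHash -ErrorAction Stop
```

The outcome field is the part to keep: every run ends in one of NotFound, HashMismatch, Removed, Locked, AccessDenied or RemoveFailed, which is what turns “a few I’m not sure about” into something a to-do list can act on. Stopping whatever has the file loaded is a policy decision, not a technical one; if the module is loaded into explorer.exe or a line-of-business application, a quarantine (move plus ACL change) may be preferable to a kill.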
10. Back to that to-do list…
What                                                                                       Time
Figure out how to store credentials securely                                               4 days
Figure out authentication                                                                  2 days
Research how to “fight” processes holding file handles                                     ?
How can I exclude my work (scripts) from the security tools we have in our organization?   ?
Figure out access issues (permission denied…)                                              ?
Firewall issues: GPO policy?                                                               2 days
WMI: can I use WinRM? How do I secure it? (What about Linux and Mac?)                      ?
Documentation (I need to document the code)                                                Grrrrrrrr
QA and testing
What have I missed?