Custom Automation Services
Overview
Security automation uses technology to perform recurring tasks that have traditionally been carried out by SOC personnel. These recurring tasks include detection handling, incident triage and enrichment, reporting, and trending, all of which can be very time consuming. Automation can provide immediate benefits to organizations: increased SOC efficacy, fewer analytical errors, greater accuracy in security cases, and faster responses.
Benefits of Security Automation
- Reduced Costs — Although there are initial costs associated with the implementation and deployment of automation, reductions in operating expenses should be expected.
- Reduced Mean Times — Several of the mean times typically used to measure SOC performance can be improved by introducing automation. Mean Time to Notify (MTTN), Mean Time to Acknowledge (MTTA), and Mean Time to Respond (MTTR) can all be reduced with standard Secureworks® Taegis™ XDR automations.
- SOC Process Optimization — Introducing automation allows SOC processes to be redesigned, potentially uncovering faster and more efficient methods of security monitoring, while the reduction in manual tasks lets SOC personnel focus on more important work.
- Consistent Outcomes — Automation ensures that standardized outcomes with uniform responses are continuously maintained, reducing the possibility of error.
- Reduced Dashboard Usage — Many organizations use multiple technology dashboards to monitor their environment. Not only does XDR allow for the information to be centrally displayed, it also allows for responses to those technologies to be centralized, reducing time spent navigating between different platforms.
XDR Automation Components
XDR has an ever-growing automation template library that allows for interaction with scores of well-known cloud services and IT technologies. Each template performs one or more actions against a single technology to produce a specific outcome, and together they allow several parts of a SOC process to be automated.
XDR has two main components for automation creation:
- Connection — How XDR communicates with the external tool or service, which functions the communication will be allowed to execute, and how XDR needs to authenticate.
Note
XDR is able to connect to any data source that presents a REST API.
- Playbook — A playbook is a list of actions to be taken in a particular order using one or more connections. A playbook also includes:
- Trigger — The cause of the playbook execution, which can be either Manual, triggered by a user, or Platform, triggered by an occurrence within XDR.
- Inputs — These can be fixed or variable but are required for the playbook to execute correctly. Examples of inputs are detection title, username, email, and IP address.
It is possible to create automations that use multiple connections and playbooks, which can replace multiple stages of an existing manual process.
There may be times, though, when these playbooks do not meet the process or response outcome that is required. In these cases, XDR also lets users edit existing templates and create brand new connections and playbooks.
Note
Professional Services can design, create, and deploy connections and playbooks.
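To make the connection, playbook, trigger and input concepts above concrete, here is an added illustration in Python. It is not Taegis XDR's playbook format, API or engine; every name in it (`Connection`, `Playbook`, `Action`, the `users/lookup` and `tickets/create` endpoints, the bearer token, the directory record for `jdoe`) is an assumption or constructed sample data. The two things worth noticing are the security checks a practitioner would expect from any such engine: a connection only permits the functions it was granted (an allow-list, so a playbook cannot escalate from "create ticket" to "delete ticket"), and a playbook refuses to start when its trigger type or a required input is missing. The transport is an in-memory stand-in for two REST services so the block runs offline.

```python
"""Added illustration of the connection / playbook / trigger / inputs model.
NOT Taegis XDR's playbook format or API; all names and data are assumptions."""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Callable, Optional

EXAMPLE_TOKEN = "example-token"  # assumption: a bearer token; a real connection keeps this in a secret store


class PlaybookError(Exception):
    """Raised when a playbook cannot run safely (bad trigger, missing input, disallowed call)."""


@dataclass(frozen=True)
class Connection:
    """How one external tool is reached: base URL, the functions this connection may
    invoke (an allow-list), and the credential used to authenticate. `transport` is
    injected so the example can run against a constructed stand-in service."""
    name: str
    base_url: str
    allowed_functions: frozenset
    api_token: str
    transport: Callable[[str, str, dict, dict], dict]

    def call(self, function: str, payload: dict) -> dict:
        if function not in self.allowed_functions:
            raise PlaybookError(f"{self.name}: {function!r} is not permitted by this connection")
        headers = {"Authorization": f"Bearer {self.api_token}"}
        return self.transport("POST", f"{self.base_url}/{function}", headers, payload)


@dataclass(frozen=True)
class Action:
    connection: Connection
    function: str
    build_payload: Callable[[dict], dict]  # turns the running context into a request body
    save_as: Optional[str] = None          # context key under which the response is stored


@dataclass(frozen=True)
class Playbook:
    name: str
    trigger: str                # "manual" (a user) or "platform" (an event inside the platform)
    required_inputs: frozenset  # inputs without which the playbook must not start
    actions: tuple              # executed in order; later actions may use earlier results

    def run(self, trigger: str, inputs: dict) -> dict:
        if trigger != self.trigger:
            raise PlaybookError(f"{self.name}: expects trigger {self.trigger!r}, got {trigger!r}")
        missing = self.required_inputs - set(inputs)
        if missing:
            raise PlaybookError(f"{self.name}: missing inputs {sorted(missing)}")
        context = dict(inputs)
        for action in self.actions:
            result = action.connection.call(action.function, action.build_payload(context))
            if action.save_as:
                context[action.save_as] = result
        return context


def make_services(token: str):
    """Constructed in-memory stand-in for two REST services (a user directory and an
    ITSM tool). It checks the bearer token like a real API would, then routes by path."""
    directory = {"jdoe": {"department": "Finance", "manager": "asmith"}}  # constructed data
    tickets: list = []

    def transport(method: str, url: str, headers: dict, payload: dict) -> dict:
        presented = headers.get("Authorization", "")
        if not hmac.compare_digest(presented, f"Bearer {token}"):
            raise PlaybookError(f"401 from {url}")
        if url.endswith("/users/lookup"):
            return dict(directory.get(payload["username"], {}))
        if url.endswith("/tickets/create"):
            tickets.append(payload)
            return {"ticket_id": len(tickets)}
        raise PlaybookError(f"404 for {url}")

    return transport, tickets


def build_playbook(transport) -> Playbook:
    """An enrichment step (user lookup) followed by a notification step (ITSM ticket)."""
    directory = Connection("directory", "https://directory.example",
                           frozenset({"users/lookup"}), EXAMPLE_TOKEN, transport)
    # The ITSM connection is granted ticket creation only; it cannot close or delete tickets.
    itsm = Connection("itsm", "https://itsm.example",
                      frozenset({"tickets/create"}), EXAMPLE_TOKEN, transport)
    return Playbook(
        name="enrich-user-and-notify",
        trigger="platform",
        required_inputs=frozenset({"detection_title", "username"}),
        actions=(
            Action(directory, "users/lookup",
                   lambda ctx: {"username": ctx["username"]}, save_as="user_info"),
            Action(itsm, "tickets/create", lambda ctx: {
                "title": ctx["detection_title"],
                "description": f"user {ctx['username']} in "
                               f"{ctx['user_info'].get('department', 'unknown')}",
            }, save_as="ticket"),
        ),
    )


def run_example() -> dict:
    """Platform-triggered run on constructed detection inputs; returns the final context."""
    transport, _tickets = make_services(EXAMPLE_TOKEN)
    return build_playbook(transport).run(
        "platform", {"detection_title": "Suspicious logon", "username": "jdoe"})


if __name__ == "__main__":
    print(run_example())
```

The allow-list lives on the connection rather than on the playbook because that is where the credential lives: whoever can edit a playbook should not be able to widen what the stored credential is used for.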
XDR Playbooks
XDR automations can be categorized as follows:
Notification Playbooks
These playbook instances are designed to inform personnel of new detections or cases and typically use connections with ITSM and other business tools. These instances are designed to ensure that data from XDR can get to relevant personnel quickly and efficiently and reduce delays in reacting to business-impacting threats.
Examples of notification playbooks in XDR include:
- IT Service Management (ITSM) integrations
- Email notifications for new detections and cases
- Webhooks into collaboration software like MS Teams
Enrichment Playbooks
These playbook instances add additional information into XDR cases. These instances are designed to expedite the gathering of information and to reduce the time taken for security analysts to triage cases and make decisions on their outcomes. Enrichment playbooks can interrogate data held within XDR as well as connect to third-party tools to query for data.
Examples of enrichment playbooks in XDR include:
- Look up user information
- Look up email information
- Network and endpoint asset identification
Response Playbooks
Response playbook instances allow XDR to automate reactions to detections or other key indicators, reducing the Mean Time to Respond metric. XDR currently supports multiple response types in EDR, cloud, and network environments, allowing your security operations teams to take the most appropriate action based upon their case findings. Response playbooks are also used by the Secureworks® Taegis™ MDR SOC in the Proactive Response capability as part of the Taegis MDR service. For more information on Proactive Response, see Proactive Response.
Examples of response playbooks in XDR include:
- Isolate hosts using EDR
- Block IP addresses and URLs
- Disable users and reset passwords
Templates for the playbook examples listed above already exist in XDR linked to multiple vendors, allowing for immediate deployment. These can be deployed as designed or customized to suit your needs, and this is where our Professional Services team can help.
XDR Automation & Professional Services
Our highly skilled Professional Services team can assist with the design and build of XDR connections and playbooks so that your SOC team can focus on the tasks that matter. Their extensive experience in security operations and with XDR ensures that your detection and case handling will be as efficient as possible, and that you can be confident in the expected outcomes.
Professional Services engagements can vary from deploying standard playbooks and enabling Proactive Response, to creating custom automations and training on how to design, create, and test automations.
Scoping
We understand that security automation requirements differ based on various factors relating to either people, process, or technology. These factors ultimately influence the design and creation of the automated solution. To ensure that we provide the correct outcomes, we treat each project as a custom engagement. The first stage in each of these projects will be a scoping session where we seek to understand:
- Desired outcomes
- Existing SOC processes
- Participating business tools
- What inputs are required for the playbook
Once we understand the initial automation requirements, we will be able to provide an estimate of effort to create your solution.
Scheduling and Booking Information
To find out more or to book an XDR Automation engagement, contact your Account Manager or Customer Success Manager.