![How to Accelerate Your SOAR Program to Full Speed in Less Than a Year](https://blog.rapid7.com/content/images/2022/09/accelerate-soar-program.jpg)
Every new technology comes with a learning curve specific to your organization. First you learn the basics, then you accelerate. Rapid7's offerings are no different.
As a Senior Information Security Engineer at [Brooks](), I have firsthand experience with this process. I oversaw the implementation of Rapid7's security orchestration, automation, and response (SOAR) product, [InsightConnect](), within my organization. We went from zero to 20+ workflows in just one year. Here are some reflections and advice about setting up a SOAR program, through the lens of my story about that successful and innovative year.
## Workflow 1: Let Rapid7 hold your hand
In a previous blog regarding our initial deployment of InsightConnect, I shared key advice [about how to set up a SOAR tool and get the program started.]() Looking back on that successful process, I believe that you should start with a goal that's manageable and delivers immediate value, to help prove and cement the value of the initiative. For example, a [phishing]()-related workflow is a great place to start. But there are other options as well, depending on your organization's needs. Consider the following questions:
* What pain point within your organization presents an immediate need?
* What processes do you already want or need to try to automate?
Consider your team's key technologies as well, but as you think through these questions, approach the solution in a technology-agnostic way. Instead, focus on the process, which can usually be applied to multiple technologies, and the corresponding desired outcome.
After that, you'll want to work with your security analysts (assuming you're not the security analyst!) to determine their pain points as well. What are the most common alerts they get? Where do they spend the most time? Or my favorite question to ask, "What requires the most browser tabs?" Your immediate focus should be how to make their job easier and more efficient.
From there, lean heavily on Rapid7's product resources and services, and especially existing workflows that you can find in the Rapid7 [Extensions Library](); this will cut your work in half.
## Workflows 2 to 5: Integrate with Slack and Teams
Once you've gone live with your first workflow, continue to look to the Rapid7 Extensions Library for workflows you can download and adapt to your needs. Some of the best examples of that use Slack or Microsoft Teams as the primary interface; you can find them easily by searching for [workflows by category.]() And when you find an appropriate workflow, don't get caught up on the specific technologies in the workflow. Again, focus on the process that you're automating; after all, blocking an IP on one firewall is essentially the same as blocking an IP on another firewall, as it's just a matter of swapping the integration plugin.
A major reason I advise starting with Slack and Teams-related workflows is that they're the most numerous in the library and are valuable to most organizations. But this is the point where buy-in from key stakeholders across your organization becomes essential. Work with whoever runs your Teams or enterprise Slack account to input the appropriate API keys; they're an extended part of your security automation team.
From there, look into workflows for **incident response** and **enrichment**, again in the extensions [library](). Searching VirusTotal, forcing a password reset, or revoking Office 365 access can be very useful areas of automation, since you likely conduct those processes a lot. They can take a lot of time because they often rely on other teams when integrations and automations aren't already in place. Since time is of the essence in a phishing-related compromise, they're super impactful.
One reason response and enrichment workflows are so useful for Workflows 2 to 5 is that they help you understand that SOAR is not just about full automation. In fact, it's about supporting human decision-making. So many security decisions require human insight and experience to make the right call. What SOAR can do is automatically collect the necessary context, tee up the decision to the security analyst, and then broadly automate the execution of those decisions.
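To make the two points above concrete (focus on the process rather than the plugin, and tee up the decision to a human), here is an added Python sketch of a block-IP workflow. It is illustrative code written for this page, not InsightConnect or Brooks code; the plugin classes, the threat-intel table, and the score threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Protocol

# Constructed threat-intel table standing in for an enrichment lookup such as VirusTotal.
# IPs are from documentation ranges; scores are made up (0 = benign, 10 = malicious).
THREAT_INTEL = {"198.51.100.7": 9, "203.0.113.5": 2}
REVIEW_THRESHOLD = 5  # assumed: below this, no analyst time is spent


class Firewall(Protocol):
    """The process only needs a block_ip step; the vendor plugin behind it is swappable."""
    def block_ip(self, ip: str) -> bool: ...


class VendorAFirewall:  # hypothetical plugin A
    def __init__(self) -> None:
        self.blocked = set()

    def block_ip(self, ip: str) -> bool:
        self.blocked.add(ip)
        return True


class VendorBFirewall:  # hypothetical plugin B with a different rule model
    def __init__(self) -> None:
        self.rules = []

    def block_ip(self, ip: str) -> bool:
        self.rules.append({"action": "deny", "src": ip})
        return True


@dataclass
class Alert:
    source_ip: str
    description: str


def enrich(alert: Alert) -> dict:
    """Step 1: collect context automatically, with no human involved."""
    return {"ip": alert.source_ip, "score": THREAT_INTEL.get(alert.source_ip, 0),
            "summary": alert.description}


def block_ip_workflow(alert: Alert, firewall: Firewall,
                      analyst_decides: Callable[[dict], bool]) -> str:
    """Enrich, tee up the decision to an analyst, then execute the chosen action."""
    context = enrich(alert)
    if context["score"] < REVIEW_THRESHOLD:
        return "closed: low score"
    if not analyst_decides(context):  # Step 2: human-in-the-loop decision (e.g. a Teams card)
        return "declined by analyst"
    firewall.block_ip(context["ip"])  # Step 3: automated execution via whichever plugin is wired in
    return f"blocked {context['ip']}"
```

Swapping `VendorAFirewall` for `VendorBFirewall` changes nothing in the workflow itself, which is the point about process over technology.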
## Workflows 6 to 10: Home in on your analysts' pain points
At this point, it's going to become easier for you and your team to build and implement your own, more heavily customized workflows. You'll understand things like decision trees, loops, and markdown cards, essential tools to take your security automation workflows to the next level. You'll then be prepared to start customizing more workflows specifically catered to the needs of your organization and your analysts. Start here:
1. Find out what your analysts' top 5 alerts are. They'll likely be something along the lines of DNS, EDR, firewall, or email-related alerts.
2. Return to the Rapid7 workflow library to find existing workflows you can adopt and customize to address those alert categories.
Expect to commit a couple of hours here and there over a couple of weeks to perfect each workflow to fit your organization. This may sound like a lot, but I promise the lift isn't too hard. The Rapid7 extensions library and tool do **a lot** of lifting for you!
## Workflows 10 to 20: Take your workflows to the next level
Once you've implemented roughly 10 workflows, you're ready to start homing in on specific pain points that likely require a bit more customization, for example, ad-hoc actions for investigations like revoking active Office 365 sessions, searching for and deleting specific emails, or automatically blocking likely malicious URLs based on [threat intelligence]() feeds you're subscribed to.
The more you create, the more comfortable you'll be creating workflows from scratch. In my experience, by the time you get to 20 workflows, you should expect that you or a team member could get a typical workflow designed and shipped in 1 to 2 weeks, assuming they spend 4 to 8 hours a week on it. Check out two of my team's prized custom workflows:
* [OSINT Enrichment with Microsoft Teams]()
* [Active Directory Lookup using Teams]()
However, that's not to say that you can't still make existing workflows your own. It's to your benefit to keep up with the latest developments in [Rapid7's marketplace](). I check the marketplace every few weeks and subscribe to the newsletter for new workflows or plugins. I've also learned to use the plugin API to make custom API calls for plugins Rapid7 doesn't yet have!
In my next blog, I'll take a deeper dive into the why and how of high-value security automation workflows. I'll also give you some insights into the benefits we've seen at Brooks thanks to our SOAR program.
_**Additional reading:**_
* _[Grey Time: The Hidden Cost of Incident Response]()_
* _[Cybersecurity Analysts: Job Stress Is Bad, but Boredom Is Kryptonite]()_
* _[5 SOAR Myths Debunked]()_
* _[Deploying a SOAR Tool Doesn't Have to Be Hard: I've Done It Twice]()_