ChatOps for Security Operations



Synopsis

Bots are tiny helpers that can be part of any application and are well suited to large-scale, repetitive and real-time tasks. They let highly qualified security teams focus on more productive work such as building, architecting and deploying rather than being occupied with menial tasks. Additionally, they act as sharing and learning tools for everyone in the organization and provide context for all conversations and collaboration.

Benefits of ChatOps for Security

ChatOps (this article uses bots and ChatOps interchangeably) was culturally an invention of DevOps teams. However, the benefits and motivations for using it apply very well to security operations. Security operations require more collaboration and quick, sometimes synchronous, action, and ChatOps is a perfect way to manage minute-by-minute alerts and take informed collaborative decisions. Some of the crucial benefits of integrating security with ChatOps are:

Social Collaboration:

Everyone who is supposed to know receives the message in near real time, without needing someone to figure out whom to e-mail. Chat provides faster communication than e-mail. This is especially useful in large, remote and distributed teams with high churn rates. Anyone who is a member of the chat room can watch the chats and commands to learn and pick up the context very fast.

Say an administrator notices suspicious logins from a foreign country. He can simply pull the logs into the chat and ask the members to check; the member who is travelling can immediately confirm that he is on travel, and the issue is resolved in near real time. This level of collaboration is impossible to achieve in any other form of collaboration.

The complete history of “what happened” is available for anyone to see, analyze and take further action.

Always On, Fast Response:

Security issues need to be addressed in real time and are often very synchronous. Chat channels come closest to achieving this. ChatOps can also be designed to send notifications to a specific person without that person needing to be logged into the chat.

ChatOps commands also speed up operations by eliminating the need to log in over VPN, gather information from multiple sources, collaborate and then run commands. The commands can be executed by people on the move with access only to their phones.

Information Synchronization and Dissemination:

Documentation is one of the most despised activities in organizations, and a constantly changing environment means a constant need for updates, which is often neglected. This leads to work getting stuck, as lack of information becomes the bottleneck. ChatOps helps immensely, as most transcripts are available and one can trace back the changes.

Added Security:

ChatOps provides added security, as anyone can view all commands in a chat room, so any malicious act can be caught quickly and challenged by others.


Implementing and Integrating Bots

Bots are broadly of three types: reply bots, notification bots and slash-command bots.

All these bots can be built on many popular enterprise collaboration channels such as Slack and HipChat. While it is possible to integrate many security products by writing scripts, there is huge value when the products come pre-integrated with Slack, for instance.

A good example of a security product pre-integrated with Slack, and the ease of use this brings, is demonstrated in the following screenshots using the Komand security orchestration product’s Slack integration to develop chatbot operations quickly.

Picture 1: Good instance of Notification Bot

Picture 2: Reply Bot or Command Bot

Picture 3: Reply Bot or Command Bot

Integrating ChatOps

There are many products and services in security operations which do not have pre-bundled integrations with Slack or any other chat channel. In such cases one needs to create specialized or custom slash (/) commands and integrate them with backend systems. The process is fairly simple.

Picture 3: Architecture of a ChatOps

  • Configure ChatOps with custom commands and link each one to the script that should run.
  • The script takes the command and converts it to the system command to be executed on the target system (any server); there are many pre-existing scripts which can be customized.
  • Read the output and post it into the chat channel as a message.

Precautions and Access Control

While there is implicit security in having many people watch the channel, it is always good to ease into it by starting with notification and reply bots first and moving to full command mode later. For full command mode it is always better to integrate with known identity and two-factor authentication solutions.
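The three integration steps above and the access-control advice in this section, worked through as an added example (not code from the original article, nor from Komand or Slack). It is a minimal slash-command backend in Python: it verifies the request came from Slack, maps the chat text onto an allowlisted system command, restricts privileged verbs to an allowlisted set of users, runs the command without a shell, and posts the output back in-channel. The hypothetical `/secops` command, the signing secret, the user IDs and the verb allowlist are all constructed for this example; the request-signature scheme (HMAC-SHA256 over `v0:<timestamp>:<body>`, compared against the `X-Slack-Signature` header) is the one Slack documents for slash commands.

```python
import hashlib
import hmac
import re
import subprocess
import time
from urllib.parse import parse_qs

# Constructed values for this example. A real bot reads the signing secret from
# a secrets store and the user allowlist from configuration.
SIGNING_SECRET = b"constructed-signing-secret"
PRIVILEGED_USERS = {"U0CONSTRUCTED01"}   # Slack user IDs allowed to run privileged verbs
REPLAY_WINDOW_SECONDS = 300              # reject requests whose timestamp is older than this

# Hypothetical allowlist: each chat verb maps to a fixed argv. User text never
# reaches a shell; the one free-form argument (a hostname) is validated first.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")
COMMANDS = {
    "disk":   {"argv": ["df", "-h", "/"],    "takes_host": False, "privileged": False},
    "logins": {"argv": ["last", "-n", "10"], "takes_host": False, "privileged": True},
    "ping":   {"argv": ["ping", "-c", "3"],  "takes_host": True,  "privileged": True},
}


def sign_request(raw_body, timestamp):
    """Slack's v0 request signature: HMAC-SHA256 over 'v0:<timestamp>:<body>'."""
    base = f"v0:{timestamp}:{raw_body}".encode()
    return "v0=" + hmac.new(SIGNING_SECRET, base, hashlib.sha256).hexdigest()


def verify_signature(headers, raw_body, now=None):
    """Reject requests that are unsigned, forged or outside the replay window."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    now = time.time() if now is None else now
    if not ts.isdigit() or abs(now - int(ts)) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign_request(raw_body, int(ts))
    return hmac.compare_digest(expected, headers.get("X-Slack-Signature", ""))


def build_command(text):
    """Map the slash-command text to (verb, argv); raise ValueError on anything else."""
    parts = text.split()
    if not parts or parts[0] not in COMMANDS:
        raise ValueError("unknown command; try: " + ", ".join(sorted(COMMANDS)))
    verb, spec = parts[0], COMMANDS[parts[0]]
    if spec["takes_host"]:
        if len(parts) != 2 or not HOSTNAME_RE.match(parts[1]):
            raise ValueError(f"{verb} expects exactly one valid hostname")
        return verb, spec["argv"] + [parts[1]]
    if len(parts) != 1:
        raise ValueError(f"{verb} takes no arguments")
    return verb, list(spec["argv"])


def run_argv(argv):
    """Default runner: execute argv on this host without a shell and return its output."""
    result = subprocess.run(argv, capture_output=True, text=True, timeout=30, check=False)
    return (result.stdout + result.stderr).strip()


def handle_slash_command(headers, raw_body, now=None, runner=run_argv):
    """One slash-command request: verify -> authorize -> map -> execute -> reply."""
    if not verify_signature(headers, raw_body, now):
        return {"response_type": "ephemeral", "text": "request signature check failed"}
    form = {k: v[0] for k, v in parse_qs(raw_body).items()}
    user, text = form.get("user_id", ""), form.get("text", "")
    try:
        verb, argv = build_command(text)
    except ValueError as exc:
        return {"response_type": "ephemeral", "text": str(exc)}
    if COMMANDS[verb]["privileged"] and user not in PRIVILEGED_USERS:
        return {"response_type": "ephemeral", "text": f"<@{user}> is not authorized to run {verb}"}
    output = runner(argv)
    # Reply in_channel so everyone in the room sees who ran what and what came back.
    return {"response_type": "in_channel", "text": f"<@{user}> ran `{text}`:\n{output}"}


if __name__ == "__main__":
    # Locally signed request, standing in for what Slack would POST to the endpoint.
    body = "command=%2Fsecops&user_id=U0CONSTRUCTED01&text=disk"
    ts = int(time.time())
    headers = {"X-Slack-Request-Timestamp": str(ts), "X-Slack-Signature": sign_request(body, ts)}
    print(handle_slash_command(headers, body))
```

In deployment `handle_slash_command` sits behind an HTTPS endpoint that Slack can reach; the bot is deliberately dumb about who a user is and only checks the Slack user ID against its allowlist, leaving identity and two-factor enforcement to the identity provider that fronts the workspace, as the text above recommends. Starting the allowlist with read-only verbs such as `disk` and adding privileged ones later is the "ease into it" path described in this section.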
