Automation has grown over the last decade to enhance security protocol, reduce remediation timeframe, and speed up time for breach detections. When it comes to any possibility of a breech, time is absolutely critical. A few seconds to a few minutes can be the difference between having information be compromised or not. How do we stay ahead of all the information within the industry? At Softrams, we built a platform code called Eagle that helps manage software supply chain and enable continuous compliance and security monitoring relying on the open-source tool eco-system. Let’s focus on one of the many components aiding in information automation.
For those of us in the security world, we know external threats are always present, evolving, and becoming increasingly sophisticated. It seems there is a new major threat emerging every week that could potentially affect multiple systems in use. Most of us, including the Security Team at Softrams, rely on the US-CERT bulletins published weekly to help determine the threat landscape. We depend upon supply chain for vendor-supplied updates to products, as do all businesses across the globe.
One of the biggest constraints of parsing through the US-CERT bulletin was how time consuming and tedious it was. We had to go through the bulletin, create relevant tickets for software in the ecosystem, and then address those tickets to patch the affected systems. We set out to automate a portion of this process to improve our efficiency. This post will provide a brief overview of that automation. Also, we should note the time saved by introducing automation in the workflow can lead to further improvements in the overall framework.
First, we had to decide on a language to use to code the application. Since Softrams aims to be agile, nimble, and serverless; we hypothesized Python to be a powerful choice to use within AWS Lambda. Next, we set out to parse the US-CERT bulletin. The bulletins are released every Monday and are of the same formatted URL: /sbYY-DDD (where YY is the current two-digit year and DDD is the present day of the year). Obtaining the data and placing it into a data frame was the logical choice, and then parsing through each data frame based on the high, medium, and low vulnerabilities.
The Code and Ticket Creation
Next, we know what software is in our environment. An array of the relevant software was created and used to query against the data frame. Since Softrams teams follow the agile process of ticket creation; an Epic must be made first, followed by a story, followed by any subtasks. The ideal data within the Epic would be a link to the US-CERT Bulletin. The exemplary data within a story would be the first instance of the software used, followed by subtasks under that story to prevent the ticket board from becoming cluttered. Each ticket contained the summary of the issue, a link to the CVE, and the priority and due date (based on the score of the CVE and our internal process for resolving issues).
Once the program was launched in AWS Lambda by engineers, a trigger was setup to run every Monday evening to obtain the latest US-CERT bulletin and automatically create the tickets. The automation of US-CERT ticket creation has cut down our time to remediate issues by approximately 30%.
In today’s age where time is money, the automation of US-CERT ticket has led to significant timesaving for our team. It also eliminates any possibility of human error and shows how automation of a previously manual task can improve efficiencies. It allows us to be truly agile and quickly respond to any threats that are detected which leads to a safer and more protected environment for all.