Virtually each week we add one other workflow to our automation library. Our platform and copilot are serving to folks automate in any other case tedious duties in safety operations. Integrations between platforms historically concerned safety engineers writing customized code utilizing software programming interfaces (APIs).
For instance, in case you needed to scan all of your S3 buckets for public entry, on the lookout for READ and WRITE permissions, and ship a notification to an incident response Slack channel, you would want Python or Bash code with many API calls.
Nonetheless, with safety automation platforms like Blink Ops, this has drastically modified. You may combine automation into your atmosphere by writing a easy immediate, and the copilot will construct the workflow it thinks you want. It is then a matter of getting into a couple of parameters and including authentication credentials. This will save folks in safety operations tons of of hours a 12 months.
Listed beneath are 5 incident response/safety operations workflows you’ll be able to automate with Blink Ops. These examples provide you with an thought of how Blink Ops automations can velocity up your work.
1. Monitoring for Subdomain Takeover with AWS and Wiz
Subdomain takeover happens when a DNS entry factors to a nonexistent or inactive useful resource, permitting attackers to hijack the area. Attempting to forestall this manually includes frequent checks to make sure all DNS configurations are right.
This course of is totally automated utilizing Blink Ops. At the side of AWS Route 53, Blink Ops scans for orphaned/dangling CNAME information pointing to assets that not exist utilizing Wiz. Upon detection of points, Blink Ops sends a direct alert to a chosen Slack channel describing the misconfigured DNS entry.
Wiz then quarantines the file or takes remediation steps. When no points are discovered, a notification is shipped that every part is safe. This automation simplifies detection and mitigation of subdomain takeover dangers.
Bullet-Level Steps:
1. For DNS configurations, Blink Ops connects to AWS Route 53.
2. Wiz checks DNS entries for dangling orphaned CNAME information.
3. When a susceptible file is discovered, Blink Ops sends an alert to Slack.
4. Wiz both quarantines the file or applies the repair.
5. If no issues are discovered, a affirmation e mail is shipped confirming this.
2. Monitoring for Uncovered S3 Buckets with Slack Alerts
Uncovered S3 buckets are a big safety threat for any group, and monitoring them manually each day could be tedious. You could possibly handle this by enabling each day automated scans of S3 buckets with public READ permissions.
This workflow integrates with AWS S3, and Blink Ops can scan every bucket marked for public entry. Detecting a bucket with public READ entry triggers a Slack alert from Blink Ops, giving the safety workforce details about the bucket — together with its title and permissions.
A follow-up motion by Blink Ops may take away the general public permission for the bucket. This workflow identifies uncovered buckets rapidly and appropriately in order that delicate knowledge shouldn’t be uncovered to unauthorized customers.
Bullet-Level Steps:
1. Day by day, Blink Ops checks AWS S3 buckets for public learn permissions.
2. Any bucket discovered with public READ entry triggers a Slack alert.
3. Blink Ops can optionally revoke READ permissions (observe – not included above).
4. The bucket is secured, and the safety workforce is notified.
3. Responding to Failed EC2 Logins and Privilege Escalation
Failed login makes an attempt and unauthorized privilege escalation detection and response on EC2 situations are important to safety. Blink Ops can automate this in order that threats are detected in real-time and responded to.
You may monitor EC2 situations to disclose repeated failed SSH or RDP login makes an attempt—5 or extra failed makes an attempt in a 15-minute window—by way of Slack. It’s also possible to observe privilege escalation by monitoring IAM function modifications, like when an EC2 occasion is granted extra privileges like AdminAccess.
When this occurs, Blink Ops takes a snapshot of the affected EC2 occasion for forensic evaluation and sends an alert to the safety workforce describing what occurred. This automation relieves safety groups of guide log monitoring throughout login failures or privilege abuse.
Bullet-Level Steps:
1. Failed SSH and RDP login makes an attempt on EC2 situations are tracked by Blink Ops.
2. If > 5 failed logins happen inside quarter-hour, Blink Ops points a Slack alert.
3. IAM function modifications comparable to privilege escalation are additionally tracked by Blink Ops.
4. When privilege escalation happens, Blink Ops takes a snapshot.
5. Safety groups obtain alerts with all related particulars in regards to the occasion.
4. Vulnerability Detection and Alerting with AWS Inspector
Vulnerability administration is crucial for retaining cloud environments safe. Blink Ops simplifies the method by integrating with AWS Inspector to robotically scan EC2 situations and containers for important vulnerabilities.
As a part of Blink Ops, AWS Inspector can verify for high-severity vulnerabilities comparable to CVSS scores larger than 7. As soon as a important vulnerability is detected, Blink Ops notifies the designated Slack channel of the susceptible occasion/container. The alert additionally hyperlinks to a remediation information or playbook for guide intervention.
For vulnerabilities that can’t be robotically patched, Blink Ops logs the small print and permits for guide remediation by a safety engineer. As soon as the remediation is full, Wiz verifies that the vulnerability has been mounted, making certain that the cloud atmosphere is safe.
Bullet-Level Steps:
1. AWS Inspector scans EC2 situations and containers for vulnerabilities.
2. Upon discovery of a vulnerability (CVSS >7), Blink Ops sends an alert to Slack.
3. Wiz confirms that the vulnerability was mounted after guide remediation.
4. Safety groups are notified of the repair and verification course of completion.
5. Automating S3 Encryption Enforcement with AWS and Wiz
Securing delicate knowledge in S3 buckets is greatest observe. That is solved by automating S3 bucket monitoring for encryption compliance with Blink Ops.
Monitoring of sensitive-data tagged S3 buckets by way of Blink Ops is built-in with AWS Config. It verifies that such buckets are encrypted with AES-256. Upon detection of an unencrypted bucket, Blink Ops applies AES-256 encryption utilizing AWS’s PutBucketEncryption API.
After encryption has been utilized, Blink Ops sends a Slack affirmation of the replace, and Wiz is triggered to confirm that encryption was utilized. Such an automatic workflow protects all delicate knowledge with none human intervention and permits safety groups to implement encryption insurance policies throughout the cloud atmosphere.
Bullet-Level Steps:
1. AWS Config tracks sensitive-data tagged S3 buckets monitored by Blink Ops.
2. If unencrypted, Blink Ops triggers AWS to use encryption.
3. When encryption is utilized, Slack notification is shipped.
4. Wiz confirms the encryption has been utilized accurately.
5. Safety groups now know the bucket is secured.
Take Your Subsequent Steps With Blink Ops
The use instances above are simply a few of the many prospects that Blink Ops can automate for you. Blink Ops can be utilized with platforms like AWS and Wiz to automate processes that used to require customized code and guide labor. This implies safety groups can save hours, reply quicker to threats, and scale back human error threat.
Automate time-consuming duties so your workforce can concentrate on higher-value safety initiatives—utilizing Blink Ops. Whether or not it is advisable monitor for subdomain takeover, detect failed EC2 logins, or automate vulnerability scans, Blink Ops allows you to optimize and scale your safety operations.
Get began with Blink Ops immediately to automate repetitive duties.
Sponsored and written by Blink Ops.