How does automation help with the security process?
Security teams are constantly onboarding use cases that result in alerts and incidents that must be triaged by analysts and engineers. And as your security team and program matures, it’s likely that introducing custom automation will become a priority.
Automation doesn’t just prevent burnout amongst security professionals, it enables security teams to translate team tradecraft into logic that a machine can perform on their behalf.
At its core, automation is facilitated by source code provided to programming languages. And Python is a great resource for security teams to leverage when prototyping and building security automation.
Security practitioners often choose Python as the programming language for automation because of its readability and ease to learn. Python is also an interpreted language and runs line-by-line, making it easier to debug issues and prototype on the fly.
But before embarking on the automation journey, it’s essential to collaborate with your team and organization to understand impactful use cases that will enable — and not disrupt — business processes and operations.
5 Steps When Implementing a Security Automation Use Case with Python
Step 1: Identify a Security Use Case
The goal is likely to automate as much as possible, and the best way forward is by identifying one use case to start. During this step, team members should collaborate with stakeholders to identify which components of security operations can and should be automated.
Python security use cases can range from detecting lateral movement to augmenting analyst action between two technology solutions.
One thing to keep in mind is while identifying a security use case to automate, your team may discover that additional organizational risks may be introduced by creating automation. For example, if a team is attempting to automatically block atomic indicators such as IP addresses, it may cause disruption for other teams if a false-positive occurs.
Step 2: Identify Data Sources
In most cases, Python will be leveraged to perform operations on data. For example, if the goal is to pass data from a vulnerability scanner to an asset management tool then at least two data sources will be required to accomplish that use case.
While identifying data sources there are a few questions to consider answering before attempting to write a Python application:
- Does my data source have an API or a mechanism to collect data?
- Does my development environment have access to the data source?
- Are there any requirements to keep in mind when handling the data collected?
- Which attributes and fields are required to successfully implement my use case?
Step 3: Define Security Logic
After a strategy is established for collecting the necessary data for your use case, it's time to define the logic of your implementation. This can be initially done from a high level as documented steps.
Performing this step will help your team understand if the use case can be created before writing your Python code. During this step, your team can discuss the tradecraft of each team member to be sure that the implementation will be impactful for all. Here’s an example of automating vulnerability management efforts:
- Retrieve hostnames of devices that contain a critical CVE from the vulnerability scanner
- Search asset management solution for the retrieved hostnames
- Retrieve IP addresses, operating systems, and installed software for the retrieved hostnames from the asset management solution
- Create a ticket in case management solution and assign the ticket to IT team
Step 4: Setup Development Environment
After the high-level logic is defined, it’s time to set up a development environment. A development environment in Python is a combination of a text editor and a Python runtime implementation.
The runtime environment includes the Python interpreter along with Python libraries. Depending on your use case and data source, you may have the option to leverage a Python library for interacting with a data source. For example, to leverage Axonius as a data source the Python API Client can be installed to facilitate API calls between the development environment and the Axonius platform.
Another element to consider is the version of Python that is included in your runtime environment. Teams should inspect their environment and ensure that they’re not introducing vulnerabilities while attempting to automate security use cases. When the version of Python is not a factor, implement the following steps to set up a development environment:
- Install the latest version of Python
- Create a virtual environment using venv to isolate dependencies
- Install an editor (i.e. Visual Studio Code)
- Install third-party libraries if necessary
Step 5: Write Code
The final step is to translate the security logic to Python code. Writing Python code is a continuous cycle of design, implementation, and testing until the intended outcome is consistently achieved.
If third-party libraries were used in your application, review the documentation and best practices to avoid experiencing errors as you execute your application. Ultimately, when building Python applications, it’s important to consider the readability of your source code. PEP 8 is a great resource to review for best practices on Python coding conventions and styling.