Juggling Priorities and Countless Orchestration Use Cases? We’ve Got Your Back
Automation and Orchestration are terms that are thrown around interchangeably and claimed to be supported by just about every product offering out there. The advancements in technology required to truly support scalable workflows should not be understated.
Remember those connect-the-dot games we used to love as kids? Simple, distinct, and only one way to proceed. That’s a thing of the past. Organizations today have complex architectures to support business operations and keep assets secure. This requires things to happen quickly and seamlessly, passing information from one technology or team to another without confusion or delay. This can only happen in a fictional utopia, right? Wrong.
ThreatConnect users have been leveraging Playbooks to handle the automation of decision making for some time, but as the use cases requiring complex orchestration with multiple workflows increase, so must the engine driving the technology.
Orchestration is such a game changer when it comes to decreasing mean time to detect (MTTD) and mean time to respond (MTTR), as well as to allow security analysts to get away from the tedious parts of their jobs and focus on strategic aspects. With the ThreatConnect 5.7 release, we’ve put significant improvements in place to support your endeavors.
Playbooks User Interface Improvements
Usability is a huge factor when it comes to increasing the adoption of technology (or anything, for that matter)! We’ve taken your feedback and implemented a couple of items to make using our Playbooks a much easier experience. This includes items like customized tagging and labels, the ability to add notes within Playbooks, an instant view of ROI metrics associated with individual Playbooks, and enhanced search and filter capabilities to ensure you can find what you want, when you want it.
A peek into our Playbooks interface!
A better user experience is never a bad thing. These improvements allow for:
- Quicker navigation throughout Playbooks, with everything in one place
- The ability to organize your Playbooks the way you want with customizable tags
- Tracking the status or development of Playbooks with tags like “In Design” or “QA”
- Tagging Playbooks as “Enrichment”, “Reporting”, etc., to make filtering by Playbook type more manageable
- Easy viewing, sorting, and filtering on Playbook name, the Trigger used, any labels you’ve applied, and status (Active vs. Inactive)
- Notes that provide context as to why certain Playbooks were set up, allowing for clarification and better team collaboration
- Viewing ROI data without needing to drill down into the actual Playbook
Real-time Playbooks Activity Monitoring
Tying critical security operations to orchestration can be pretty nerve-racking initially. Having real-time insight into which Playbooks have run, are being run, and what’s queued up is critical to understanding that things are working as intended. We’ve created a new Activity Dashboard which provides users with:
- CPU Metrics
- Memory Utilization Metrics
- Counts of Top Playbooks Running
- Duration of Playbooks Running
- Most Popular Executed Apps
- Playbooks Currently Running
Here’s our updated activity dashboard where you can view multiple metrics from one view.
Real-time Playbooks Activity Monitoring gives users:
- An instant status check to ensure things are running smoothly
- Improved visibility and control over actively running Playbooks, making troubleshooting problematic Playbooks easier and actively managing them much simpler
- Quick checks for reporting on metrics like Top Executed Playbooks and Total Playbooks Executed
Addition of Playbooks Servers
Increasing adoption of orchestration is the goal, but what’s often forgotten are the back-end improvements that must be in place to support it. To prepare for the uptick in Playbooks, ThreatConnect customers can now roll out Playbook Servers that allow them to easily and effectively scale ThreatConnect to handle thousands of Playbook executions per day, while prioritizing what’s important. Each Server is its own machine, and once a Playbook Server is deployed, customers can set up multiple Playbook Workers on it to handle and monitor concurrent Playbook executions.
Whereas typically Playbooks are sent to the Playbook Queue and grabbed by the Default Playbook Server to be executed, we’ve significantly improved Quality of Service by letting users allocate Private Servers to an Organization for the highest priority Playbooks to get ahead of the queue. You can also enable high availability (HA) by deploying multiple Playbook Servers. If at any point a Playbook Server crashes, the remaining servers take over responsibilities. There is no single point of failure!
Six Workers deployed across three different Playbook Servers. This setup can easily handle six concurrent Playbooks and thousands of executions to meet the needs of threat intel teams while allowing high priority Playbooks to execute in real time.
Priority Setting to Ensure Playbooks Execution
Not all Playbooks are created equal. We know that. You know that. And now the ThreatConnect Platform can know that too. Some Playbooks perform basic enrichments and send routine notifications, while others hunt for mission critical intel and loop in the entire security team about potential major incidents.
Directly from the Playbook itself, users can now assign a High/Medium/Low Priority setting to each Playbook from a drop-down menu. Playbooks deemed “High Priority” essentially jump the queue when they are triggered. Users can even assign specific servers to execute only high priority Playbooks, so that one is always available to complete the most critical operations. Think of this as a ThreatConnect Fast Pass!
We all want to make sure the important things are getting done first. We run through prioritization exercises daily, and it becomes even more critical when dealing with security operations. The ability to set Playbooks at different priorities enables the most important things to get done first.
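To make the queueing behaviour described in the Playbook Servers and Priority sections concrete, here is a small scheduler simulation. It is an added illustration written for this article, not ThreatConnect’s own code; the `Server`, `Playbook`, `high_only` and `alive` names, the sample Playbooks and the one-pass dispatch rule are all assumptions. It shows High priority work leaving the queue ahead of older Medium/Low work, a reserved server that only ever takes High priority Playbooks, and a crashed server whose Workers are simply skipped while the remaining servers take over.

```python
from dataclasses import dataclass, field

# Lower rank sorts first, so High-priority Playbooks jump ahead of Medium and Low.
PRIORITY = {"High": 0, "Medium": 1, "Low": 2}

@dataclass(order=True)
class Playbook:
    rank: int                         # derived from the priority label
    seq: int                          # arrival order: FIFO within one priority level
    name: str = field(compare=False)
    priority: str = field(compare=False)

@dataclass
class Server:
    name: str
    workers: int                      # concurrent executions this server can take
    high_only: bool = False           # reserved for High priority only (hypothetical "Fast Pass")
    alive: bool = True                # False simulates a crashed server (HA takeover)

def build_queue(arrivals):
    """arrivals: [(name, priority)] in trigger order -> queue sorted by rank, then arrival."""
    return sorted(Playbook(PRIORITY[p], i, n, p) for i, (n, p) in enumerate(arrivals))

def schedule_round(queue, servers):
    """One dispatch pass. Reserved servers pick first (they sit idle unless High work
    exists), then every free Worker on each live server grabs the best eligible item.
    Returns {server_name: [playbook names]}; `queue` is mutated in place."""
    live = [s for s in servers if s.alive]          # crashed servers are simply skipped
    assignments = {s.name: [] for s in live}
    for server in sorted(live, key=lambda s: not s.high_only):
        for _ in range(server.workers):
            pick = next((pb for pb in queue
                         if not server.high_only or pb.priority == "High"), None)
            if pick is None:
                break                               # nothing this server is allowed to run
            queue.remove(pick)
            assignments[server.name].append(pick.name)
    return assignments

def remaining(queue):
    return [pb.name for pb in queue]

# Constructed sample: a burst of triggers, one reserved server, one crashed server.
ARRIVALS = [("enrich-ip", "Low"), ("daily-report", "Medium"), ("incident-hunt", "High"),
            ("enrich-url", "Low"), ("ioc-escalate", "High"), ("weekly-digest", "Medium"),
            ("enrich-hash", "Low")]
SERVERS = [Server("default-1", 2), Server("default-2", 2, alive=False),
           Server("fastpass", 1, high_only=True)]

if __name__ == "__main__":
    q = build_queue(ARRIVALS)
    print(schedule_round(q, SERVERS))   # both High Playbooks leave the queue first
    print(remaining(q))                 # older Low work still waits behind Medium
```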
Environment Server Improvements
Environment Servers enable ThreatConnect to communicate with technologies operating on other networks. Environment Servers have been available for some time, but they are now “headless”, meaning they no longer need their own user interface in order to work, which makes them easier to set up.
ThreatConnect 5.7 removes the necessity of logging into this special UI to deploy Environment Servers. Now, users can download them directly from the UI in an “all-in-one” bundle that can be deployed inside a network.
Environment Server configured and ready for installation and monitoring.
These improvements introduce a new, simplified download of the environment server which translates to a secure and “turn-key” deployment inside your network!
At ThreatConnect, we encourage increased adoption and advanced use cases of orchestration for our customers. That’s reflected in our ThreatConnect Platform capabilities and our dedication to improving backend functionality to support it. Avoid “automation burnout” and ensure that the most critical jobs get done first and everything gets done fast.