Tools for Working From Home

Working from home presents its own set of challenges for teams when it comes to security operations. Let’s use this as a place for sharing some of the tools or strategies we’re using to help manage security-related matters when we’re working from home.

One of the more common themes we’ve seen recently is using the ChatOps feature in InsightConnect workflows to perform tasks via Slack or Microsoft Teams. What this means is that you can enter a short command in your chat window to do whatever it is you’re looking to do, and that will activate the corresponding workflow to take care of the task. The task could be anything from performing a password reset to retrieving vulnerability info, to doing indicator enrichment, and more. It makes it easy to quickly knock a bunch of repetitive items off your to-do list.

What strategies or tools help you the most when trying to manage security operations while working from home? Or on the flip side - is there something security-related you’re trying to figure out how to do effectively when working from home? Maybe folks here can help!

1 Like

Bob Rudis (R7’s Chief Data Scientist) wrote a super insightful post here: https://blog.rapid7.com/2020/05/11/optimizing-security-in-the-work-from-home-era/

3 Likes

We’ve got a pretty small Security IR team. When we got InsightConnect, I imported the open source indicator enrichment workflow. I’ve got it listening on a private channel in Teams. I’ve continued to add to it and it has made my job a lot more fun. I’ve added integrations with BigFix… with one I can enter a user’s login name and it will return a list of all the computers the person is logged into. I can also deploy specific software (or patches) to a machine. For example, we have the enterprise edition of MalwareBytes, but only deploy it as needed (we have a different product for our primary endpoint protection). Now, I can deploy MalwareBytes to a specific endpoint using BigFix from Teams. That’s pretty fun. Oh, and to make it more fun, I’ve renamed the trigger from “enrich-indicator” to just “dude”. In my Team channel, I can type “dude mwb comp1” and it’ll push MalwareBytes to comp1.

7 Likes
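The post above turns a chat message like “dude mwb comp1” into a software deployment, so the command handler is where access control has to live. The following is an added example, not code from the original thread, from InsightConnect, or from BigFix: a small ChatOps command dispatcher that parses the trigger word, action and target, rejects anything not on an action allowlist, checks the requester’s role, validates the target against a strict pattern, and records every allow and deny in an audit log. The trigger “dude”, the actions “mwb” and “where”, the requester names, the roles and the logged-in-user table are all hypothetical or constructed; the two handlers are stand-ins for where a real workflow would call its BigFix integration.

```python
"""Minimal ChatOps dispatcher: allowlisted actions, role checks, target validation, audit."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

TRIGGER = "dude"  # hypothetical trigger word, as renamed in the post

# Target validators. Hostnames: letters/digits/hyphens only, no dots, so a request
# cannot name an arbitrary FQDN; usernames: a conservative local-account pattern.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,63}$")


@dataclass
class Result:
    ok: bool
    message: str


@dataclass
class Dispatcher:
    # action name -> (roles allowed to run it, target validator, handler)
    actions: Dict[str, Tuple[Set[str], Callable[[str], object], Callable[[str], str]]] = field(default_factory=dict)
    # chat user id -> roles held (hypothetical role names)
    roles: Dict[str, List[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def register(self, name: str, allowed_roles, validator, handler) -> None:
        self.actions[name] = (set(allowed_roles), validator, handler)

    def handle(self, requester: str, text: str) -> Optional[Result]:
        """Return None for messages not addressed to the bot, otherwise a Result."""
        parts = text.strip().split()
        if not parts or parts[0] != TRIGGER:
            return None  # ordinary chat traffic; ignore silently
        if len(parts) != 3:
            return self._deny(requester, text, "usage: dude <action> <target>")
        _, action, target = parts
        entry = self.actions.get(action)
        if entry is None:
            return self._deny(requester, text, f"unknown action {action!r}")  # deny by default
        allowed_roles, validator, handler = entry
        if not allowed_roles & set(self.roles.get(requester, [])):
            return self._deny(requester, text, "not authorized for this action")
        if not validator(target):
            return self._deny(requester, text, f"invalid target {target!r}")
        out = handler(target)
        self.audit.append(f"ALLOW requester={requester} action={action} target={target}")
        return Result(True, out)

    def _deny(self, requester: str, text: str, reason: str) -> Result:
        self.audit.append(f"DENY requester={requester} text={text!r} reason={reason}")
        return Result(False, reason)


# Constructed stand-ins for the BigFix integrations described in the post.
_LOGGED_IN = {"jdoe": ["comp1", "comp7"]}  # constructed sample data, not a real inventory


def where_is(user: str) -> str:
    hosts = _LOGGED_IN.get(user, [])
    return f"{user} is logged in on: {', '.join(hosts) or '(none)'}"


def deploy_mwb(host: str) -> str:
    # A real workflow would hand the host to its BigFix deployment action here.
    return f"queued Malwarebytes deployment to {host}"


def build_dispatcher() -> Dispatcher:
    d = Dispatcher(roles={"alice": ["ir-analyst"], "bob": ["helpdesk"]})  # hypothetical users/roles
    d.register("mwb", ["ir-analyst"], HOSTNAME_RE.match, deploy_mwb)
    d.register("where", ["ir-analyst", "helpdesk"], USERNAME_RE.match, where_is)
    return d


if __name__ == "__main__":
    d = build_dispatcher()
    for who, msg in [("alice", "dude mwb comp1"), ("bob", "dude mwb comp1"),
                     ("bob", "dude where jdoe"), ("alice", "dude mwb comp1.evil.example")]:
        r = d.handle(who, msg)
        print(who, "->", msg, "->", r.ok, r.message)
    print("\n".join(d.audit))
```

The design choice worth noting is that the dispatcher denies by default: an action must be registered, the requester must hold a matching role, and the target must pass a validator before any handler runs. Both outcomes are written to the audit list so that every deployment triggered from chat, and every refused attempt, leaves a record that can be forwarded to a SIEM.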