How interconnecting two orchestration tools, Phantom and Ansible Tower, can automate your incident response, data collection, corrective action and notification.
At World Wide Technology (WWT) we work closely with our customers and partners to increase the adoption of infrastructure automation and orchestration. In one of our recent collaboration sessions with F5 Networks, we discussed the different automation maturity levels in the industry.
The stages of maturity
At the entry stage of the automation journey, most organizations use basic procedural scripting intended for a specific function, with little consideration for code modularity. The next stage is using tools like Chrome Postman to start working with REST APIs, creating and sharing collections of workflows within a team.
Next, an automation framework like Ansible is adopted, and the focus shifts to design plans and playbooks. In this phase, organizations also use modules that ship with Ansible, as well as those written in-house or available in the public domain, to configure various assets in the workflow. At this point, the focus turns to deploying an enterprise orchestration framework, like Ansible Tower.
The highest level of automation maturity involves interconnecting orchestration tools.
WWT has developed a way to integrate Phantom Cyber – an incident management, security automation and orchestration software framework – with Ansible Tower. The goal of this integration is to position Ansible Tower as an orchestration blaster in responding to security incidents. You can accomplish this by developing a Phantom app that can launch playbooks using the Ansible Tower API.
You can also use this integration to run a playbook that invokes Ansible network modules to configure a remotely triggered black hole (RTBH) route in a Cisco router. By leveraging Ansible Tower, the security operations team can quickly mitigate a security incident from the Phantom user interface.
This pairing of Phantom and Ansible can also serve as a good tool for responding to a suspected data exfiltration. For this response, a Phantom playbook launches a job in Ansible Tower, programmatically updating the atomic counter configuration of a Cisco ACI fabric. The Ansible module uses the REST API of the Cisco Application Policy Infrastructure Controller (APIC).
The interconnection of these systems and workflow is shown above in the topology diagram.
In this diagram, you can see that the security operations staff initiates a Phantom action or playbook to launch a job in Ansible Tower. Tower downloads the version-controlled playbook from a Git server and runs it, adding an atomic counter to the ACI fabric. The atomic counters monitor traffic to the suspected exfiltration host's IP address. An additional application continuously queries all configured atomic counters on the ACI fabric and updates a security incident if data exfiltration is observed. This provides feedback to security operations.
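The launch step of this workflow, sketched as an added example (not WWT's Phantom app code): a Python function that starts a Tower job template through the Tower REST API, passes the suspect host as an extra variable, and polls the job until it finishes. The variable name `suspect_ip`, the template ID, and the use of an OAuth2 bearer token are assumptions made for illustration.

```python
import ipaddress
import json
import time
import urllib.request

TERMINAL = {"successful", "failed", "error", "canceled"}  # Tower job end states


def http_json(method, url, token, body=None):
    """One authenticated JSON request to Tower; TLS verification stays on."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def launch_response_job(base_url, token, template_id, suspect_ip,
                        send=http_json, poll_seconds=5, max_polls=60):
    """Launch one Tower job template for a suspect host and wait for the result."""
    # Validate the incident artifact before it becomes a playbook variable.
    ip = ipaddress.ip_address(suspect_ip)
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError(f"refusing to act on {ip}")
    base = base_url.rstrip("/")
    launched = send("POST",
                    f"{base}/api/v2/job_templates/{int(template_id)}/launch/",
                    token,
                    {"extra_vars": {"suspect_ip": str(ip)}})  # hypothetical var
    # Tower drops variables the template does not prompt for; without this
    # check the job could run and "succeed" without touching the suspect host.
    if launched.get("ignored_fields", {}).get("extra_vars"):
        raise RuntimeError("template ignored extra_vars; enable prompt on launch")
    job_id = launched["job"]
    for _ in range(max_polls):
        job = send("GET", f"{base}/api/v2/jobs/{job_id}/", token)
        if job["status"] in TERMINAL:
            return {"job_id": job_id, "status": job["status"],
                    "ok": job["status"] == "successful"}
        time.sleep(poll_seconds)
    raise TimeoutError(f"job {job_id} still running after {max_polls} polls")
```

The `send` parameter lets the caller substitute a stub transport for testing; in production the default `http_json` talks to Tower over HTTPS with certificate verification enabled.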
Putting it all together
Automation and orchestration have been the purview of cloud computing and system administration, but are now increasingly important to security operations and network administration. By automating the data collection and corrective action components of incident response, significant time savings can be realized. Corrective actions often need to be applied to multiple assets in the organization. Interconnecting the orchestration tools Phantom and Ansible Tower can automate your incident response, data collection, corrective action and notification.