Large Austrian Company

Automatic handling of IT security incidents

What was Automated?

Phishing

Integration of Cloudomation with an Office365 email inbox, to which phishing and other malicious emails are reported by the client’s more than 1000 employees. Cloudomation continuously monitors the inbox. Upon receiving an email, the automated process is triggered. Cloudomation extracts all links and attachments from the email and sends them to two analysis tools: JoeSandbox and VirusTotal. Across the company, the Office365 email inboxes of all employees are searched for emails with the same subject or content. A ticket is automatically created in the Redmine ticketing system and assigned to an IT security specialist.

Data Breach

The client subscribes to two services that monitor international data breaches and provide information about data breaches to their customers: Have I Been Pwned (HIBP) and Spycloud. Have I Been Pwned and Spycloud send notifications about data breaches via email to customers. This triggers the automatic process in Cloudomation. Affected emails are identified, a ticket is created, and assigned to an IT security specialist.

All the Details About the Automation

Phishing email incidents:

  1. Connection of Cloudomation to an Office365 e-mail inbox, to which phishing and other malicious e-mails are reported by more than 1000 employees. Cloudomation continuously monitors the inbox. The automatic process is initiated when a phishing or malicious email arrives.
  2. Cloudomation extracts all links and attachments from the email.
  3. Cloudomation transfers links and attachments to two analysis tools: JoeSandbox and VirusTotal.
  4. Cloudomation searches the Office365 email inboxes of all employees company-wide for emails with the same subject or content and thus identifies other recipients of the malicious email.
  5. Cloudomation creates a ticket in the Redmine ticketing system. Cloudomation documents the following information in the ticket:
    1. The email itself and the person who reported the email.
    2. The analysis results from JoeSandbox and VirusTotal.
    3. All other recipients of the e-mails that were identified.
  6. Cloudomation assigns the ticket to an IT security specialist for further processing. The specialist uses his/her expert knowledge to decide how to proceed. This means that IT security specialists concentrate on activities that require their expertise and know-how.

Data breach incidents:

  1. The customer subscribes to two services that monitor international data breaches and provide information about data breaches to their customers: Have I Been Pwned (HIBP) and Spycloud.
  2. Have I Been Pwned and Spycloud send notifications of data breaches to customers via email. This triggers the automatic process in Cloudomation.
  3. Cloudomation reads the information about the data breach out of the notification emails:
    1. Have I Been Pwned: a CSV file with the breach data is downloaded and processed by Cloudomation.
    2. Spycloud: the data are retrieved via the Spycloud API.
  4. The data from both services are searched for the customer’s domain name in order to identify affected e-mail addresses.
  5. The affected addresses are compared with the customer’s Active Directory database to identify the employees’ user names.
  6. A ticket is created in the Redmine ticketing system. The data breach reports from Have I Been Pwned and Spycloud are attached, and the results of the search are documented in the ticket.
  7. Cloudomation assigns the ticket to an IT security specialist for further processing. The specialist uses his/her expert knowledge to decide how to proceed. This means that IT security specialists concentrate on activities that require their expertise and know-how.
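As an added illustration of steps 3 to 6 of the data breach workflow (example code written for this page, not Cloudomation’s own flow script): a plain-Python sketch that filters a constructed breach CSV for the customer’s domain, looks up user names in a constructed stand-in for the Active Directory query, and composes the ticket text. The CSV column names, the lookup table and the sample addresses are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample breach export. The column names are an assumption made for
# this example; they are not claimed to be the real HIBP CSV layout.
BREACH_CSV = """email,breach,date
Alice.Muster@Example.AT,SomeSite,2023-01-15
bob@example.at,OtherSite,2023-02-01
mallory@example.at.evil.com,SomeSite,2023-01-15
carol@partner.org,SomeSite,2023-01-15
"""

# Constructed stand-in for the Active Directory lookup (mail -> user name).
AD_DIRECTORY = {"alice.muster@example.at": "amuster", "bob@example.at": "bmust"}

def affected_addresses(csv_text, domain):
    """Return rows whose address belongs exactly to `domain` (case-insensitive)."""
    domain = domain.lower()
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        _, sep, email_domain = email.rpartition("@")
        # Compare the whole domain part, not a substring: 'example.at.evil.com'
        # contains 'example.at' but is not the customer's domain.
        if sep and email_domain == domain:
            hits.append({"email": email, "breach": row["breach"], "date": row["date"]})
    return hits

def resolve_users(hits, directory):
    """Attach the AD user name to each hit; None marks an address with no AD match."""
    return [{**hit, "user": directory.get(hit["email"])} for hit in hits]

def build_ticket(resolved, domain):
    """Compose the subject and description that would go into the ticket."""
    by_breach = defaultdict(list)
    for r in resolved:
        by_breach[r["breach"]].append(r)
    subject = f"Data breach notification: {len(resolved)} address(es) in {domain}"
    lines = [subject]
    for breach, rows in sorted(by_breach.items()):
        lines.append(f"- {breach}:")
        for r in rows:
            lines.append(f"    {r['email']} ({r['date']}) -> {r['user'] or 'no AD match'}")
    return {"subject": subject, "description": "\n".join(lines)}
```

Addresses without an AD match are kept in the ticket rather than dropped, since a breached mailbox that is no longer in the directory is still worth the analyst’s attention.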

How did we Develop the Automation?

Cloudomation was installed on-premises in the customer’s data center. After half a day of training, the customer took over operation and maintenance of the platform, as well as development of the flow scripts. Cloudomation experts provide support on demand.
