Playbooks bring Security Orchestration, Automation and Response (SOAR) capabilities to the C3M Cloud Control Platform. They help streamline security operations via a flexible, customizable, and extensible framework that can support multiple remediations or actions for cloud entities.
The Playbooks capability is available for AWS, GCP and Azure.
The Playbook Framework
Now, let’s look at some actions that come bundled with Playbooks:
- Perform actions on cloud resources: remove public access to an EC2 instance, encrypt an S3 bucket, add tags to supported resource types, etc.
- Notifications on policy violations
- Creating incident tickets
- Push violations to SIEM tools
Administrators can define a playbook using a combination of all these actions, and that is where the real power of playbooks kicks in.
A real-life example
Let’s look into a day in the life of Joe, who is a Data Security Analyst at XYZ Company. Joe and his team are responsible for managing and monitoring the data security posture across AWS, GCP and Azure infrastructures (the 3 clouds that XYZ Company uses).
Below are the steps that Joe and his team follow when they get an alert for storage buckets in AWS:
- Receive an alert that an S3 bucket is exposed to the public internet.
- Look up the S3 bucket configuration and do a root cause analysis.
- Manually resolve the violation by following a set of instructions.
- Log and record this change in some ticketing system, so that it can be tracked and reported.
- Notify a set of administrators or project owners about the violation and the remediation that was applied.
NOW REPEAT SIMILAR STEPS FOR ALL RESOURCES THAT COME TO HIS QUEUE
Net effect
Joe is flooded with requests, and since the changes are manual the probability of another misconfiguration creeping in cannot be ruled out, and as we are all humans – Joe ends up missing one or the other step.
NOT A HAPPY PICTURE
Now let’s look at the same set of events, but this time – with the help of playbooks in C3M Cloud Control.
THE NEW PROCESS WILL LOOK LIKE THIS
Joe defines an S3 Bucket Playbook and selects the cloud security policies that can trigger the playbook. Example – S3 bucket exposed to the public internet.
As part of the playbook definition, Joe defines 3 automated actions:
- Remediate the S3 public exposure (happens via an API call)
- Create a ServiceNow ticket to track the violation
- Send an email to the Data Security Admins
Joe saves the playbook definition. That’s literally it.
From now on, all detected S3 bucket violations will automatically trigger Joe’s playbook, which in turn will ensure the following:
- The S3 bucket violation is remediated (automatically)
- A ServiceNow ticket is created to track the same
- Data Security Admins are notified via email
NET RESULT
Joe is happy, and XYZ Company has a robust response mechanism for data misconfiguration threats.
Extensible Framework
Customers can also choose to extend the playbook functionalities by writing their own custom actions. Custom Actions can be written using the serverless framework (AWS Lambda, GCP Functions and Azure Functions).
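As an added example (not C3M's code and not the platform's real API), the following Python module shows how the three-action S3 playbook from Joe's scenario above could be implemented as a serverless custom action of the kind this section describes. It remediates the public exposure by applying an S3 Public Access Block, opens a ticket, and emails the admins, passing the outcome of each step to the next so that a failed remediation is still ticketed and reported rather than silently dropped. The S3 client, ticketing API and mailer are offline stand-ins; the boto3 method name and its keyword arguments are real, while the event layout, policy ids, ticket numbers and e-mail addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

class FakeS3Client:
    """Offline stand-in for boto3.client("s3"); the real put_public_access_block has the same kwargs."""
    def __init__(self) -> None:
        self.blocks: Dict[str, dict] = {}
        self.fail_for: set = set()  # buckets whose call should raise, to exercise the failure path
    def put_public_access_block(self, Bucket: str, PublicAccessBlockConfiguration: dict) -> dict:
        if Bucket in self.fail_for:
            raise PermissionError("AccessDenied: s3:PutBucketPublicAccessBlock")
        self.blocks[Bucket] = dict(PublicAccessBlockConfiguration)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

class FakeTicketing:
    """Hypothetical ServiceNow-style incident API; ticket numbers are constructed."""
    def __init__(self) -> None:
        self.tickets: List[dict] = []
    def create_incident(self, short_description: str, description: str) -> str:
        number = f"INC{len(self.tickets) + 1:07d}"
        self.tickets.append({"number": number, "short": short_description, "body": description})
        return number

@dataclass
class Violation:
    policy: str       # id of the policy that fired, e.g. "s3-bucket-public-exposure" (constructed)
    account: str
    region: str
    resource_id: str  # for S3 policies, the bucket name

@dataclass
class ActionResult:
    name: str
    ok: bool
    detail: str

# An action sees the violation plus the results of earlier steps and returns a detail string.
Action = Callable[[Violation, List[ActionResult]], str]
FULL_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
TRIGGER_POLICIES = {"s3-bucket-public-exposure"}  # policies Joe selected (constructed ids)
ADMINS = ["data-security-admins@example.com"]      # constructed distribution list

def summarize(v: Violation, prior: List[ActionResult]) -> Tuple[str, str]:
    """Status tag plus a one-line-per-step report, shared by the ticket and the email."""
    failed = [r.name for r in prior if not r.ok]
    status = "remediated" if not failed else "ACTION FAILED: " + ", ".join(failed)
    report = f"account={v.account} region={v.region} resource={v.resource_id}\n" + "\n".join(
        f"{r.name}: {'ok' if r.ok else 'FAILED'} - {r.detail}" for r in prior)
    return status, report

def make_remediate_s3(s3) -> Action:
    def action(v: Violation, _prior: List[ActionResult]) -> str:
        s3.put_public_access_block(Bucket=v.resource_id, PublicAccessBlockConfiguration=FULL_PUBLIC_ACCESS_BLOCK)
        return f"public access block applied to s3://{v.resource_id}"
    return action

def make_create_ticket(ticketing) -> Action:
    def action(v: Violation, prior: List[ActionResult]) -> str:
        status, report = summarize(v, prior)
        return ticketing.create_incident(f"[{status}] {v.policy} on {v.resource_id}", report)
    return action

def make_notify(send: Callable[[List[str], str, str], None], recipients: List[str]) -> Action:
    def action(v: Violation, prior: List[ActionResult]) -> str:
        status, report = summarize(v, prior)
        send(recipients, f"[{status}] {v.policy}: {v.resource_id}", report)
        return f"notified {len(recipients)} recipient(s)"
    return action

def run_playbook(v: Violation, actions: List[Tuple[str, Action]]) -> List[ActionResult]:
    """Run the actions in order; a failure is recorded but does not stop the chain,
    so a failed remediation still gets its ticket and its email."""
    results: List[ActionResult] = []
    for name, action in actions:
        try:
            results.append(ActionResult(name, True, action(v, results)))
        except Exception as exc:
            results.append(ActionResult(name, False, f"{type(exc).__name__}: {exc}"))
    return results

def handle_event(event: dict, actions: List[Tuple[str, Action]], triggers: set) -> dict:
    """Entry point a serverless custom action would expose (an AWS Lambda handler would
    call it with boto3.client("s3") wired in). The event layout is an assumption."""
    v = Violation(event["policy"], event["account"], event["region"], event["resource_id"])
    if v.policy not in triggers:
        return {"triggered": False, "results": []}
    return {"triggered": True, "results": run_playbook(v, actions)}

def build_demo():
    """Wire Joe's three-action playbook against the offline stand-ins."""
    s3, ticketing, outbox = FakeS3Client(), FakeTicketing(), []
    def send(to, subject, body):  # stand-in mailer: records what would have been sent
        outbox.append({"to": list(to), "subject": subject, "body": body})
    actions = [("remediate-s3-public-exposure", make_remediate_s3(s3)),
               ("create-servicenow-ticket", make_create_ticket(ticketing)),
               ("notify-data-security-admins", make_notify(send, ADMINS))]
    return s3, ticketing, outbox, actions
```

In a real Lambda deployment, the handler would call `handle_event` with `boto3.client("s3")` in place of `FakeS3Client`, and the function's execution role needs only `s3:PutBucketPublicAccessBlock` on the buckets it is allowed to remediate, which keeps the remediation identity least-privileged. The ticket and the e-mail are deliberately sent even when the API call fails, so an access-denied error on the bucket becomes a tracked incident instead of a missed step.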