Next-Level Automation: A Conversation with Automox's Cybersecurity Experts

Episode 9 | Published September 19, 2024 | 19 minute watch

Summary

Maddie Regis speaks with Ryan Braunstein and Mat Lee from Automox's security team about the evolution of automation in security operations. They discuss their career backgrounds, the day-to-day use of Automox for security tasks, and the innovative strategies they employ to enhance automation. The conversation also covers various tools used for advanced automation and concludes with a fun game related to video games and security.

Transcript

Maddie: Hello everyone, it's Maddie Regis, Paid Media Manager at Automox, and I'm back with another episode of Automox Insiders, which is Automox's podcast that introduces you to the people behind the product. So this month, all the pods are talking about next level automation for the most part. And so we've got a couple members of our security team here because they leverage a lot of that. So we've got Ryan Braunstein, our team lead for security operations, and Mat Lee, security engineer. So thanks for joining us, guys.

Ryan Braunstein: Thanks for having us.

Mat: Thanks for having us.

Maddie: Awesome. All right. Well, Ryan, we'll start with you, but I want you each to just give me a little bit about your career background, your current role. And I always ask everyone the name you'd give our company if it wasn't called Automox. So Ryan, over to you.

Ryan Braunstein: All right, fair. So yeah, I went to school for cybersecurity while I was kind of like touring in the back of a van when I was like in a pop punk band back in the day. And then I jumped into IT because that was just kind of what I could get into at the time. And I just kind of kept applying all that security stuff in that area. And then I came to this company and ended up starting in as a sysadmin, but eventually getting promoted to the security team. It's like my first real, real long-term full-time security gig that wasn't consulting. Yeah, that's kind of my journey. It was a wild one. And I guess if I were to change our name to something else, I would go with Automox, you know, like around our mascot. Because like right now we have some people, or Automox, I did what other people do, which is why I wanted to change it. Because people keep doing AutoMax and I'm like, that's a car place. That's not us. So yeah.

Maddie: I love it. Yeah, I've definitely got some sales emails from vendors and I'm like, just one letter, missed it by one letter. Yeah, I love that. We love auto here, so that's awesome. Mat, what about you?

Ryan Braunstein: Yep, almost at it.

Mat: Hi, I'm Mat. I started here in IT. My background's mainly in IT. And I've been, was doing IT for almost a decade and then just bugged the right people here and moved over into security and kind of never looked back. So it's been kind of a wild ride. I've been here, I just passed my four-year mark, or in a couple of days, which feels like, I tell everybody, like geriatric in the startup world. But what's nice is I started here in one position. And so really I kind of treat it as like two jobs because when I switched over to security, it definitely felt like a career shift. So yeah, that's my background. And I think I was trying to think of some names. You know, I think what's interesting about our product is like,

I would say PatchOps, kind of like the DevOps movement where that blurs the line between development and ops teams. And so we're not, we are a patching company, but we're kind of on that line of like patching plus automation. So that was kind of the first thing that came into

Maddie: Yeah, I like it. Yeah. We're so much more. I mean, patching was our bread and butter. That's how I got started. But I like to say we're so much more than that at this point. Okay. Speaking of automation, obviously that's what we're here to talk about today. So we're talking about sort of like next level up level automation, but I feel like in order to kind of understand that from your perspective, we just need to like have an understanding of how you use Automox in your day to day for automation. So kind of just run through the basics of what you all do in the security team.

Ryan Braunstein: Yeah. I mean, so day to day kind of is day to day is very different, I guess, from like our more we do do some one off stuff. But like in our day to day, we a lot of times use it to ensure the health of some of our tools, like make sure certain processes that are involved with the tools are running, make sure maybe a username is registered to the app, like internally or something like that. But then we also do like some cool stuff like incident-based things like when the XZ vulnerability came out, we had one of our engineers write a whole Automox script to detect that version on any of our devices and generate a .CSV around it, which I thought was super cool to use in the moment. But yeah, I'll let Mat take some more.

Mat: Yeah, and I think we also have a couple scripts for incident response and forensics too. So we can gather a bunch of information about the device or kind of what the last state of it was. And then we are looking to run some YARA rules, which will help us more with threat hunting and response, kind of detecting threats; we are exploring that right now. But I mean, like, what's cool about the product is if you can run a shell script, you can, you know, run basically anything you want, just because we do offer that capability. So kind of the possibilities are sort of endless. I mean, you could even like, and I know I'm kind of jumping the gun here, but I think for just more advanced stuff, you know, you could have an event that fires off some shell script that maybe hits a webhook somewhere that runs something in maybe your EDR or something else that fires off something else. So yeah, it's pretty cool what you can do with it.

Maddie: Yeah, that's awesome. Well, I love it. Let's get into it. What about that? That next level that level up automation, right? Ryan, we'll go over to you first.

Ryan Braunstein: Yeah, so when I first started here and I was like on the IT side, one of our other colleagues, David van Heerden and I, we kind of had this idea to do what's called Worklets on demand where like you put in a ticket and then it triggers an automation somewhere. It's like a self-service like help desk kind of thing. 

As it evolved, I started thinking like, how could I make this more secure? And now that like, you know, I'm on this side and I'm able to like look at the different data points that tie a user to their identity. It's like, cool. You can fire this ticket off, have it analyze every single one of those data points and say, okay, this is definitely that person with like a hundred percent confidence. You know, it's coming from the same IP, same area. Like if there was an attacker, I guess it would be on their device.

You know, there are ways to like secure that process. I feel like that's like a cool advanced automation is kind of like the verification behind your help desk and also like reducing the load on your actual help desk team. That's something that I'm like pretty passionate about is elevating the help desk teams and stuff like that to kind of get to that next level by taking some of like that, you know, more granular work off of them. So, yeah.

Maddie: Yeah, for sure. And I mean, I definitely am very aware that the product does that, but it's really interesting to hear you talk about that from a security perspective, because I feel like a lot of times we're focused on the ITOps and not so much the SecOps. So Mat, what else? You got any other fun tidbits of leveled up automation that you will use?

Mat: Yeah, I mean, I think our API is pretty powerful. And so kind of that event-driven automation, if something meets the right conditions, maybe your SOAR will run a script to reach out to our API and run a bunch of policies on certain machines or all your machines or an affected machine. And so I think really utilizing the API to build even kind of more granular automations is a really interesting idea. And I know we haven't fully explored it yet on the security team, but it's kind of on the radar to do that. And I think I also found a blog on it kind of running on demand policies, at least via Windows, kind of some ideas on, you know, cause a lot of our security stuff is event driven.

So we get, we ingest a bunch of data and if something is anomalous or even an alert from one of our systems, it's pretty cool to take that event, maybe take the host name, some other piece of information and then fire off some automation to remediate something on that host. And I know we use it for some compliance stuff too, like required software, right? And making sure certain things are up to date and kind of things like that. So that would be my advanced automation tips.

Maddie: Awesome. I love it. I mean, yeah, it sounds like, like you said, possibilities are endless. There's lots of different ways to leverage it, which is great. So another question for you guys, obviously, you know, we love to talk about Automox on this pod. We love to discuss the product, but are there any other tools that you guys are using over in SecOps for advanced automation outside of Automox?

Ryan Braunstein: I mean, I am and have always been since I even got my hands in the AWS environment, just a sucker for EventBridge and Lambdas. Like there is just such a large volume of things that you can create in there. And obviously it's expensive, it can get expensive, but it's just a ton of fun to integrate systems that way. I'm a sucker for like doing any kind of like, like, cool, we don't have the money to get a solution that covers like...

this gray area here, like creating some middleware solution that like solves for the issue. It's just that makes me feel very happy overall, just creating things like that. So I like to call them like million dollar Legos. So, yeah.

Mat: As it could cost you a million dollars. Let's be real. If it gets out of control.

Ryan Braunstein: You hit the wrong switch.

Mat: Yeah, I kind of agree with that. So we use a lot of Terraform here. And so I think automating all of our infrastructure is done via GitHub Actions, Terraform, things like that. And then we use Rapid7 as our SOAR. So we have some automations in there with if we need to start a new incident, we have a whole Slack bot that can spin up a Slack channel, take notes, put it into our, it's called Iris, which is where we track investigations. And then I mean, even Patch Safe, right? We built that as an automation to scan third-party packages for anything malicious, right? So kind of using automation to basically keep the integrity of our supply chain intact because I mean, if we do have something bad in a third-party package, and that gets passed to customers, who's going to be blamed for that? So it's just one other layer that we're using automation for to increase our value and really keep our customers safe.

Maddie: Yeah, I didn't even think of Patch Safe that way, but you're totally right and that's awesome.

Ryan Braunstein: Yeah.

Mat: But other than that, just we use a lot of Python around here for one-off scripts. We use some shell scripting, kind of help IT with some scripts. Anything, I think when Ryan started, it was like, anything. Zapier is an amazing tool. I don't know if it totally scales well, but for our use, maybe now.

Maddie: Cool.

Ryan Braunstein: You are Zapier. You're a big Zapier guy. Hahaha! I think it might actually, it may actually cover that, yeah.

Mat: But yeah, I mean, when I started, it was a Zapier empire that Ryan walked into because we were trying to make sure that anything manual just didn't have to be done. It was more centered around new hires. It was submit a form, accounts get created. We solved a problem with tracking numbers and tying that to a new hire and their personal emails so we wouldn't have to send those out manually.

Ryan Braunstein: Yeah. And then I built Hades and Gaia in Okta workflows. Like those are our like onboarding, offboarding, like the one creates life one, you know.

Mat: Yeah, and I think it's anything that is manually done can 99.9% of the time be automated. So if you find yourself doing a task, right, like if you're doing a task over and over, even if it's only, you know, a five minute task, think about how much time you save over a year with just automating that thing. So that's hours and hours.

Ryan Braunstein: Yeah, with a human eye above it, you know? Yeah.

Maddie: Yeah, right.

Ryan Braunstein: Yeah. Yeah, and there's an equation for that too. I remember when I was taking a Python course years ago, there was a whole course like why or like, you know, the value of an automation was like time spent versus, I don't know, I can't even remember it. But there is an equation, I highly recommend people check it out.

Mat: Yep. So.

Maddie: Yeah, for sure. It's, I mean, you know, it's just all about what else can you do with that saved time as well, which is then another value add. So yeah, absolutely.

Ryan Braunstein: Yeah. Yeah. And I think that's like, there's like all that fear. I feel like people are really afraid to actually automate themselves out of a job, but they don't realize that like AI, all that stuff, it's still going to need a person overseeing it. Like you're trying to make your job lighter, not easier, but lighter so that you can do bigger things, more effective, more nuanced things that you couldn't just automate, like things that need a more direct human touch to. So. That's my opinion. Yeah.

Maddie: Yeah, 100% agree. All right, awesome. Well, that's all the chit chat I've got about automation, but I do always end this podcast with a game and we're actually recording on the day of National Video Games Day. So it's gonna be a little silly, a little cheesy, but I tried to tie some SecOps activities into some certain popular video games. So we'll see, we'll test your knowledge, see how you do. All right.

Mat: Sweet.

Maddie: So this first question, this one's gonna be multiple choice because I figured I'd be nicer to you guys for that. Reducing time to patch is obviously a top priority for SecOps and ITOps teams. You guys have a need for speed, which is similar to a certain overalled plumber and his friends when they race. So the first question is, when was the first Mario Kart game released? Is it, do you know it off the top of your head?

Ryan Braunstein: Ooh, has to be 19... Sorry, it's multiple choice. I'm guessing 1994. 1996.

Maddie: You're close, you're close. It's 1992, so we'll give it to you. I would say you're in the right range, because, yeah.

Ryan Braunstein: Okay. I'll be more patient on this next one. I just jumped on in there. I'm so sorry, Mat. That's on me. All right? Like...

Mat: I mean, I was going to say 1991, so I was closer than you.

Maddie: Yeah, it would have been Price is Right rules. He would have been closer without going over.

Ryan Braunstein: I think I was thinking of Mario Kart 64, which I think was definitely in the '96 territory, but yeah. Not the Super NES one.

Maddie: Yeah, for sure. Yeah, the OG, very first. All right, so on to the next question. And again, it's whoever goes first, but you guys, you both get the points. So you're often scanning for vulnerabilities, just like the characters in The Last of Us are scanning for fungi-infested zombies. So what is the name of the main male character in The Last of Us?

Ryan Braunstein: Yeah. Hang them back, all right?

Maddie: All right, Ryan.

Ryan Braunstein: You that?

Mat: I, I, is it Joel? Joel.

Ryan Braunstein: That's it. That's the one. Because it's not just an iconic video game. It is an iconic HBO series now. Maybe you've seen that.

Mat: I don't know how I knew that. I don't think I've played those games.

Maddie: Yeah, but I… It is, that's true. It's expanded beyond the video game world, that is true.

Ryan Braunstein: It's incredible. It's one of my top, Last of Us Part II is like my top favorite video game of all time right now, so.

Maddie: Yeah, it's pretty amazing. I like it a lot too. All right, final question. So the SecOps team is constantly making improvements to infrastructure and just in general. Obviously we talked a lot about that today and that's similar in the game series, Animal Crossing. It's kind of one of the things that you do as a player. So what game system was Animal Crossing New Horizons made for?

Ryan Braunstein: Yeah. I know this, Mat, but if you...

Mat: I might, why don't you go for it? I'll see if I'm right.

Ryan Braunstein: Alright, I'm pretty sure New Horizons is the Switch one, not the Game Boy Advance or 3DS one. Yeah. Yeah.

Mat: I was gonna say Switch.

Maddie: Yep. You guys are right. Yeah, that was the one that came out. Gosh, it was right, right before 2020. Yeah. Yeah. So that was a good. Yep.

Ryan Braunstein: During the pandemic. It was during the panini, you know? So yeah, it was this terrible panini. Yeah, I would not order that panini again. So yeah.

Mat: The panini. Worst panini ever.

Maddie: That's true. Definitely not. Yeah, not one I ever need to see again. All right, awesome. Well, Mat and Ryan, super great to have you guys on. Thank you so much for the insights and the video game knowledge as well. And to everyone listening, keep an eye out for a new Autonomous IT podcast every Tuesday and Thursday.

Mat: Nope.

Ryan Braunstein: Thanks for having us. See ya.

Mat: Awesome. Thank you so much.