This post was previously published on The New Stack
When you hear the term “chatbot,” your mind may at first turn to things like robotic customer support services on retail websites – a relatively mundane use case for chatbots, and one that is probably hard to get excited about if you’re a security engineer.
But chatbots can do much more than provide customer support. They can also streamline security automations and help teams work together more efficiently when identifying, researching and reacting to threats.
If that’s not exciting to security engineers, we don’t know what is. Keep reading for details on how chatbots can help security teams work smarter and faster, while also maximizing the benefits of other security automation tooling they have in place.
What Is a Chatbot?
A chatbot is an automation tool that can disseminate information, facilitate conversations and/or undertake actions in response to commands.
Some chatbots are designed to simulate human actors, meaning they are supposed to hold conversations similar to those you could have with a live human. However, not all chatbots work this way (and those used for security automation usually don’t). In a more generic sense, a chatbot is any tool that helps to streamline conversations, not necessarily one designed to simulate human conversational intelligence.
How Security Chatbots Work
In the context of security operations, chatbots can be deployed to initiate and manage conversations among human actors about security activity.
For example, a security chatbot could be configured to announce in a Slack channel that a security risk has been detected. From there, engineers who are part of the Slack channel could ask the chatbot for further information about the threat, such as which logs are associated with it or what the severity level of the threat is. In some cases, they may also be able to issue commands to the chatbot to direct it to take automated actions, like blocking an offending IP address.
When chatbots are used in this way, they enable a ChatOps approach to security operations. ChatOps is a practice that uses automated chats – meaning conversations between human and machine actors – to streamline workflows and the sharing of information.
The Benefits of Chatbot Automation for Security Operations
By leveraging chatbots for automation in this way, security teams gain a range of benefits:
- Centralized communication: Chatbots help to provide a centralized communication interface that all stakeholders can use when researching a security incident. Since interactions with the chatbot are visible to multiple actors, information is as visible as possible, and everyone can track the status of security incident response.
- Simplified response: Instead of having to sort through backend systems manually to view context about security events, engineers can ask chatbots directly to provide that information in a shared channel. Not only does this save time, but it also helps to ensure that everyone sees the same information.
- Always available: Unlike human engineers, chatbots never sleep – or even get distracted. That means that they can instantaneously announce new threats or updates on an existing security workflow, regardless of the time of day or who is on call.
- Record of response: The chat that chatbots facilitate becomes a record of the actions taken in response to an incident. If you need to determine who did what after the fact, you can use your historical chat data to do so.
In all of these ways, chatbots and ChatOps effectively serve as a front door to security automation. Although chatbots on their own don’t enable full security automation (for that, you need a security automation framework), they provide a centralized, user-friendly interface that stakeholders can use to request information or trigger automated security workflows.
Getting Started with Security Chatbots
What makes chatbots even better in the context of security is that they are relatively easy to set up. And if you have a security automation tool like Torq, you can take advantage of built-in integrations with chat platforms like Slack or Teams to deploy bots in just a few steps.
Once deployed into the chat system of your choice, chatbots provide a frontend for interacting with the rest of your security automation framework. You can also configure custom commands (like Torq slash commands), which your team can then use to trigger whichever actions they want from your chatbot.
You don’t need a chatbot to take advantage of security automation. But chatbots can help you get the most out of the other security automation tools you’ve deployed. They centralize security operations and maximize visibility, no matter which communication tools your team uses.