Balancing the “Trinity” through the lens of SIRO

Published on March 22, 2024

Hello fellow readers ~

Today we would like to share some insights on what a Security Incident Response Officer (SIRO) does on a day-to-day basis, and how the SIRO leverages tools and workflow to balance the “Trinity” of cybersecurity operations. This is part 1 of the “Balancing the Trinity through the lens of SIRO” series, which covers the theory and the reasons why we embarked on this journey.

SIRO and “Trinity”

First of all, a SIRO is the officer who handles both offensive activities (e.g. penetration testing) and defensive activities (e.g. incident response, consultancy) in his/her day-to-day operations.

Now that you get the gist of what a SIRO is, you must be wondering what this “Trinity” is about.

“Trinity” (in Team Merlin’s context) refers to the areas of operation that Team Merlin’s SIRO has to work in day to day. The diagram below gives an idea of these areas of operation, which range from offensive to defensive activities.

Since the various operations are time-consuming and require dedication to every single item within each sector of the area of operation, there is a need to streamline some of the common activities through the use of tools to improve the workflow. With these increased requirements, Team Merlin’s SIRO set out on a quest to streamline the workflow through the use of tools. The following diagram gives an overview of the “quest line” the SIRO will be embarking on.

The quest to streamline the “Trinity”

In order to streamline the “Trinity”, we decided to map the different issues against the 3 identified areas of operation:

Once we had completed the breakdown, it was time to look for tools that could fit into the workflow we were trying to create. After some trial and error, we found that ProjectDiscovery and BishopFox have the potential to give us the right set of tools to create the workflow.

With the tools identified, the next stage is to use these tools to “blend” into our workflow.

“Blending” the tools into workflow

One of our workflows is the simplified Vulnerability Assessment, which performs the following on the target:

  1. Active and Passive information gathering on both infrastructure and web application
  2. Crawling of contents
  3. Discovery of vulnerabilities
  4. Reporting of vulnerabilities

With this workflow identified, the process of “blending” the tools into the workflow began. As with every new spike, this process took the most effort, as it involved fixing, integrating, testing and verifying the tools with the existing CI/CD pipeline to ensure that we could run it on GitLab. Below is the result after “blending” the tools into the workflow.

After months of spiking and testing the workflow, we have operationalised it: it is set up on GitLab, and with just two specific pieces of information, the pipeline is able to run through the workflow and generate the result.
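As an added example (not Team Merlin’s pipeline and not code from this post), here is a minimal `.gitlab-ci.yml` that chains ProjectDiscovery’s subfinder, httpx, katana and nuclei across the four workflow steps, with artifacts handing each step’s output to the next. The Docker image tags, the `TARGET_DOMAIN` variable, the file names, the rate limit and the fail-on-high gate are all assumptions.

```yaml
# Added example, not the page's pipeline; image tags, variable and file names are assumptions.
stages: [passive, active, crawl, discover, report]

variables:
  TARGET_DOMAIN: ""   # assumed input, supplied when the pipeline is run

# Step 1a: passive information gathering (nothing is sent to the target itself).
passive_recon:
  stage: passive
  image: projectdiscovery/subfinder:latest
  script:
    - '[ -n "$TARGET_DOMAIN" ] || { echo "TARGET_DOMAIN not set"; exit 1; }'
    - subfinder -d "$TARGET_DOMAIN" -silent -o subdomains.txt
  artifacts: {paths: [subdomains.txt]}

# Step 1b: active probing keeps only the hosts that answer HTTP(S).
active_recon:
  stage: active
  image: projectdiscovery/httpx:latest
  script:
    - httpx -l subdomains.txt -silent -o live_hosts.txt
  artifacts: {paths: [live_hosts.txt]}

# Step 2: crawl the live hosts to collect URLs for the scanner.
crawl:
  stage: crawl
  image: projectdiscovery/katana:latest
  script:
    - katana -list live_hosts.txt -silent -o urls.txt
  artifacts: {paths: [urls.txt]}

# Step 3: template-based vulnerability discovery, rate-limited so the scan does not overload the target.
discover:
  stage: discover
  image: projectdiscovery/nuclei:latest
  script:
    - nuclei -l urls.txt -silent -rate-limit 50 -o findings.txt
  artifacts: {paths: [findings.txt], when: always}

# Step 4: report; the job fails when critical/high findings exist so the pipeline is visibly red.
report:
  stage: report
  image: alpine:latest
  script:
    - touch findings.txt
    - high=$(grep -cE '\[(critical|high)\]' findings.txt || true)
    - 'echo "critical/high findings: $high"'
    - '[ "$high" -eq 0 ] || exit 1'
```

The post does not say which two inputs its pipeline takes, so `TARGET_DOMAIN` is only a stand-in for that input; the grep in the report step relies on nuclei’s default text output, which tags each finding with its severity in square brackets.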

The end result of the workflow:

In this article, we shared the reasons why we embarked on this journey of improving and enhancing the areas of operation through the use of tools and workflow. As you can see, the streamlining and “blending” of tools into a workflow can help to achieve the following:

  1. Allows automation of repetitive tasks
  2. Streamlines the set of tools to be used
  3. Lower learning curve for the tools to be used
  4. Easier management and patching of the tools used

We hope that this article will help you to start the journey of streamlining these tasks to achieve efficient operational capabilities. In the next article, we will deep dive into the “brain” and the blueprint that powers the whole workflow.

Do share and discuss in the comment section below on your own experiences. Till then, stay safe and keep learning!

🧙🏼‍♀Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.

Balancing the “Trinity” through the lens of SIRO was originally published in Government Digital Services, Singapore on Medium.