Name: Friday Flows Episode 7: Elastic Alert Response with Cases & Slack
Start: 2023-10-03T14:09:00Z
End: 2023-10-03T14:09:13.000Z
Location: BrightTALK

Smart, secure workflows for your whole team. The world's best companies
— from startups to the Fortune 10 – trust Tines to powerfully manage their
mission critical workflows, automatically responding to and remediating
alerts in real time.

In today’s Friday Flows, Conor Dunne, from the Tines Labs team, walks us through a new story using AI to create cases and act on CrowdStrike alerts.

As is the case with many alerts, there’s a lot of information, but it’s not always very clear. He first uses AI to simplify & normalize the data.

Once that is done & a case is created, we can also use AI to act as a security analyst and respond with one of four actions:
Suspend a user account
Isolate a host
Block a URL
Alert the security team using PagerDuty

In this demo, the AI was confident enough to block the URL, so it took action. If the confidence is not high enough, it will provide a recommendation but allow the analyst to take action manually.

I love this example because it’s a natural evolution of stories that Tines users have built for years: take an alert, enrich it, create a case, and help an analyst act. But with the developments in AI, it’s now much easier to parse the information & act with fewer manual steps.

Friday Flows Episode 28: Use AI to create cases and act on CrowdStrike alerts

We're excited to bring you another workflow from the Tines library and to introduce your new Friday Flows host Cameron Higgs! The legendary Blake Coolidge is handing over the reins for a season but he'll be back on your screens before too long.

In this episode, Conor Dunne walks Cameron through a workflow that pulls leads related to the Amazon Web Services (AWS) environment flagged by Hunters and searches for users with unauthorized permissions.

Friday Flows Episode 27: Disabling AWS User from Hunters Alert with Jira Prompt

Tyler Talaga, Staff Engineer at MyFitnessPal, is one of the early adopters of Tines' AI capabilities.
In this special "Wednesday Workflows," Tyler walks through a story he built to improve the visibility of Change Control requests.
This workflow routes Change Control requests to Slack with a detailed summary provided through the AI Action, helping the team quickly approve (or deny) a change.
The MyFitnessPal team is building many new, helpful automations with the AI capabilities, including one to summarize vulnerabilities fixed in MacOS updates. An automatic transform parses out the raw HTML in Apple's release notes, kicks a table to an AI action to evaluate for a particular link, and then passes to another AI action to rank vulnerabilities based on risk & provide the notes to the security team.
Big shout out & thank you to Tyler & the extended MyFitnessPal team for their continued innovation!
If you'd like to see a Tines demo with the newest AI features, you can request one here: https://www.tines.com/book-a-demo

Friday Flows Special Edition: Change Control with AI Summary

Stephen O’Brien, Head of Product, will walk through our journey to introducing AI in Tines. He’ll cover key questions you asked us, and the ones we asked ourselves as we tested and iterated with this innovative technology.

Journey with AI from research to practical implementation
Best practices with interacting in Tines
Next steps for AI in Tines
We’re extremely excited about the usability improvements we built and how they’ll reduce friction for both our advanced and novice users alike. Register for the webinar to learn more.

AI in Tines | Product Spotlight

In this week’s episode of The Future of Security Operations podcast, Thomas is joined by Nicolas Chaillan. Nicolas is a security leader who has held several high-profile roles in US federal agencies including Chief Software Officer for the US Air Force and Space Force, Special Advisor for Cloud Security and DevSecOps at the Department of Defense (DOD), and Special Advisor for Cybersecurity and Chief Architect for Cyber.gov at the Department of Homeland Security. He is also the founder of no less than 13 companies, including Ask Sage, a GPT-powered platform that brings Generative AI capabilities to government teams.

Nicolas and Thomas discuss:

- Building the US government's first zero trust implementation

- Putting Kubernetes on jets and space systems

- The challenges of bringing new technologies to the federal government

- How the threat landscape will continue to evolve for US federal agencies

- The biggest mistakes entrepreneurs make

- How cross-team collaboration helped him create meaningful change at the DOD

- The future of AI in security

- The inspiration behind his AI-powered platform, Ask Sage

The Future of Security Operations is brought to you by Tines, the smart, secure workflow builder that powers some of the world’s most important workflows. https://www.tines.com/solutions/security

Sage's Nicolas Chaillan on moving the DOD to zero trust and deploying Kubernetes

In this week’s episode of The Future of Security Operations podcast, Thomas is joined by George Griesler. George has been working in cybersecurity since 1997, when he assumed the role of Senior Network administrator at the United States Golf Association (USGA), eventually advancing to Director of Information Security. He currently serves as the Senior Director of Cybersecurity at the National Football League (NFL), where he works to secure events like the Super Bowl, which in 2024 was the most-watched telecast ever.

George and Thomas discuss:

- What security operations looked like in 1997
- Protecting the secrets of regulation golf equipment at the USGA
- The shift in security and privacy needs at live sports events
- Securing scents, flavors, and other chemical formulations at IFF
- Preparing for Super Bowl LXXVIII in the wake of the MGM Resorts cyber attack
- The Super Bowl threat profile, from scoreboard hacking to stadium credentials
- Collaborating with cybersecurity experts from CISA, the FBI, Caesars Palace, and the MGM Grand.
- Aligning security operations with physical security
- The reality of working on high-pressure events
- The benefits of knowledge sharing with other teams working on live sports events
- The importance of relationship building across internal security teams:
- The potential of automation, orchestration, and AI in incident response

The NFL's George Griesler on securing the Super Bowl and reducing risk

Don't have a technical background, but want to create automations that can help your daily work?

Check out Tines University: https://lnkd.in/eVuaVKbd

Andrew Lee, a Business Development Rep here at Tines, recently completed the certification & learned how to create Tines stories. In this Friday Flows, he walks through an API Pagination story to grab Star Wars characters.

No matter your skill set, it's easy to get started. In a matter of weeks, you'll be prepared to build powerful workflows and start reducing mundane, repetitive tasks.

Friday Flows Episode 25: API Pagination with Andrew Lee

Intercom moved from taking 2 months to build a workflow to taking 2 hours using Tines.

Join us as we explore how Intercom’s IT team used Tines to boost efficiency by overhauling their workflows.

As well as using Tines for themselves, the IT team provides the guardrails by which they can share Tines with other teams in their business and allow these teams to automate their own workflows without worrying about compliance, sensitive data etc.

What to expect from the webinar:

A summary of how Intercom used to build and manage workflows compared to what they are doing now with Tines.
How Tines can help your IT infrastructure/IT support/ Cloud Security/ Customer solutions teams.
Q&A session with Tines and Intercom to answer your questions

Intercom's Journey to an IT Automation Center of Excellence

In this week’s episode of The Future of Security Operations podcast, Thomas is joined by Adam Khan. Adam is a cybersecurity and technology leader with over 25 years of experience working at Fortune 500 companies. He has a proven track record of building and managing global security teams, leading engineering, infrastructure, application, and product, and is currently VP of Global Security Operations at Barracuda.

Adam and Thomas discuss:
- Building discipline and resilience by working on SRE teams
- How a well-known DDoS attack changed his career path
- Using automation to reduce alert fatigue
- Strategies for plugging the security skills gap
- The potential of AI-driven XDR
- How cyber attacks are evolving in the age of AI
- Lessons learned from researching the history of cybersecurity
- Empowering teams to do their best work
- Creating a culture of continuous learning

Barracuda's Adam Khan on AI-driven XDR and plugging the security skills gap

93% of security practitioners believe that more automation would improve the work they produce.

Join us as we explore how Mars used Tines & Wiz to identify and remediate security risks within their cloud infrastructure with automated workflows. Along with insights on how to leverage Tines and Wiz, webinar attendees will hear directly from Mars about the impact these platforms have had on their business resilience and security culture.

What to expect from the webinar: A panel discussion covering:
- How Tines and Wiz can improve cloud security and reduce friction in current processes
- Insights from Mars on their investment in enhanced detection and response
- How companies can use these insights to operationalize cloud detection and response across their - teams and make security a team sport
- How to set security goals that are visible across the C-Suite
- Q&A session with Mars, Tines and Wiz

Remediating Mars’ Cloud Security Risks with Wiz and Tines

In this week’s episode of The Future of Security Operations podcast, Thomas is joined by Matt Johansen. Matt is a security veteran who has helped defend startups, the biggest financial companies in the world, and everything in between. Alongside his day job as Head of Software Security at Reddit, he teaches companies how to protect against cyber attacks, and coaches entrepreneurs and CISOs that need help with infrastructure, application, cloud, and security policies. He also writes Vulnerable U, a weekly newsletter that talks about embracing the power of vulnerability for growth.

Thomas and Matt discuss:

- Moving from a large security team at Bank of America to a small one at Reddit
- Embracing scrappiness and doing more with less
- Overcoming sunk-cost fallacy
- Why the 2014 Sony hack was a pivotal time for AppSec
- Running the threat research centre at White Hat
- What he looks for when hiring in AppSec, the SOC and beyond
- His decision to start creating content about mental health in security
- Moving past imposter syndrome
- Renouncing superhero culture
- Paved paths and guardrails, and what comes next after "shift left"
- Lessons learned from Reddit's 2023 security incident
- The power of automating incident response

The Future of Security Operations is brought to you by Tines, the smart, secure workflow builder that powers some of the world’s most important workflows. https://www.tines.com/solutions/security

Reddit’s Matt Johansen on renouncing superhero culture

Great Friday Flows today with Conor Dunne. He built this story to send notifications when a new device is enrolled in Jamf, check CrowdStrike to see if the device is also located there, and respond to a Slack thread with the findings.

They have impressively:

Reduced workflow build time by 95%, compared to Python
Have 4x more team members automating
Saved 150 hours in the first month of using Tines

Friday Flows Episode 24: Verify Crowdstrike is present on new devices in Jamf

This week on The Future of Security Operations podcast, Thomas is joined by Prima Virani. Prima is a security engineer who worked across industries as varied as oil and gas and Fintech before becoming Principal Security Engineer at Twilio. With over a decade of experience spanning infrastructure security engineering, incident detection and response, and forensics, she's also shared insights at countless security conferences around the world, including SecTOR Canada and Agile India.

In this episode, Prima and Thomas discuss:

- The unique challenges of working in forensics
- Her transition to detection and response and cloud security
- Building a security detection framework at Segment
- Reducing mean time to resolve through automation
- Using data to prioritize which processes should be automated
- Merging teams and technologies when Segment was acquired by Twilio
- Joining the securing platform engineering team at Twilio
- Designing a challenging and varied career in security
- The influence of mentorship on career growth
- Democratizing security through knowledge sharing
- How security will change in the next five years

Twilio's Prima Virani on tackling burnout through automation

"This is a great example of the power of Tines. You can automate something simple, but also very manual & time-consuming."

Michael Tolan continues our cloud security series & walks us through a workflow to easily identify and manage Azure Entra ID guest accounts detected by Wiz. In seconds, take action by disabling or deleting any undesired guest accounts via a Tines page.

Friday Flows Episode 23: Retrieve and respond to Azure guest accounts with Wiz

On this episode of The Future of Security Operations podcast, Thomas is joined by Andrew Santell. Andrew is an experienced security leader who worked for the U.S. Navy for over a decade before moving into the private sector. In 2021, he founded the Security Operations program at Netflix, and recently, he joined edge cloud platform Fastly, where he is the Director of Security Operations and Cyber Defense.

In this episode, Andrew and Thomas discuss:
- Navigating the unique challenges of the Navy, from log management to prioritization
- Making the leap from the Navy to tech
- Building a security operations team and program from scratch at Netflix
- Red teaming phishing response playbooks at Netflix to test their effectiveness
- Recognizing the value of good processes
- Why teams should design processes first, automate later
- Creating a feedback loop between teams at Fastly
- How “shifting left” has helped Andrew’s team reduce vulnerabilities
- Using automation for risk assessment at Fastly
- Andrew’s approach to incidents like the Log4J vulnerabilities 
- Why growth in the vendor market is a good thing for practitioners 
- Why automation should be a requirement, not just a best practice
- What advancements in AI mean for threat detection
- The importance of risk-based decision-making
- The potential of self-remediation 
- Why good security leadership starts with taking care of your people

Fastly’s Andrew Santell on going from the Navy to Netflix

A fundamental pillar of cybersecurity continues to be employee education & awareness.

Today's Friday Flows features an easy way to test your employees & teach them to keep an eye out for suspicious emails.

This Tines story created by Conor Dunne grabs a list of employees from your HR system and sends them a simulated phishing email. A Tines Case will be created to track if a link in the email is clicked.

Friday Flows Episode 22: Run a Simulated Phishing Attack on your employees

To kick off season 5 of the Future of Security Operations podcast, Thomas is joined by Mandy Andress. Mandy is the Chief Information Security Officer at Elastic, a leading platform for search-powered solutions, and has more than 25 years of experience in information risk management and security. Before Elastic, Mandy led the information security function at MassMutual and established and built information security programs at TiVo, Evant, and Privada. She also founded an information security consulting company with clients ranging from startups to Fortune 100 companies.

In this episode, Mandy and Thomas discuss:

- Her move from accounting to security 
- Why she was drawn to Elastic's employee-centric culture
- How her role at TiVo in the early '00s shaped her view of privacy
- Switching from a technology-first to people-first approach to security
- Recognizing the human factor in incident response 
- Embracing asynchronous operations on dispersed teams
- The importance of bringing your authentic self to work 
- Staying technical as you move into leadership
- How she puts her law degree to use as a CISO
- Balancing compliance and overall security posture
- Collaboration and knowledge sharing within the CISO community
- Elastic's approach of knowledge sharing by default
- How prioritizing analyst time will be critical in the future of SecOps
- Adopting an infrastructure-as-code approach
- Balancing between proactive security measures and reactive responses
- Building a culture of security across the organization
- Tips for surviving in security operations in tech

The Future of Security Operations is brought to you by Tines, the platform that powers some of the world’s most important security workflows. https://www.tines.com/solutions/security

Elastic's Mandy Andress on switching to people-first approach to security

Learn more about one of our most popular workflow templates: Onboard Employees & Grant Access to Specific Tools where Conor Dunne shows how easy it is.

Friday Flows Episode 21: Onboard Employees & Grant Access to Specific Tools

Launching an AWS EC2 instance can be done in seconds, but are they being set up securely for success?

In today's Friday Flows, Michael Tolan helps us celebrate the 700th Tines Story Library addition with a look at a customer submitted workflow to audit and remediate default security groups for virtual machines in AWS.

Friday Flows Episode 20: Regularly Update Insecure AWS EC2 Security Groups

Analyst’s often take in IOCs from many different sources and manually copy & paste them into security tools to search for them across environments or add them to blocklists. This can be time-consuming & repetitive.

This Friday Flows features a workflow that utilizes APIs to easily manage IOC’s in CrowdStrike & collaborate with peers in Slack.

Friday Flows Episode 19: Manage CrowdStrike IOCs in Slack

Learn how Intercom is automating use cases like:

Employee lifecycle management
Hardware issue reporting
Access request management
Security alert notifications

"For a long time, we’ve had this goal to empower other people in our company to automate their own processes, without having to wait on engineers to have bandwidth."

With an interface that teams in IT infrastructure, cloud security, IT support, and customer solutions can easily use, Tines is helping Intercom create that all-important culture of secure automation faster.

Friday Flows Episode 18: How Intercom's IT team boosts efficiency with Tines

Tines & Teams... has a nice ring to it!

Rosie Halpin, our newest Product Manager, walks through the new & improved ways to quickly get connected, start sending messages, and build powerful automations that send relevant information to users in Teams.

Aaron Sandow said it's now so simple & easy to use he could teach his grandparents to connect Tines to Teams!

Friday Flows Episode 17: How to authenticate Microsoft Teams for use with Tines

Monitor Intercom (or any channel like Zendesk, Slack, email, etc.) to scan messages for data leak.

This Tines story can help catch sensitive information and help you stay proactive by automatically creating a case for your team to manage.

Friday Flows Episode 16: Monitor Intercom with Nightfall

Data enrichment can come from many different places. Often this information resides inside of internal databases.

The process to get this data can be complicated today. You may have to install ODBC connectors and then start writing it out in code. Sometimes you can use a management tool, like SQL Management Studio, which has great displays, but take up a lot of memory on your computer.

Instead, Tines can connect to these data sources so the automation pipeline can include customer specific data points.

Jesse Strivelli runs through a few different Story examples, including pulling data from Amazon Web Services (AWS), MongoDB, Snowflake, and Amazon DynamoDB.

Friday Flows Episode 15: Automating with Database Integrations

It took us 14 episodes but we're finally highlighting the #1 most popularly used story in the Tines Library.

Investigating phishing email senders, URLs, and attachments can eat up hours of an analyst’s time - this Tines story demoed by Michael Tolan does everything for you.

Connecting services like VirusTotal, urlscan.io, and EmailRep from Sublime Security across multiple story forks, it includes several options for submitting suspicious emails and displaying the results.

Friday Flows Episode 14: Analyze phishing email senders, URLs, and attachments

On this Friday Flows Jesse Strivelli shares a side-by-side comparison of an automation written in Python & built in Tines.

The workflow is around triaging alerts for an eCommerce business. The goal is to ingest the alert, enrich & get further analysis, and take action if there's a high-risk score.

Jesse has been a software developer at Fortune 100 organizations for most of his career. And while coding remains near & dear to his heart, he shares how building in Tines now saves him time & headaches.

Friday Flows Episode 12: Building in Python vs Tines with No Code

The question of the week from a customer was: “How do we use Tines with our Infrastructure-as-Code methodology?”

Today we’re looking at how to automate processes around Terraform Cloud, like documentation, opening tickets, and getting approval for changes in the cost of the infrastructure.

Use this workflow to save time, maintain consistent records for audits, and manage incremental infrastructure costs.

Friday Flows Episode 11: Respond to & configure Terraform Cloud run task

What happens when a team member reports a lost laptop on a Friday evening? In most cases, it doesn't get locked down by IT until Monday morning 

Enter automation. This Tines story created by Conor Dunne allows users to mark the device as lost and prevent further access through Jamf.

Conor & the Labs team will be recording more walkthroughs like this & adding them directly to the Story Library to help you bring them to life in your tenant.

Friday Flows Episode 10: Lock Down Devices with JAMF & Duo Security

A common challenge we hear from IT teams is the constant barrage of requests for applications.

These can come from new hires, people transitioning roles, consultants & third-parties, etc.

Whitney Young runs through a great story using Tines pages where folks can initiate a self-serve application request that triggers an automation workflow to:

1. Open a new Jira ticket
2. Slack the IT team for approval
3. Grant or deny access for a specific amount of time
4. Remove access when time expires

Friday Flows Episode 9: Grant Temporary Application Access with Pages

This week’s Friday Flows features our first Community-built story. Big thank you to Christopher Cutajar for sharing his “Manage Elasticsearch and GKE clusters via Slack” workflow and for highlighting the great work of his team at Elastic overall.

"As a team, we've built quite a lot of stuff. Both Tines and Elastic are easy to work with & provide value not just with security, but provide a platform for anyone technical or non-technical to enable the business."

Friday Flows Episode 8: Manage Elasticsearch and GKE clusters via Slack

The strides in GenAI have been remarkable this year, but we're all still trying to figure out how to impact our day-to-day work. 

In this demo, we use AI in the best way we know how to at Tines: by speeding up a security analyst's work and making their life a little easier! 

Use ChatGPT to normalize alert formats, in this case from CRWD. Alerts from multiple sources are converted into a standard format for easier processing by a SOC, and a ticket is then created.

Friday Flows Episode 6: Normalize Alerts with ChatGPT

Spending too much time enriching, analyzing, and administering CrowdStrike alerts?

Our #1 CrowdStrike Story can help you automate your EDR playbook by digesting the alert, automatically enriching the alert, opening a case, creating metrics, and notifying the right analysts when needed.

Then need to take a response action?

Tines can help facilitate that process too with Cases. From one place, multiple tools can be connected painlessly.

Friday Flows Episode 5: Analyze CrowdStrike Detections

This Story will run a given CrowdStrike RTR command against a provided Host ID. All default RTR scripts can be used.

Friday Flows is highlighting a few CrowdStrike-related stories ahead of Fal.Con later this month.

Friday Flows Episode 4: Run a Crowdstrike Realtime Response Command

Employee onboarding & offboarding. Often owned by both IT & security, and ripe for automation to help reduce repetitive manual work & human error.

Topics covered:
1. How Tines uses Tines.
2. A demo of New Hire Onboarding with systems like BambooHR, Atlassian, Okta, and Slack.
3. How PathAI is saving 45 minutes per onboarding request compared to manual processes.

Friday Flows Episode 3: Employee Onboarding & Offboarding

Join Blake and Chris as they talk through Threat Intelligence Enrichment

Friday Flow Episode 2: Threat Intelligence Enrichment

First in a series of short videos showing a simple use case in each episode. In this episode we run through an overview of what Tines is and how it works.

Friday Flows Episode 1: Tines Overview

Friday Flows

The majority of SOC teams are overworked & under-appreciated. Generally, they get flooded with alerts. There aren't enough human beings or resources to deal with the volume of alerts.

So teams will 'turn down' their SIEM solutions so that they can deal with a realistic volume.

The downside is that you're going to miss alerts you should deal with & you're going to get a lot of false positives."

Stephen Creedon shares a highly popular Tines workflow to do the opposite: turn your SIEM (Elastic) up to 100 and let smart, secure workflows built by you & powered by Tines take care of the analysis for you.

Friday Flows Episode 7: Elastic Alert Response with Cases & Slack

SIEM

Security Automation

Cloud Security

Cloud

Cyber Security

Information Security

IT Security

Security Operations

Security Strategy

Application Security

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Friday Flows Episode 7: Elastic Alert Response with Cases & Slack

Presented by

About this talk

Tines