Incident response involves processes beyond investigations, such as alert management, tuning detections, communication, tracking incident-related metrics, and handoffs, that can be tedious, repetitive, and time consuming, especially in our all-remote environment at GitLab. For that purpose, our incident response team has developed a set of (mostly) Slack-based tools to standardize incident response management, thereby reducing the technical as well as administrative overhead during incidents through automation (and even gamification!).
These tools leverage platforms like GitLab, Slack, our SIEM, PagerDuty, and Google Workspace to optimize the workflow of our busy incident response team. Our tools are operated within Slack and connect to our critical cloud-based systems for incident response, as well as to our automation platform, Tines. With these tools integrated into our incident response processes, we’ve automated alert deployment through our detection-as-code CI/CD pipeline, incident severity and priority scoring, team handoffs, incident life trackers that follow compliance guidelines, and labeling and metrics generation, and we’ve significantly reduced investigation time by, for example, automating operational communication feeds.
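To make the "severity and priority scoring" and "incident life tracker" ideas concrete, here is an added illustration of one way such logic can be expressed in code. It is not GitLab's tooling or scoring model: the CIA impact weights, the severity/urgency-to-priority matrix, the SLA targets per priority, the scoped-label naming (`severity::S2`) and the sample incident are all assumptions constructed for this example.

```python
"""Hypothetical incident severity/priority scoring with SLA-based life tracking.

Added illustration; the scales, weights, matrix and SLA targets are assumptions,
not GitLab's actual rules or tool code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed CIA impact weights; each rating is 0 (none) .. 3 (severe).
IMPACT_WEIGHTS = {"confidentiality": 3, "integrity": 3, "availability": 2}
MAX_IMPACT = 3 * sum(IMPACT_WEIGHTS.values())  # 24 with the weights above

# Assumed urgency classes: is the exposure still ongoing?
URGENCIES = ("active", "contained", "historical")

# Assumed severity x urgency -> priority matrix.
PRIORITY_MATRIX = {
    ("S1", "active"): "P1", ("S1", "contained"): "P1", ("S1", "historical"): "P2",
    ("S2", "active"): "P1", ("S2", "contained"): "P2", ("S2", "historical"): "P3",
    ("S3", "active"): "P2", ("S3", "contained"): "P3", ("S3", "historical"): "P4",
    ("S4", "active"): "P3", ("S4", "contained"): "P4", ("S4", "historical"): "P4",
}

# Assumed SLA targets (hours after detection) for each lifecycle milestone.
SLA_HOURS = {
    "P1": {"acknowledged": 0.25, "contained": 4, "stakeholders_notified": 24},
    "P2": {"acknowledged": 1, "contained": 24, "stakeholders_notified": 72},
    "P3": {"acknowledged": 4, "contained": 72, "stakeholders_notified": 168},
    "P4": {"acknowledged": 24, "contained": 168, "stakeholders_notified": 336},
}


def severity_from_impact(impact: dict) -> str:
    """Map weighted CIA impact ratings to S1 (worst) .. S4 (least)."""
    for dim, rating in impact.items():
        if dim not in IMPACT_WEIGHTS or not 0 <= rating <= 3:
            raise ValueError(f"invalid impact entry {dim}={rating!r}")
    raw = sum(IMPACT_WEIGHTS[d] * impact.get(d, 0) for d in IMPACT_WEIGHTS)
    ratio = raw / MAX_IMPACT
    if ratio >= 0.75:
        return "S1"
    if ratio >= 0.5:
        return "S2"
    if ratio >= 0.25:
        return "S3"
    return "S4"


@dataclass
class Incident:
    ident: str
    detected_at: datetime
    impact: dict
    urgency: str
    milestones: dict = field(default_factory=dict)  # milestone -> completed at

    def __post_init__(self):
        if self.urgency not in URGENCIES:
            raise ValueError(f"unknown urgency {self.urgency!r}")

    @property
    def severity(self) -> str:
        return severity_from_impact(self.impact)

    @property
    def priority(self) -> str:
        return PRIORITY_MATRIX[(self.severity, self.urgency)]

    def record(self, milestone: str, when: datetime) -> None:
        self.milestones[milestone] = when

    def sla_status(self, now: datetime) -> dict:
        """Per milestone: met / missed (done late) / overdue (not done) / pending."""
        status = {}
        for milestone, hours in SLA_HOURS[self.priority].items():
            deadline = self.detected_at + timedelta(hours=hours)
            done = self.milestones.get(milestone)
            if done is not None:
                status[milestone] = "met" if done <= deadline else "missed"
            else:
                status[milestone] = "overdue" if now > deadline else "pending"
        return status


def labels(inc: Incident) -> list:
    """Scoped-label style names (assumed convention) for tagging the issue."""
    return [f"severity::{inc.severity}", f"priority::{inc.priority}",
            f"urgency::{inc.urgency}"]


def slack_summary(inc: Incident, now: datetime) -> str:
    """Plain-text status line suitable for posting into an incident channel."""
    flags = ", ".join(f"{m}={s}" for m, s in inc.sla_status(now).items())
    return f"*{inc.ident}* {inc.severity}/{inc.priority} ({inc.urgency}) :: {flags}"


def sample_incident():
    """Constructed sample: detected 10:00 UTC, acknowledged after 10 min,
    still not contained at 15:00 (a P1 must be contained within 4 h here)."""
    detected = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    inc = Incident("INC-EXAMPLE-1", detected,
                   {"confidentiality": 3, "integrity": 2, "availability": 1},
                   "active")
    inc.record("acknowledged", detected + timedelta(minutes=10))
    return inc, detected + timedelta(hours=5)


if __name__ == "__main__":
    print(slack_summary(*sample_incident()))
```

The useful design point is that scoring is a pure function of recorded facts (impact ratings, urgency, milestone timestamps), so the same logic can run from a Slack command, a CI job, or a Tines workflow and always agree; the SLA check is evaluated against a supplied clock, which keeps it testable and lets a scheduler re-run it to nag the channel when a milestone goes overdue.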
In this workshop, we share this solution and the processes developed in-house, demonstrate how global incident response teams can build their own SOAR solutions that fit their requirements, and show firsthand how much our efficiency has increased. A portion of our own automation designs and scripts will be open-sourced at the conference.