
Using the Automox API to Fight Alert Fatigue With Beacons and Spider Bots

September 17, 2018

Those who work in the tech industry understand the incredible value that the current generation of digital dashboards adds to the business process. In the past, the appearance and capabilities of ‘dashboards’ were pretty abysmal and overwhelming. Anyone remember MRTG?

At Automox, we have dedicated a significant amount of time to ideating, updating, and improving the UI of our console. Specifically, we have designed our console to avoid what the medical industry refers to as alert fatigue. Alert fatigue results from individuals being bombarded by alerts that are often non-critical and distracting. Unfortunately, this leads to desensitization and causes individuals to miss or ignore important updates or actions.

With the ever-increasing amount of data and tools available for use within the digital landscape, the reality is that even the best of us can have a hard time keeping up with action items stemming from the large quantity of alerts we receive every day. In the security information and event management (SIEM) world, this can start to happen when a system has not been tuned and too many alerts are delivered.

As I pondered this topic and its relation to Automox, I thought, “What if there was a device that existed in the real world which displayed hosts that need patching, using Python and the Automox API?” As it turns out, I was able to create this device with the Onion Omega 2 IoT device.

Note – to try this at home, you will need an Onion IoT device and the OLED Expansion shield. You can find both of these things here. Onion makes setup easy: just follow their step-by-step guide.

TL;DR

If you want to skip the code below and see these physical alerts in action, check out the video below. This video shows how to use the Automox API to look for unpatched hosts. To demonstrate the capabilities of the Automox API, we’ve set up two real-world examples of physical alerts: a police beacon light and a spider robot. If more than 5% of hosts have missing patches, the spider will start walking across a desk, or the beacon light will begin to go off.


Step 1: Installing Prereqs

To do this yourself, the first thing you will need to do is log in and install Python 3 along with the two modules the script uses:

root@Omega-94A2:~# opkg update
root@Omega-94A2:~# opkg install python3
root@Omega-94A2:~# opkg install python3-pip
root@Omega-94A2:~# pip3 install requests
root@Omega-94A2:~# pip3 install prettytable

Step 2: Python

In a previous blog post, we introduced you to using the Automox API to find hosts with missing patches. To complete the task in this post, all we need to do is modify that script to display data on the OLED board. There is a Python module that can be used to do this, but the oled-exp shell command is much easier. We will call it with subprocess.

The function we’ll add is shown below. It uses oled-exp to write a message and send it to the screen:

import subprocess

def writeLCD(msg):
    # Write msg to the OLED Expansion via oled-exp. Passing an argument list
    # instead of a shell string (shell=True) keeps a host name containing
    # quotes or shell metacharacters from breaking or altering the command.
    oledCmd = ["oled-exp", "-i", "-c", "write", msg]
    sendMsg = subprocess.run(oledCmd, stdout=subprocess.PIPE).stdout.decode().strip()
    return sendMsg

Step 3: Running Code

The full code can be found here, but the usage is shown below:

usage: onion.py [-h] [--limit LIMIT] [--csv] [--table] [--lcd] [--light]
                apiKey

Automox API Example

positional arguments:
  apiKey         API Key

optional arguments:
  -h, --help     show this help message and exit
  --limit LIMIT  Limit results to X
  --csv          Output as CSV
  --table        Output as table
  --lcd          Output on Onion LCD

To query your domain, simply pass in the API key (found under Settings in the Automox Console) and --csv or --table.

Passing --lcd updates the physical IoT device instead. The device could sit on a desk and increase situational awareness, helping to avoid alert fatigue:

root@Omega-94A2:~# ./onion.py 1112222333444555666 --lcd

Step 4: Sound the Alarm

IoT devices like the Onion allow us to go a step further. Here, we can make an old-timey police light flash when there are hosts out of compliance. The one used in this demo can be purchased on Amazon, along with the Relay Expansion board from Onion.

Since the flashing light uses mains power, be very careful if you decide to copy this example. First, make sure it is disconnected from the wall. Then, unscrew the thumb switch, strip the ends, solder them so they do not fray, and attach to the relay:

Since this is mains power, best practice is to take an extra bit of caution. In this example, I used two pieces of 4"x3" plexiglass to make an enclosure. Be sure to make a hole for accessing the screw terminals on the relay:

Now, we are simply going to add a --light argument to the argparse function and use the command line tool relay-exp. We’ll turn the relay on, sleep for 30 seconds and then turn it off:

import subprocess
import time

def writeLight():
    # Close relay 0 to power the beacon, wait 30 seconds, then open it again.
    relayOn = ["relay-exp", "-i", "0", "1"]
    relayOff = ["relay-exp", "-i", "0", "0"]
    sendLight = subprocess.run(relayOn, stdout=subprocess.PIPE).stdout.decode().strip()
    time.sleep(30)
    sendLight = subprocess.run(relayOff, stdout=subprocess.PIPE).stdout.decode().strip()
    return sendLight

Step 5: Spider Bot Fun

Why stop with a flashing beacon light? Nothing would grab a sysadmin’s attention better than a spider bot walking across their desk. To do this, I used a cheap spider bot kit and simply hooked it up to the relay (see above). Pro tip: you may wish to make the sleep shorter so it doesn’t walk right off your desk.
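Putting Steps 2 to 5 together, here is an added example (not the post’s onion.py and not Automox’s code) that turns the host list into the OLED line and applies the post’s “more than 5%” rule before closing the relay. The /servers path, the bearer-token header and the pending_patches field are my assumptions about the Automox API; the sample host list is constructed so the logic runs without a console or an Omega.

```python
import json
import subprocess
import time
from urllib.request import Request, urlopen

ALERT_THRESHOLD_PCT = 5.0  # the post's trigger: more than 5% of hosts missing patches

def fetch_servers(api_key, base_url="https://console.automox.com/api"):
    """Pull the host list. The /servers path, the bearer header and the
    'pending_patches' field are assumptions about the Automox API, not
    details from the post; check the API docs and adjust if they differ."""
    req = Request(base_url + "/servers", headers={"Authorization": "Bearer " + api_key})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)

def unpatched_hosts(servers):
    """Names of hosts reporting at least one pending patch."""
    return [s["name"] for s in servers if s.get("pending_patches", 0) > 0]

def unpatched_percent(servers):
    if not servers:
        return 0.0
    return 100.0 * len(unpatched_hosts(servers)) / len(servers)

def lcd_message(servers):
    """One short line for the OLED, e.g. 'Unpatched 2/20 (10.0%)'."""
    return "Unpatched {}/{} ({:.1f}%)".format(
        len(unpatched_hosts(servers)), len(servers), unpatched_percent(servers))

def should_alarm(servers, threshold=ALERT_THRESHOLD_PCT):
    """Strictly more than the threshold, so exactly 5% stays quiet."""
    return unpatched_percent(servers) > threshold

def run_exp(args):
    # Argument list, no shell=True: a host name with quotes or shell
    # metacharacters is passed literally and can never alter the command.
    return subprocess.run(args, stdout=subprocess.PIPE, check=False).stdout.decode().strip()

def alert(servers, relay_seconds=5):
    run_exp(["oled-exp", "-i", "-c", "write", lcd_message(servers)])
    if should_alarm(servers):
        run_exp(["relay-exp", "-i", "0", "1"])  # beacon light / spider bot on
        time.sleep(relay_seconds)                # short, so the spider stays on the desk
        run_exp(["relay-exp", "-i", "0", "0"])

# Constructed sample data (not real Automox output): 20 hosts, one with pending patches.
SAMPLE_SERVERS = [{"name": "host-%02d" % i, "pending_patches": 0} for i in range(19)]
SAMPLE_SERVERS.append({"name": "db-01", "pending_patches": 3})
```

On the Omega, call alert(fetch_servers(api_key)) from the script’s --lcd/--light branch; with the sample list, one host in twenty is exactly 5%, so the OLED updates but the relay stays open.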

Conclusion

While this was a lighthearted post, I always think it is worth presenting cyber intelligence in a manner that is easy to digest. I hope this post made your wheels start turning in terms of creating new and innovative ways to help fight alert fatigue. As always, feel free to email me if you have any questions: mcmanus@automox.com.

About Automox

Automox is a cloud-based patch management and endpoint protection platform that provides the foundation for a strong security framework by automating the fundamentals of security hygiene to reduce a company’s attack surface by over 80 percent. A powerful set of user-defined controls enables IT managers to filter and report on the vulnerability status of their infrastructure and intuitively manage cross-platform OS patching, third party patching, software deployment, and configuration management. To sign up for a free, 15-day trial of Automox’s cloud-based, automated patch management solution, visit www.automox.com/signup.

Joe McManus, CISO


Joe is a Senior Cyber Security Researcher at CERT and a Professor at the University of Colorado College of Engineering where he teaches graduate courses in information security and forensics. Recently, Joe was the Director of Security at SolidFire, (acquired by NetApp [NTAP]). He is an avid cyclist, climber and leads the Automox security team.
