6 months in: The future of Open Source SOAR — Shuffle 0.8

Frikky, published in Shuffle Automation · 9 min read · Nov 20, 2020

Shuffle is an open source automation platform for and by the security industry. Our goal is to help the cyber security industry by providing collaborative tools for automation. We were initially released as an Open Source project on the 20th of May 2020, six months ago. Since then it has seen huge success in user adoption, feature additions, bug fixing and business development. This post will outline what’s happened and what we’re doing going forward.

As previously described, Shuffle started as a passion project to make automation accessible and understandable by security analysts and their management, which is still our mission. Overloaded with the same alerts every day? Use Shuffle. Don’t know what to “fix next”? Check Shuffle. Don’t know if your team is efficient? Check Shuffle. It’s a platform for automating everything.

…But building that takes a while. We’re now at a crossroads: not in terms of goals and motives, but in how we’ll get there. Shuffle has primarily been made by me (Frikky), with the help of a handful of awesome contributors, as well as some friends, but it has become “too big” for me to handle part time (10–15 hours a week). We’ve had multiple investment, acquisition and partnership opportunities, but have decided to focus entirely on the product itself. I still want to focus on the product, while also making a living. That’s what this post is about. How can we be open source and serve the community, yet thrive in our personal lives? Before we get there, I’d like to start with what has happened since launch. It’s been a fun half-year of development.

What’s happened?

Six months ago, Shuffle was released as a bare-bones project without much testing or features. Within a few weeks, it became stable, and we saw a steady rise in the number of users. Over time, as development continued, we found more and more features that needed improvement and started others that have now been built from the ground up. Our focus has been kept on the open aspect of Shuffle. But that has its issues.

In short: automation platforms are complex. They take a while to build. But we’ll get there. Some of our achievements so far:

  • We’ve started a community of ~100 active people, with new people getting involved every week (roughly 1500 visits, 100 clones and 8000 readers per week). This has compounded and will keep compounding.
  • We’ve pushed 400+ software updates, many thanks to the open source and Shuffle communities.
  • We’ve created 300+ integrations together with the community. A marketplace and proper search are coming soon.
  • We’ve got a new design, including new logos and artifacts we will be using. This is and will stay a focus of ours. Giving analysts flow through design is the dream.
  • We’ve signed up for and been accepted to host workshops about Shuffle at JSAC. This means explanation videos, slide decks and better documentation in general!
  • We’ve spoken with 50+ companies about use-cases and what they’d like to see us build, and more. I’ve sent and received more mail than I like to admit.
  • We’ve added 40+ enhancements to the workflow editor, including hybrid cloud potential and continued app configuration and autocompletion.
  • We’ve NOW (TODAY!!) added the first hybrid-cloud options. This is an exciting step towards profitability and more Shuffling. If you’d like to see (part of) what we have in store, check it out here.

With a subscription model in mind — what are we looking for now? What’s our motive from here on? First of all: We need early adopters. Someone willing to help us develop this into the fully fledged solution we’d all like it to be. Someone Shuffle can work with to build their use-cases. Someone that likes open source and collaboration. And with that in mind… what would you expect in return for spending your two cents on us?

That’s what we’ll get to now. The bright, bright future of Shuffle.

Using Shuffle’s hybrid model to make it easier to interact with external services

Where are we going?

As everything in Shuffle is based on collaboration and open source tooling, we thought we should start there. With basic tooling for the project done, it’s now time we talk about the security features we intend to add. Shuffle will start working towards common category definitions, which is another way of standardizing. This means that to us a SIEM should be a SIEM. EDR is EDR. A ticketing system is a ticketing system. The product shouldn’t matter. They all have common use-cases, but are built differently, mostly for the same reasons.

Thankfully, we’re not the only ones thinking about this. There are tools aplenty out there that can help with this. Here are some of our favorite projects that will be heavily used in the future of Shuffle: Sigma, OSQuery, Yara, Mitre Att&ck (w/Re&ct). With this toolkit, along with custom creations and playbook frameworks, we may actually be able to help the industry as a whole.

But this, sadly, isn’t really enough. We’re aware that such tooling will confuse loads of people. A lot of security professionals are willing to spend the time learning what these tools are. But just as many, or more, won’t. We want to help them as well. We want everyone to be able to leverage each other’s use-cases through sharing mechanisms. But there’s no good way of getting that done with open source alone, which is why we’re introducing services through https://shuffler.io that can be used on-premise. This will hopefully make it possible to sustain what we do.

Here’s what we’ll do:

We’ll give more value through cloud services: value in terms of features that are REALLY hard, REALLY annoying or straight up impossible to have on-premise only. What’s the worst part of open source platforms? That everyone goes through the same mistakes. There is usually a high barrier to entry. There’s little to no collaboration between companies. But why is that? Well, we have a LONG list of features we are and will be working on, but the key elements are related to cloud (hybrid access), searching, collaboration and scale. Let’s go through them individually.

Our initial hybrid features
  1. Collaboration: Blue team security (sadly) isn’t all that sexy. Especially the way we talk about it today. We’re all building our own implementations of trivial problems. This can be fun, but it doesn’t move the industry forward. It’s not so much a cyber security shortage as it is too many similar, parallel paths being built. This is why we see it as necessary to share efforts between organizations. In Shuffle this is optional, but highly necessary for the industry as a whole to learn faster, together. Possibilities range from sharing apps, knowledge and processes to exact fixes and suggestions for how to continue building your workflow.
  2. Scale: We aim to bring features that make it easier to scale, both on-premise and in the cloud. As you start automating, you will notice that you require ever more resources. We give you the option of running parts or everything in our cloud (and later, yours). This means you can control individual apps, and where they should be executed.
  3. Access (triggers): The best examples of access issues in Shuffle are related to networking. Think about the Webhook trigger. It’s meant to receive an HTTP connection from a remote server to run a workflow. But what if you can’t put a part of Shuffle in the DMZ? All of a sudden you can’t use cloud endpoints. We have solved this with cloud/hybrid triggers.
  4. Search: Another issue in the defensive security industry is that information is distributed. It’s also a strength, but in our case with APIs, this means starting on GitHub if you want to find any meaningful information. We would like to make it easy for you to find specific information at large, including apps and workflows for Shuffle. This is why we’re focusing on OpenAPI/Swagger (and JSON Schema) as well as open standards for use-cases, such as Mitre Att&ck. Search may also provide access to every single instance of when e.g. an IP was hit in the past, as well as a distributed search engine for all your connected systems.
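The access/trigger point above (item 3) is easiest to see in code. The following is an added example, not Shuffle’s own implementation: it models the difference between an inbound webhook, which needs a listener reachable from the internet, and a pull-based hybrid trigger, where the internet-facing side queues events and the on-premise instance fetches them over outbound connections only. The relay queue, the poller, the `CloudRelay`/`OnPremWorker` names, the per-instance shared key and the HMAC check on each queued event are all assumptions made for this illustration.

```python
"""Inbound webhook vs. pull-based hybrid trigger (added illustration).

Assumed design, not Shuffle's code: the cloud side accepts webhooks and
queues them per on-premise instance; the on-premise worker only makes
outbound calls and verifies an HMAC on every event before acting on it.
"""
import hashlib
import hmac
import json
from collections import deque

# Constructed example key. In the hybrid model described in the post the
# on-premise instance would obtain a per-instance key from the cloud side.
SHARED_KEY = b"constructed-example-key"


def sign(payload: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the raw queued payload, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class CloudRelay:
    """Internet-facing side: receives webhooks and queues them per instance.

    This is the only component that needs an inbound listener, so nothing
    on-premise has to be placed in a DMZ.
    """

    def __init__(self):
        self.queues = {}

    def receive_webhook(self, instance_id: str, body: dict) -> None:
        # Canonical JSON so the signature is reproducible on the other side.
        payload = json.dumps(body, sort_keys=True).encode()
        self.queues.setdefault(instance_id, deque()).append(
            {"payload": payload, "signature": sign(payload)}
        )

    def poll(self, instance_id: str, max_items: int = 10) -> list:
        """Hand pending events to an instance that polls for them."""
        queue = self.queues.get(instance_id, deque())
        items = []
        while queue and len(items) < max_items:
            items.append(queue.popleft())
        return items


class OnPremWorker:
    """Behind the firewall: polls outbound, never listens for connections."""

    def __init__(self, instance_id: str, relay: CloudRelay, key: bytes = SHARED_KEY):
        self.instance_id = instance_id
        self.relay = relay
        self.key = key
        self.executed = []   # workflow runs started from verified events
        self.rejected = 0    # events whose signature did not verify

    def run_once(self) -> int:
        """One polling cycle; returns the number of workflows started so far."""
        for item in self.relay.poll(self.instance_id):
            expected = sign(item["payload"], self.key)
            if not hmac.compare_digest(expected, item["signature"]):
                self.rejected += 1      # tampered or forged event: drop it
                continue
            event = json.loads(item["payload"])
            self.executed.append(self.run_workflow(event))
        return len(self.executed)

    def run_workflow(self, event: dict) -> dict:
        """Stand-in for starting a workflow from the trigger event."""
        return {"workflow": "triage", "alert_id": event.get("id")}


def demo() -> dict:
    """Two legitimate webhooks plus one constructed tampered queue entry."""
    relay = CloudRelay()
    worker = OnPremWorker("on-prem-1", relay)
    relay.receive_webhook("on-prem-1", {"id": "alert-1", "severity": "high"})
    relay.receive_webhook("on-prem-1", {"id": "alert-2", "severity": "low"})
    # Constructed tampered entry: payload changed after signing.
    relay.queues["on-prem-1"].append(
        {"payload": b'{"id": "alert-3"}', "signature": "00" * 32}
    )
    worker.run_once()
    return {
        "executed": [run["alert_id"] for run in worker.executed],
        "rejected": worker.rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from it is directional: the relay is the only piece exposed to the internet, and the on-premise worker never accepts a connection, which is what removes the DMZ requirement. Verifying each queued event against a key the cloud side never sends over the wire keeps a compromised or misbehaving relay from starting arbitrary workflows on-premise.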

But in practice, what does all of this mean? How can you leverage this as is? First, start by signing up to https://shuffler.io/admin, grab your unique key, put it in your own instance, and all of a sudden you have more features than you did previously. We’re doing our best to keep your data intact at the same time as well. We’re not sending any of your local information to the cloud. Read all about it here. More features will be added over time, and you’ll automatically get access to them too. Glorious synchronization.

How do we get there?

The point of Shuffle isn’t to create an enterprise with massive profits. We simply want to give the community what it deserves, through open source tools. It’s still a bare-bones solution. And that’s what we need to fix first. A SOAR without use-cases isn’t enticing. A SOAR without integrations isn’t either. That’s where our focus will move. A tiny bit away from platform development, over to actual usage. That’s why as part of our pricing model, we’ll create an integration for you as well. We’ll also help you get on-boarded.

I like to think of it as compound interest for the industry as a whole. If you use a specific system, there’s a high chance others are as well. That means when we create an OpenAPI specification or Workflow to solve an issue, everyone benefits. It’s a win-win. With e.g. 10 users over 12 months, that’s already 120 integrations and use-cases, not including the others the community are making on the side. And 10 is a really low number.

Next up is personal on-boarding. Because reading documentation before you try something sucks. If the community learns how we think about Shuffle and its unlimited potential, then we’ll all build it out together. This is where the sharing and open source aspect comes into play. Other companies can offer this part as well, but they won’t have a thriving and sharing community.

Third: tutorials and demos. YouTube videos, blogs and workshops (among others) are huge. We’ll keep them coming, as they’ve been helping Shuffle grow continually. We’re hosting workshops that will become available online soon as well.

Last: MSSP and enterprise features. This one isn’t as much fun product-wise, but it’s necessary. We’d like to offer a way for MSSPs to have standardized workflows for on-boarding their customers, with all their systems. We’d also like it to be seamless, so you can edit one workflow which in turn edits all the others. Further, reporting, dashboards, audit logging and professional support and services are the real requirements we’re missing. Without them, we’re not “enterprise ready”.

These are our key growth strategies. And all they require is time.

There’s a lot to talk about when it comes to such a huge undertaking, but we won’t bore you with more gory details. We haven’t mentioned everything. But this is the release of Shuffle 0.8 after all. Not 1.0. What we need now are early adopters. Someone willing to work with us through the issues, and support us while it’s being built for you. If you’d like to try it out, either sign up or get in touch at frikky@shuffler.io.

As mentioned, we just released Shuffle 0.8! Try it out! It has all the goods. Read more about the release on GitHub. Documentation for organizations is here. If you have any feedback at all, or want to get involved, please reach out. We’ll cover that in a later post.

I’d like to thank my personal sponsors and advisors, the Discord and open source community that keeps growing, as well as anyone who’s taken an interest. This is a really interesting and fun journey, and I’m really optimistic that we’ll make this the best automation solution for the security industry.

Please consider clapping (up to 50 times!), sharing and spreading the word. It helps us out a lot. Follow us on Twitter or Linkedin for further updates.
