A workflow for TheHive IOCs

Introducing Shuffle — an Open Source SOAR platform part 1

Frikky
Shuffle Automation
5 min read · May 20, 2020


All blue teams and information security departments have two problems in common: alert fatigue and a lack of development. If you don’t give security professionals hard puzzles to solve, but rather fires to fight, and the environment stagnates, it will eventually lead to turnover. This is a common theme in incident response teams, and Shuffle is looking to solve it. But how can these issues be tackled head on? Read on and I’ll introduce you to the magic of Open Source.

Shuffle was started as a hobby project about a year ago (mid 2019). I was writing the same code over and over to duct tape systems together, which was quite tedious with 30+ systems. I knew there was a better way, and as a developer and security professional, I saw a need for better structure, eventually leading to Shuffle. I was initially planning to make it a SaaS platform, but decided to give it away for free after seeing the need for an Open Source SOAR platform.

What is SOAR?

SOAR (Security Orchestration, Automation and Response) has been around for a few years, and been a part of some large acquisitions in the information security industry recently. The point of a SOAR platform is to handle an incident end-to-end — automating before, during and after the incident.

An issue with end-to-end in a single platform is that the views are cluttered and hard to use, as they try to cast too wide a net. This is typically in the form of Threat Intelligence, Tickets, Vulnerability management, Email analysis, Cloud security and you name it. Just because it can be done, doesn’t mean it should be.

App creation view in Shuffle

What is Shuffle?

Shuffle is an Open Source interpretation of SOAR. It aims to bring all the capabilities necessary to transfer data throughout an enterprise with plug-and-play Apps, making automation approachable for everyone. It should remove the need for a coder on the team (I still suggest having at least one..), empowering everyone by being able to deploy new, complicated (or simple) workflows in minutes rather than hours or days.

How does Shuffle do it? Through workflows and apps. You’re likely to be familiar with both words, the former being automated playbooks, and the latter being integrations.

Virustotal in the App Creator

How do integrations work?

To make Shuffle accessible, it needs to have integrations ready out of the box. Having a community of supporters and creators doing the heavy lifting over time is good, but we thought farther. Shuffle uses OpenAPI, an existing Web API standard, and gives you access to a builder to create apps on the fly, as seen in the image on the left.

If you check out this existing integrations website, it shows 11.000+ endpoints with OpenAPI definitions. This means that you will have an existing integration for your product(s) within minutes, rather than days of development time.

On top of OpenAPI, we’ve taken the integration approach and structure of WALKOFF, meaning their apps work with Shuffle as well.
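To make the OpenAPI-to-app idea concrete, here is an added example (not Shuffle's own app builder) that turns an OpenAPI definition into a dictionary of callable "actions", one per `operationId`. The spec, the service name `Example Lookup` and the host `lookup.example.invalid` are constructed for the example; each action only prepares the HTTP request (method and fully built URL) rather than sending it, so the block runs offline.

```python
"""Generate callable "app actions" from an OpenAPI definition.

Added illustration of the OpenAPI-to-app approach; this is NOT Shuffle's own
app builder. The spec below is constructed for a fictional service, and the
generated actions only *prepare* requests so the example runs offline.
"""
from urllib.parse import urlencode

# Constructed OpenAPI 3 fragment for a fictional lookup service (not a real API).
EXAMPLE_SPEC = {
    "openapi": "3.0.0",
    "info": {"title": "Example Lookup", "version": "1.0"},
    "servers": [{"url": "https://lookup.example.invalid/api/v1"}],
    "paths": {
        "/ip/{address}": {
            "get": {
                "operationId": "getIpReport",
                "parameters": [
                    {"name": "address", "in": "path", "required": True},
                    {"name": "verbose", "in": "query", "required": False},
                ],
            }
        },
        "/hash/{sha256}": {
            "get": {
                "operationId": "getHashReport",
                "parameters": [{"name": "sha256", "in": "path", "required": True}],
            }
        },
    },
}


def build_app(spec):
    """Return {operationId: action}. Each action validates its keyword
    arguments against the spec and returns {"method", "url"}."""
    base = spec["servers"][0]["url"].rstrip("/")
    app = {}
    for path, operations in spec["paths"].items():
        for method, op in operations.items():
            params = op.get("parameters", [])

            # Defaults bind the loop variables so each closure keeps its own values.
            def action(_path=path, _method=method, _params=params, **kwargs):
                known = {p["name"] for p in _params}
                unknown = set(kwargs) - known
                if unknown:
                    raise ValueError(f"unknown arguments: {sorted(unknown)}")
                url = base + _path
                query = {}
                for p in _params:
                    value = kwargs.get(p["name"])
                    if value is None:
                        if p.get("required"):
                            raise ValueError(f"missing required argument {p['name']!r}")
                        continue
                    if p["in"] == "path":
                        url = url.replace("{" + p["name"] + "}", str(value))
                    elif p["in"] == "query":
                        query[p["name"]] = value
                if query:
                    url += "?" + urlencode(query)
                return {"method": _method.upper(), "url": url}

            app[op["operationId"]] = action
    return app


APP = build_app(EXAMPLE_SPEC)

if __name__ == "__main__":
    # 198.51.100.7 is from the documentation range, used here as sample input.
    print(APP["getIpReport"](address="198.51.100.7", verbose="true"))
```

Every path operation becomes one action, which is the same shape as the App/Action split the post describes: the app is the whole spec, the actions are its operations, and the arguments are the declared parameters. Rejecting unknown and missing-required arguments at call time is what makes a generated app safe to wire into a workflow without a coder checking each request by hand.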

More on this in a later blogpost.

What are Workflows?

Workflows are the part of Shuffle where everything comes together. Using Apps, Triggers, and Variables, Shuffle gives you access to all the tools you need to make your platforms talk to each other. Here’s a basic example using all three.

Hello world example in Shuffle with Triggers, Actions and Variables

An App, as described in the previous section, has multiple Actions, which in turn have multiple arguments. “Hello world” (bottom left) is the Action “Repeat back to me” running in the App “Testing”.

“Repeat back to me” takes a single Argument, which in this case is the Variable “Hello world variable”.

If someone sends a POST request to the Trigger “Webhook”, this workflow will execute. It can also be executed manually.

Actions, webhooks and arguments can be reused, copied and put together to create anything you can think of. Further, workflows are defined in JSON, a format that is digestible programmatically. This means that in time, there will be a notable repository of readily available workflows to pick from.
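As an added example of how a JSON-defined workflow ties a Trigger, an Action and a Variable together, the block below mirrors the “Hello world” workflow from the screenshot in a tiny executor. This is not Shuffle's workflow format or engine: the JSON layout, the `$name` reference syntax and the `Testing` app with its `Repeat back to me` and `Uppercase` actions are all constructed for illustration.

```python
"""A minimal executor for a JSON-defined workflow: Trigger -> Actions, with
Variables (and earlier results) passed as arguments.

Added example, not Shuffle's own format or engine. The JSON layout, the
"$name" reference syntax and the "Testing" app are constructed.
"""
import json

# Constructed workflow mirroring the post's "Hello world" example.
WORKFLOW_JSON = """
{
  "name": "Hello world",
  "variables": [{"name": "Hello world variable", "value": "Hello world"}],
  "triggers": [{"name": "Webhook", "type": "webhook"}],
  "actions": [
    {"id": "a1", "app": "Testing", "action": "Repeat back to me",
     "arguments": {"call": "$Hello world variable"}}
  ]
}
"""

# App registry: app name -> action name -> callable. "Testing" is a stand-in app.
APPS = {
    "Testing": {
        "Repeat back to me": lambda call: call,
        "Uppercase": lambda call: str(call).upper(),
    }
}


def resolve(value, variables, results):
    """Resolve a '$name' reference to a workflow variable or an earlier action's result."""
    if isinstance(value, str) and value.startswith("$"):
        ref = value[1:]
        if ref in variables:
            return variables[ref]
        if ref in results:
            return results[ref]
        raise KeyError(f"unresolved reference {value!r}")
    return value


def run_workflow(workflow, trigger_name=None, trigger_payload=None):
    """Execute the actions in order and return {action_id: result}.

    With trigger_name=None the run is a manual execution. Otherwise the name
    must match a declared trigger, and its payload is exposed to actions as
    the variable 'trigger'."""
    variables = {v["name"]: v["value"] for v in workflow.get("variables", [])}
    if trigger_name is not None:
        declared = {t["name"] for t in workflow.get("triggers", [])}
        if trigger_name not in declared:
            raise ValueError(f"unknown trigger {trigger_name!r}")
        variables["trigger"] = trigger_payload
    results = {}
    for act in workflow["actions"]:
        fn = APPS[act["app"]][act["action"]]
        args = {k: resolve(v, variables, results) for k, v in act["arguments"].items()}
        results[act["id"]] = fn(**args)
    return results


def handle_webhook(workflow, body):
    """Simulate a POST hitting the 'Webhook' trigger with the given request body."""
    return run_workflow(workflow, trigger_name="Webhook", trigger_payload=body)


WORKFLOW = json.loads(WORKFLOW_JSON)

if __name__ == "__main__":
    print(run_workflow(WORKFLOW))                      # manual execution
    print(handle_webhook(WORKFLOW, '{"ioc": "test"}'))  # execution via the Webhook trigger
```

Because the whole workflow is plain JSON, a second action can be appended that references the first one's result (`"$a1"`), which is exactly what makes such definitions easy to copy, share and store in a repository.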

Why use Shuffle?

With the capability to automate, report, share and duct tape together any information, the platform is in essence built for anyone in operational security roles. It makes automation easily available through existing standards like OpenAPI, more fun through the execution views, and last but not least, efficient.

The choice of Open Source means it can flourish quickly, as long as the baseline is stable and secure. It’s currently in the beta stage, with a few testers in production, and we would appreciate if you want to test it too. Get in touch, or see the installation guide.

What’s next for Shuffle

As adoption is a key element, this is written to be an introductory post without much depth. I want Shuffle to spark some excitement in blue teamers, as the red side seems to have constant developments, while the blue seems to be lacking. To further that agenda, I will release a series of posts covering anything from installation to integrations and app building in the coming weeks.

  1. Introducing Shuffle (this blogpost)
  2. Getting started with Shuffle
  3. Integrating Shuffle with Virustotal and TheHive
  4. Real-time executions with TheHive and MISP
  5. An advanced workflow walk-through
  6. The (not so distant) future of Shuffle (Mitre Att&ck, dynamic dashboards, asset management, KPIs etc.)

Want to learn about Shuffle as a video? See here!

If you want to get up and running, we use Docker to make it quick and easy:

If you haven’t already, please clap (up to 50 times) and share the post. Follow me for updates, and don’t hesitate to get in touch.
