Security Orchestration is About Strong Playbooks. Learn to Build A Solid One.

Share this post:

One fine Sunday, I was enjoying a game of rugby on TV. Every time the referee blew his whistle the defense would gather around the coach, who would take out a board and draw the response plan against the opposition’s offense.

For everyone who has spent time in a Security Operations Center (SOC), this carries a striking resemblance to how SOCs around the globe plan their response to security incidents. Isn’t it?

It was always hectic in a SOC. But as the data started moving out because of cloud, visibility and control became a major issue. Pandemic, by accelerating remote work, has only added to the chaos.

A typical modern day SOC faces three major challenges while responding to critical security offenses:

• Meeting the SLAs
• Reduction of false positives
• Collaboration amongst stakeholders

In this article, we will talk about how we can overcome such challenges and accelerate incident response.

A. Invest in the process     

Security response is like a journey from point A to point B – from where you stand when the incident has happened, to where you eventually want to be once you have taken all the steps to eliminate the risk as a part of your incident response plan.

Teams need to create playbooks to define a combination of activities which they need to perform to move from point A to point B.

A playbook should hold collective information of respective stakeholders for various kinds of security incidents such as malware team, network team, application teams etc multiple combinations of these resources can come into actions subject to the type of incident.

Adding timelines to the playbook helps in prioritizing your action and assist the team in meeting the desired SLAs.

B. Playbook – Crisp, Re-usable and Agile

As helpful as playbooks are, they are also very specific. Now, there is a high possibility that an incident might be a combination of various sub incidents, and hence could force the security team to use more than one playbook while responding.

Additionally, we see a lot of variants of popular attacks on a regular basis. E.g. the endpoint domain could have a malware attack or it could have a ransomware attack. Similarly, the networking domain could have a DOS attack, or it could have a DDOS attack.

Creating multiple playbooks for these variants is a time-consuming activity, especially since these playbooks also require regular upgrades.

So, when creating playbooks, it is best to follow the agile methodology to create crisp and re-usable playbooks, as that allows the security team to accelerate this process and saves a lot of time.

C. Respond to Feedback

While creating the playbooks, the team should always value the inputs received from the security analysts. The analysts have the best seats in the house to watch these incidents and can share observations on the current SOP/Playbooks in use and comment on their efficacy, shortcomings, and loopholes.

A constant feedback mechanism can help the security teams reduce the number of false positives.

(might be a good idea on how this is related to false-positives)

D. Crawl, Walk & Run

Another important aspect of designing the playbook is to minimize the amount of automation initially.

Over dependence on automation without stress testing the process can result in a situation where we might end up taking the actions with insufficient information at hand. Considering the risk associated with automation it is always recommended to first work on the manual incident response plan. Once the plan matures, we can then decide on which part of this response plan can be replaced with automation to reduce the manual effort and time required to complete that activity.

To summarize, the security analysts are always on their toes, to meet the demands of the ever-evolving cybersecurity landscape and respond to security incidents. The key to incident response is creation of incident response plan, which is best captured in a playbook.

Creating a playbook is a complex activity, one which requires a lot of collaboration, feedback, and prioritization. The suggestions above, on creation of a playbook, can make the process more efficient and help security teams reduce false positives while shrinking the amount of time required to close the security incident.

IBM Security

IBM Security SOAR platform

Connect with me LinkedIn