As the top coaches of any professional sports team would confirm, the best playbook is about much more than just the plays. In the same way that coaches use whiteboards and adhesive notes to draw diagrams in their playbooks, many security operations centers (SOCs) have printed binders of actions to take when data breaches occur. Some analysts print out events and tape them to walls to put a series of events in order.
According to Steve Moore, chief security strategist at Exabeam, a security playbook is designed to help analysts answer the following fundamental questions: How big is the problem, and who was involved?
“The core of answering the question is understanding the state of every IP address, every host and every account used 24 hours a day,” he explained. “This is the real hidden framework that enables a valuable response playbook.”
Short of having these full analysis timelines, a complete response isn’t possible. But with the right help, careful planning, and regularly rehearsed and tested processes, SOC analysts can respond to incidents with confidence and consistently keep their enterprise networks safe from compromise.
Why Your SOC Needs a Security Playbook
Players on the field understand that the game is a constant cycle of defending, attacking and transitioning. No one knows what threatens the enterprise more than the frontline defenders, which is why playbooks are built by analysts. An SOC with a playbook has the advantage of being able to focus only on the alerts that matter.
“By utilizing a playbook, it is guaranteed that the analysts will make the determination regarding the initial validity of the alert in front of them as quickly as possible, allowing the SOC to handle a lot more incoming alerts and focus on actual incidents or threats to the organization,” said Meny Har, vice president of product at Siemplify.
Without playbooks, analysts tend to revert to their gut — which might be effective for the individual, but it leaves the entire team at the mercy of the knowledge that exists within that analyst’s mind. SOCs that suffer from high turnover rates risk not only the loss of analysts, but also the loss of their undocumented expertise. In addition, Moore said that without a playbook, “your work product will vary in effort and quality, and new associates will take longer to acclimate without a playbook.”
New hires within an SOC could take nine months to get up to speed, but using the right technology and process can potentially reduce the learning curve.
Be Flexible and Adaptive
That the offense will change its tactics unexpectedly is a given, so the playbook should be flexible enough to support a constantly improving process. Built-in adaptability as a guiding concept will remind the team that agility has great value when it comes to security.
“By utilizing clear, auditable playbooks, SOCs can gain very meaningful insights into their own process, creating effective feedback loops as well as measurements and metrics,” Har explained. “This allows the SOC to identify bottlenecks where configuration changes (or automation) can take place and where the analysts can make even better decisions.”
The SOC team also relies on the contextual data included in the playbooks to determine whether to escalate or collaborate with further resources. While adaptability is important, playbooks should include the types of threats that have been seen in previous occurrences. They should detail whether an alert was deemed a false positive, who worked on the threat, what was previously done and what actions proved effective. Including all this information in the playbook puts analysts in a better position to make the best possible decisions so they can quickly respond to security incidents.
Balance Automation and Human Decision-Making
For more advanced SOCs, the playbook will strike a balance between leveraging automation and providing analysts with the knowledge they need to make their own decisions when necessary. Automating intelligence helps the SOC team identify not only whether an alert is malicious, but also how it is malicious, which provides some guidance on the best way to remove or handle the threat. In addition, automating contextual data helps identify whether a specific alert pertains to a high-value part of the network or a marginal one.
Let’s say an endpoint is infected and a set of credentials is stolen — what has to happen? The first step is to reference a timeline to determine whether the account was signed in to a second system that it’s never accessed before.
“The analyst could further submit that malware for automated analysis,” Moore said. “The action could involve blocking associated IP addresses, disabling the account, taking the machine offline, and sending an email to the associate’s manager and the privacy office.
“Think of automation, in its simplest terms, as a virtual helper for often-repeated and time-consuming tasks,” Moore continued. “The best type of security automation is one that vacuums up all the little unrelated events that occur inside your network and orders them into a timeline, ties them to a human or device, makes it quickly referenceable by risk, and illustrates which discrete events are normal or abnormal.”
Balancing automation with playbooks allows analysts to quickly understand additional risks so they can take immediate action to remove an adversary from a network or endpoint.
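The timeline check and the response actions described in this section, worked through as an added example that is not code from the original article or from either vendor quoted. It builds a per-account timeline from a handful of constructed logon events, marks each event as normal or abnormal relative to what the account had done before, and maps what the stolen-credential playbook finds to response actions. The event format, the asset-criticality map and the action names are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample authentication events (not real log data):
# timestamp,user,src_ip,host,outcome
SAMPLE_EVENTS = """\
2024-03-01T08:02:11Z,alice,10.1.1.20,ws-alice,success
2024-03-01T08:05:40Z,alice,10.1.1.20,fileserver-01,success
2024-03-02T09:00:03Z,alice,10.1.1.20,ws-alice,success
2024-03-03T09:10:22Z,alice,10.1.1.20,fileserver-01,success
2024-03-04T02:14:55Z,alice,198.51.100.7,ws-alice,success
2024-03-04T02:16:02Z,alice,198.51.100.7,dc-01,failure
2024-03-04T02:16:30Z,alice,198.51.100.7,dc-01,success
"""

# Assumed asset-criticality map standing in for the "contextual data" a
# playbook would pull from an asset inventory; labels are made up here.
ASSET_CRITICALITY = {"dc-01": "high", "fileserver-01": "medium", "ws-alice": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Turn the CSV-style lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, host, outcome = line.split(",")
        events.append({"ts": parse_ts(ts), "user": user, "src_ip": src_ip,
                       "host": host, "outcome": outcome})
    events.sort(key=lambda e: e["ts"])
    return events


def build_timeline(events, user):
    """Order one account's events and mark each as normal or abnormal relative
    to everything the account had successfully done before that point."""
    seen_hosts, seen_ips = set(), set()
    timeline = []
    for e in events:
        if e["user"] != user:
            continue
        timeline.append(dict(e, first_host=e["host"] not in seen_hosts,
                             first_ip=e["src_ip"] not in seen_ips))
        if e["outcome"] == "success":  # only successful logons extend the baseline
            seen_hosts.add(e["host"])
            seen_ips.add(e["src_ip"])
    return timeline


def playbook_actions(timeline, since, infected_endpoint):
    """Playbook step for 'endpoint infected, credentials stolen': check whether
    the account reached a host it had never accessed before the incident window
    opened, and map what was found to response actions."""
    window = [e for e in timeline if e["ts"] >= parse_ts(since)]
    new_hosts = sorted({e["host"] for e in window
                        if e["first_host"] and e["outcome"] == "success"})
    new_ips = sorted({e["src_ip"] for e in window if e["first_ip"]})
    # Severity follows the most critical asset the account newly reached.
    severity = max((ASSET_CRITICALITY.get(h, "low") for h in new_hosts),
                   key=RANK.get, default="low")
    actions = ["submit_endpoint_malware_for_analysis",
               f"isolate_host:{infected_endpoint}"]
    if new_hosts or new_ips:
        actions.append("disable_account")
        actions.extend(f"block_ip:{ip}" for ip in new_ips)
    if severity == "high":
        actions.append("notify_manager_and_privacy_office")
    return {"new_hosts": new_hosts, "new_ips": new_ips,
            "severity": severity, "actions": actions}


if __name__ == "__main__":
    tl = build_timeline(parse_events(SAMPLE_EVENTS), "alice")
    for e in tl:
        flag = "ABNORMAL" if (e["first_host"] or e["first_ip"]) else "normal"
        print(e["ts"].isoformat(), e["host"], e["src_ip"], e["outcome"], flag)
    print(playbook_actions(tl, "2024-03-04T00:00:00Z", "ws-alice"))
```

Failed logons are flagged but do not extend the baseline, so a failed attempt against a never-seen host still shows up as abnormal; the window start is passed in explicitly because the baseline is only as good as the history collected before the incident.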
Measure and Improve Your Process
In writing playbooks, security leaders outline the right processes and procedures for SOC analysts to deal with the alerts they have actually seen. They should also describe the processes the SOC will need to carry out to optimally handle any alerts and threats they may someday face. The team should constantly evaluate whether there was a situation it encountered for which the playbook didn’t account.
“This typically takes form in the shape of ‘improvement’ steps within individual workflows — a place where analysts can note and update on their individual experiences,” Har explained.
If it so happens that an incident is inappropriately escalated, the process managers of the SOC can then go into an iterative process to evaluate what might have been a more valuable use of time for future reference. The playbook authors should take a higher-level view of the threat landscape of the organization while also looking at any new intelligence that may need special handling. For this reason, playbooks may not all be rolled out at the same time.
“This is where new playbooks are introduced to alerts which previously had none defined,” Har said. “This is also where high-level KPIs and metrics the SOC have collected are used as feedback. Where are my analysts spending the most time? Can certain steps be removed, adapted or alternatively automated?”
The idea is to also increase efficiency and time allocation of the resources in the SOC over time, which is usually done at a cadence determined by a higher-level employee in the SOC, be it the manager, director or sometimes even more senior personnel.
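The feedback questions raised in this section (where analysts spend the most time, which steps are candidates for automation, which alert types still lack a playbook, and how often an alert type turns out to be a false positive) computed over constructed playbook execution records. This is an added example, not code or data from the article or from the vendors quoted; the record layout, step names and the 50% time-share threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed playbook execution records (not real SOC data). Each run is one
# alert worked through its playbook; minutes are analyst hands-on time per step.
RUNS = [
    {"run": 1, "alert": "phishing", "verdict": "true_positive",
     "steps": {"triage": 5, "enrich_urls": 20, "contain": 5}},
    {"run": 2, "alert": "phishing", "verdict": "false_positive",
     "steps": {"triage": 4, "enrich_urls": 25, "contain": 0}},
    {"run": 3, "alert": "phishing", "verdict": "false_positive",
     "steps": {"triage": 6, "enrich_urls": 18, "contain": 6}},
    {"run": 4, "alert": "brute_force", "verdict": "true_positive",
     "steps": {"triage": 3, "check_timeline": 10, "contain": 8}},
    {"run": 5, "alert": "brute_force", "verdict": "false_positive",
     "steps": {"triage": 2, "check_timeline": 12, "contain": 0}},
    {"run": 6, "alert": "new_vpn_geo", "verdict": "false_positive",
     "steps": {"ad_hoc": 45}},  # worked without a defined playbook
]


def median_step_minutes(runs):
    """Median analyst minutes per step, grouped by alert type."""
    per = defaultdict(lambda: defaultdict(list))
    for r in runs:
        for step, mins in r["steps"].items():
            per[r["alert"]][step].append(mins)
    return {alert: {step: median(v) for step, v in steps.items()}
            for alert, steps in per.items()}


def bottleneck_steps(runs, share=0.5):
    """Steps whose median time is at least `share` of the playbook's total
    median time: the first place to look for automation or configuration
    changes."""
    out = {}
    for alert, steps in median_step_minutes(runs).items():
        total = sum(steps.values())
        heavy = [s for s, m in steps.items() if total and m / total >= share]
        if heavy:
            out[alert] = heavy
    return out


def false_positive_rate(runs):
    """Share of runs per alert type that ended as a false positive; a high
    rate points at a detection that needs tuning before the playbook does."""
    counts = defaultdict(lambda: [0, 0])
    for r in runs:
        counts[r["alert"]][0] += r["verdict"] == "false_positive"
        counts[r["alert"]][1] += 1
    return {a: round(fp / n, 2) for a, (fp, n) in counts.items()}


def alerts_without_playbook(runs, playbooks):
    """Alert types that were worked but have no playbook defined yet."""
    return sorted({r["alert"] for r in runs} - set(playbooks))


if __name__ == "__main__":
    print(median_step_minutes(RUNS))
    print(bottleneck_steps(RUNS))
    print(false_positive_rate(RUNS))
    print(alerts_without_playbook(RUNS, ["phishing", "brute_force"]))
```

Medians rather than means are used so that one unusually long investigation does not masquerade as a systemic bottleneck; the per-step records are the same "improvement" notes the section describes, captured in a form that can be aggregated at whatever review cadence the SOC manager sets.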
Read the Offense
Playbooks are designed to help SOC teams respond to known threats because security breaches are not typically the result of unknown threats. Security breaches most often occur because of unpatched vulnerabilities or other lax security practices, such as failure to perform risk analysis or basic network segmentation, misconfiguration, lack of security tools, and failure to make time for analysts to actually review detected threats.
“For a security team, an unknown threat is not necessarily a new threat or vulnerability that has never been seen before, but any threat that has not been detected by the organization’s own sensors and teams,” Har said.
That said, playbooks can quickly and effectively eliminate any background noise. When relevant threats are identified, they need to be addressed quickly through collaboration between relevant parties and rapid execution of the incident response plan.
Although no playbook is perfect, threat actors are far less likely to bypass a defense with well-defined and tested strategies. For the SOC team, strong defense comes from the ability to properly allocate precious resources, one of which is time.
When senior analysts are able to spend time looking beyond a reactive approach to threat response, they can shift to more proactive threat detection. From the threat hunting process, they can even develop additional threat intelligence-based playbooks to better position the team against threats the SOC would otherwise not have known about.