Cybersecurity teams have been using their own version of the old football playbook for more than a decade. They use security playbooks to protect their companies against incoming attacks, recover from breaches, and create customized sequences of tasks and routines.
The security game is changing rapidly, and so must the play‑calling. Cybercrime is rampant, causing an estimated $600 billion in global corporate losses in 2017, according to a 2018 survey by McAfee. That’s a tenfold increase over similar estimates from 2016.
Older cybersecurity playbooks typically detailed manual processes security teams could use to react to attacks. Newer playbooks automate the investigation process so security analysts can stop researching problems and start solving them.
“Historically, cybersecurity playbooks were a prescriptive set of guidelines describing who should respond to a security incident and what steps should be taken,” says Chris Stoneff, vice president of security solutions at security tech company Bomgar. “In today’s world of advanced cyberattacks, this is no longer enough.”
Targeted businesses “must fight back with automated, real‑time cyber defenses,” Stoneff says. That’s why the old playbook is getting a revamp. Today’s security playbooks automate dozens of critical defense tasks without human intervention. And they do it across disparate systems, applications and teams. Playbooks can also handle routine tasks, such as software patches, that are often the root cause of the worst attacks.
Phone tree legacy
Traditional playbooks take their cues from the old‑fashioned phone tree, says Michael Jordan, senior director of Shared Assessments, a provider of risk management tools.
“Getting the right people together to get situational awareness and decisions around a cybersecurity incident is the most crucial part of incident response,” he added. “But as anyone involved in incident response can tell you, it can get quite chaotic when there are many parties involved.”
Today, playbooks need to direct a response under rapidly changing conditions. “Staff changes, and the details of each incident are different every time,” says Jordan.
Traditional phone‑tree playbooks frequently fall short. Common system management and response tasks can now be automated to free up resources and allow responses—such as blocking suspicious traffic—at “machine speed,” Jordan said.
“Too many tasks can overwhelm personnel,” Jordan added. “Some threats can cause damage faster than a human could conceivably respond.”
That’s why some of the newer security playbooks embrace the concept of orchestration, the ability of software tools to coordinate a mix of people, processes, technologies, and APIs. While playbooks today lean heavily on automation, pairing them with orchestration tools can retain critical manual processes that still need to be part of the overall routine.
Organizations that use such tools to improve security response can measure progress and communicate results more effectively.
“Organizations need a holistic understanding of how a team is performing and if things are getting better or worse,” says Rich Reybok, senior director of software engineering at ServiceNow. “Visibility—including applying risk factors and service‑level agreements and thinking about security in business terms—is essential to identify gaps and solve issues quickly.”
Automate and orchestrate
Security automation and orchestration (SAO in security vernacular) can be a force multiplier for security teams, says Ian McClarty, president and CEO of PhoenixNAP Global IT Services. Security playbooks will continue to evolve, he adds, “as more applications and services allow information and tasks to be performed through APIs.”
PhoenixNAP uses SAO‑enabled playbooks for several critical tasks, including alert verification and notification. The company is also exploring ways to automate tasks associated with incident recovery, such as automated deployment, patch testing and recovery from a backup.
“By using the integrations and automated tasks, the [security] staff is able to focus on more demanding and analytical tasks,” McClarty says.
Let’s say a company’s threat defense system detects a pass‑the‑hash attack. If the intrusion prevention is integrated with what’s called a privileged identity management (PIM) tool, a well‑scripted playbook can direct the PIM to automatically randomize the passwords of the targeted systems and “stop the attack dead in its tracks,” Stoneff says. This all happens without any manual intervention.
Automated playbooks can also block email when a company’s data is being stolen, lock down a website during malicious employee activity, and disable VPN access after detecting hacker activity there, says Laura Lee, executive vice president for rapid prototyping at Circadence, a security training firm.
Security playbooks at Circadence identify manual tasks that can be automated for triage. The company also uses playbooks on offense, not just defense. It has developed “adversary” playbooks to study threat campaigns and test defenders with variations on attacks.
The biggest challenge with automated playbooks is a human one. They require qualified security pros to create and run them. That can be challenging given an extremely tight labor market for in‑demand security skills.
“The limits of a cybersecurity response playbook are in the expertise needed to execute the steps within it,” says Lee.
That’s not a reason to avoid them. According to experts, most security teams don’t come close to leveraging the full capabilities of intelligent security playbooks. CISOs can stretch their limited resources by using playbooks for basic tasks like checking alerts, creating and updating work tickets, and automating event triage.
“Almost every organization faces internal challenges to progressing their security programs,” says Reybok. “As an industry, we need to acknowledge that the way forward isn’t a better version of what we do today.”