We are all aware that security operations centers are inundated with alerts causing massive case backlogs and potentially critical threats to go unnoticed for days, weeks or even months.
Forward-leaning SOCs are taking steps to actively address this issue by deploying security orchestration, automation and response (SOAR) products. With a properly deployed and integrated SOAR solution, SOC teams achieve much-needed relief from alert overload. However, soon after deployment, an unexpected time suck emerges: playbook management.
The core value of any SOAR solution is the ability to take manual IR processes, usually undocumented or ad hoc, and formalize them in what is called a playbook (sometimes called a runbook). These playbooks give the SOAR a roadmap to follow for a specific alert.
A good playbook combines automated and manual steps so that the security analyst can focus on the investigation while the SOAR handles case preparation, validation and response execution. Depending on the SOAR product selected, creating playbooks is often straightforward, but complications can arise.
For example, over time an organization may decide to change a product in its security stack, move from Microsoft Office to Google, or even adopt an entirely new approach to incident response if SOC management changes. When this occurs, a set of playbooks optimized for the time in which they were created immediately require massive updates.
Since it is not uncommon for a team to have hundreds of playbooks, the time required to make these changes is not trivial. Further, during the transition period, alerts may sit idle, giving attackers the window they need to reach their objective. Since change is constant, this process repeats many times, creating a real time suck. But all hope is not lost.
The latest iteration of the Siemplify Security Operations Platform, version 5.3, delivers a new approach, known as playbook lifecycle management, to update playbooks. Using snippets, called blocks, security teams can compartmentalize the workflows that would traditionally constitute a single playbook. Your team can then create any number of playbooks using these blocks to meet their triage, investigation and response needs.
So when something does inevitably change, your team needs only to update the impacted block and all the playbooks that use that block will automatically be updated. With this process, you not only save large amounts of time, but you also eliminate the potential for missing a playbook during the manual update process.
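To make the block concept concrete, here is a small added model (constructed for this article, not Siemplify code) in which playbooks hold references to named blocks rather than copies of their steps. Updating one block, for example when the mail product changes, changes the resolved steps of every playbook that references it, and the registry reports which playbooks were affected. Block and playbook names and step strings are made-up placeholders.

```python
"""Toy block-based playbook registry (constructed example, not Siemplify code).
Playbooks store "block:<name>" references; resolve() expands them at run time,
so one block edit propagates to every playbook that uses the block."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Block:
    name: str
    steps: List[str]
    version: int = 1


class Registry:
    def __init__(self) -> None:
        self.blocks: Dict[str, Block] = {}
        self.playbooks: Dict[str, List[str]] = {}  # name -> items (refs or literal steps)

    def add_block(self, name: str, steps: List[str]) -> None:
        self.blocks[name] = Block(name, list(steps))

    def add_playbook(self, name: str, items: List[str]) -> None:
        # Refuse dangling references so a playbook can never silently skip a block.
        for item in items:
            if item.startswith("block:") and item[6:] not in self.blocks:
                raise KeyError(f"playbook {name!r} references unknown block {item[6:]!r}")
        self.playbooks[name] = list(items)

    def playbooks_using(self, block_name: str) -> List[str]:
        """Impact analysis: which playbooks will change if this block is edited."""
        ref = f"block:{block_name}"
        return sorted(n for n, items in self.playbooks.items() if ref in items)

    def update_block(self, name: str, steps: List[str]) -> List[str]:
        """Edit a block in place; returns the playbooks that picked up the change."""
        block = self.blocks[name]
        block.steps, block.version = list(steps), block.version + 1
        return self.playbooks_using(name)

    def resolve(self, playbook_name: str) -> List[str]:
        """Expand block references into the concrete step list the SOAR would run."""
        out: List[str] = []
        for item in self.playbooks[playbook_name]:
            out.extend(self.blocks[item[6:]].steps if item.startswith("block:") else [item])
        return out


def demo() -> Tuple[List[str], List[str]]:
    reg = Registry()
    reg.add_block("enrich_ip", ["vt_lookup(ip)", "geoip(ip)"])
    reg.add_block("notify", ["office365.send_mail(analyst)"])
    reg.add_playbook("phishing", ["block:enrich_ip", "block:notify"])
    reg.add_playbook("malware", ["block:enrich_ip", "isolate_host", "block:notify"])
    reg.add_playbook("dlp", ["block:notify"])
    # Stack change: mail moves from Office 365 to Google. One edit, three playbooks updated.
    affected = reg.update_block("notify", ["gmail.send_mail(analyst)"])
    return affected, reg.resolve("malware")
```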