In an ideal world, every analyst in your security operations center (SOC) would be able to investigate and respond to every case efficiently and effectively. In the real world, of course, that is not the case.
Most SOCs have seasoned analysts, junior analysts and everything in between. This variety of skill sets means that investigation and response to any given case can be dramatically different depending on the analyst working the case.
This variability does not necessarily mean that one analyst does a more comprehensive investigation than another. It does, however, mean that from a management perspective, predicting the time required for a case can be challenging, if not impossible.
The good news is that with the introduction of security orchestration, automation and response (SOAR) solutions and their automated playbook capabilities, SOC managers can take steps toward more consistent, repeatable processes for a given investigation type, no matter the analyst working the case.
With automated playbooks, also known as runbooks in some SOCs, managers, architects and analysts can work together to define the flow of activities associated with a specific security issue and subsequent investigation and response. The goal is to build a consistent set of activities followed in every case, no matter the analyst assigned the case.
The challenge SOCs face when building playbooks in some SOAR products, unfortunately, is the level of programming knowledge required. Playbooks may look simple on the surface, but most SOAR products require some coding expertise to make them work.
Siemplify took a different approach to building our playbook framework. Understanding that many SOCs do not have programmers on staff, we built the playbook architecture so that anyone can create and edit the steps in a playbook without coding experience.
The short video above covers the three things you need to know about Siemplify playbook capabilities: simplicity, flexibility and extensibility.
The last point is the ease with which you can extend the capabilities. While not all SOCs have programmers, some do. If you are a programmer or have a programmer on your team, the Siemplify platform comes with a built-in integrated development environment (IDE) in which new playbook actions can be defined. You can also edit existing actions to meet your organization's specific needs.
For more information about Siemplify playbook capabilities, visit us at siemplify.co.
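To make the playbook idea concrete, here is a small, self-contained Python illustration of the two points above: a playbook as an ordered list of named actions with conditional branches, run the same way for every case and leaving an audit trail, plus a new action registered afterwards without touching the engine. This is an added example written for this page; it is not Siemplify's code or playbook format (the page shows neither), and the action names, the reputation table and the sample alerts are all constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# The case context is a plain dict shared by every step: actions read from it
# and write results back so later steps (and the audit trail) can use them.
Action = Callable[[dict], None]
ACTIONS: Dict[str, Action] = {}


def action(name: str):
    """Register a function as a named playbook action (hypothetical registry)."""
    def deco(fn: Action) -> Action:
        ACTIONS[name] = fn
        return fn
    return deco


# Constructed stand-in for a threat-intel service: domain -> risk score 0..100.
REPUTATION = {"login-verify.example": 92, "cdn.partner.example": 8}


@action("extract_indicators")
def extract_indicators(ctx: dict) -> None:
    urls = ctx["alert"].get("urls", [])
    ctx["domains"] = sorted({re.sub(r"^https?://([^/]+).*$", r"\1", u).lower() for u in urls})


@action("enrich_domains")
def enrich_domains(ctx: dict) -> None:
    # Unknown domains score 0 rather than raising, so one missing enrichment
    # result does not abort the whole playbook.
    scores = {d: REPUTATION.get(d, 0) for d in ctx["domains"]}
    ctx["scores"] = scores
    ctx["max_score"] = max(scores.values(), default=0)


@action("set_verdict")
def set_verdict(ctx: dict) -> None:
    ctx["verdict"] = "malicious" if ctx["max_score"] >= 80 else "benign"


@action("block_sender")
def block_sender(ctx: dict) -> None:
    ctx.setdefault("containment", []).append(f"blocked sender {ctx['alert']['sender']}")


@action("notify_analyst")
def notify_analyst(ctx: dict) -> None:
    ctx["notification"] = f"case {ctx['alert']['id']}: {ctx['verdict']} (max score {ctx['max_score']})"


@action("close_case")
def close_case(ctx: dict) -> None:
    ctx["status"] = "closed"


def is_malicious(ctx: dict) -> bool:
    return ctx.get("verdict") == "malicious"


# The playbook itself is data: an ordered list of (action name, optional condition).
# This is the part a non-programmer assembles; the conditions are the branches.
Step = Tuple[str, Optional[Callable[[dict], bool]]]
PHISHING_PLAYBOOK: List[Step] = [
    ("extract_indicators", None),
    ("enrich_domains", None),
    ("set_verdict", None),
    ("block_sender", is_malicious),
    ("notify_analyst", is_malicious),
    ("close_case", None),
]


def run_playbook(playbook: List[Step], alert: dict) -> dict:
    """Execute every step in order and record what ran and what was skipped."""
    ctx = {"alert": alert, "audit": []}
    for name, condition in playbook:
        if name not in ACTIONS:
            raise KeyError(f"playbook references unknown action {name!r}")
        if condition is not None and not condition(ctx):
            ctx["audit"].append(f"skipped {name}")
            continue
        ACTIONS[name](ctx)
        ctx["audit"].append(f"ran {name}")
    return ctx


# Extensibility: a programmer adds a new action without touching the engine,
# and it can then be dropped into any playbook by name.
@action("quarantine_copies")
def quarantine_copies(ctx: dict) -> None:
    ctx.setdefault("containment", []).append(
        f"quarantined messages with subject {ctx['alert']['subject']!r}")


PHISHING_PLAYBOOK_V2: List[Step] = (
    PHISHING_PLAYBOOK[:4] + [("quarantine_copies", is_malicious)] + PHISHING_PLAYBOOK[4:]
)

# Constructed sample alerts (not real data).
SUSPECT_ALERT = {"id": "C-1001", "sender": "it-helpdesk@login-verify.example",
                 "subject": "Password expires today",
                 "urls": ["https://login-verify.example/reset?u=1"]}
BENIGN_ALERT = {"id": "C-1002", "sender": "news@partner.example",
                "subject": "Monthly newsletter",
                "urls": ["http://cdn.partner.example/img/logo.png"]}

if __name__ == "__main__":
    for alert in (SUSPECT_ALERT, BENIGN_ALERT):
        result = run_playbook(PHISHING_PLAYBOOK_V2, alert)
        print(alert["id"], result["verdict"], result.get("containment", []), result["audit"])
```

The audit list is the part a SOC manager cares about: both alerts pass through the same six (or seven) named steps in the same order, and the only thing that differs between cases is which conditional steps were skipped, so the time and the actions taken for a given playbook no longer depend on who picked up the case.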