Welcome to Part 4 of our series examining how to select the best security, orchestration, automation and response (SOAR) solution for your business.
In Part 1, we defined what SOAR platforms set out to do at their core. In Part 2, we listed the key core competencies that you can expect to find in a SOAR solution. In Part 3, we dove into one of those core competencies: case management. Part 4 will focus on the bread and butter of the SOAR category: playbooks.
A security playbook (or “runbook”) is the logical series of actions that a security analyst should follow when triaging, investigating and remediating a specific suspected threat. For example, an (overly simplified) playbook to handle a suspected phishing email may look something like this:
Step 1: Enrich user information from Active Directory
Step 2: Enrich URL information with threat intelligence data
(Branch: If URL is malicious then,)
Step 3: Delete the email from the inbox
Step 4: Send a message to the user
Step 5: Add the URL to the firewall block list
Clearly, organizations should strive to automate as many of the steps in a playbook as possible (this video provides good guidance on what can be automated with confidence). Additionally, the playbook steps will typically invoke the functionality (here is where orchestration comes in) of your various security tools, such as your threat intelligence, firewalls, EDR platforms, etc.
It’s easy to see why automation and orchestration save time and avoid console switching and manual error, but it’s worth noting that first and foremost, the value of playbooks lies in the consistent execution of security processes, which is what enables SecOps teams to scale. So, as you may have figured by now, the more of your processes you have mapped out, even if only in flow charts or documents, the faster and more effective your SOAR implementation will be.
Every SOAR vendor will tout “code-free” playbook creation, an easy drag-and-drop playbook editor and loads of integrations. It’s often difficult to tell the difference purely based on the marketing materials, so “building is believing.” If your SOAR vendor offers a free trial or a community edition, it can’t hurt to take it for a spin.
When analyzing and comparing playbook building capabilities, you should think along three dimensions, namely:
- Ease of playbook creation: How easy is it to get off the ground quickly, with pre-existing playbook libraries, use cases, and little to no coding.
- Flexibility of playbook creation: The flip side of ease of use – how flexible is the SOAR platform to allow you to modify existing templates or build from scratch new use cases that are highly tailored to the needs of your organization.
- Playbook lifecycle management: How simple is it to manage, maintain and optimize a growing library of playbooks, without running into “spaghetti” playbook complexity.
Let’s examine some core capabilities to consider across each of these dimensions. While not an exhaustive list of every playbook-related feature, this list is a great place to start.
Ease of playbook creation
- Drag and drop editor: While this is table stakes in the SOAR category, not all playbook editors are created equal. The best way to examine ease of use is to, well, use the product and see how easy it is. Some SOAR solutions do a fine job at abstraction and boast a UI that enables non-engineers to build complex playbooks without the need to understand code or parse parameters, while others don’t (but say they do anyway).
- Packaged use cases: While every organization may be unique, the reality is that many security operations challenges are common across them. A good SOAR solution should deliver pre-packaged solutions for common use cases such as phishing, failed logins, command-and-control beaconing and more, so you don’t have to reinvent the wheel.
- Playbook utilities: Somewhat similar to use cases, common tasks are involved in building playbooks, such as email parsing, list manipulation, and more. You should not have to write those from scratch, so look to see if your SOAR provider offers a library of such utilities.
- Simulators and debuggers: As with any code that is running, testing in production is not a best practice when it comes to playbooks. Look for functionality that allows you to simulate alerts and “debug” your playbooks in a safe environment to ensure they work as expected before actually deploying them in the real world.
- Integrations: A good SOAR tool should support the tools you are already using. The good news is that the category has matured to where most vendors, especially the established ones, should have all their bases covered here. Some SOAR vendors also have communities and offer community-contributed integrations to support even more tools.
- IDE: So remember the “code-free” playbook building virtually every SOAR vendor touts? Truth be told, no matter how great the drag-and-drop UI is, you will likely encounter cases where you want to tweak the underlying code. This can range from modifying some of the default logic to building a new integration from scratch for a homegrown tool. Most SOAR vendors offer a Python-based IDE, but the level of maturity varies, so you should seriously consider experimenting with it yourself if you anticipate a lot of custom coding.
- Skip logic: Playbook actions can fail (for example, you query a cloud-based threat intelligence provider, but it is experiencing downtime). A good SOAR solution should provide flexibility for this, which can include skipping steps, rerunning them a certain number of times or aborting the playbook.
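As an added illustration (not code from this article or from any SOAR vendor), here is a small Python playbook runner that executes the phishing playbook sketched at the top of the post: the two enrichment steps, the branch on the threat intelligence verdict, and the three remediation steps. Each step carries a failure policy (retry a set number of times, skip, or abort) of the kind the skip logic point describes, and every integration (directory lookup, threat intelligence, mailbox, firewall block list) is a simulated stand-in, so the same code doubles as the offline simulation the simulators and debuggers point calls for. The tool data, alert fields, step names and function names are all constructed for the example.

```python
"""Tiny playbook engine with per-step failure policies and simulated tools."""
from typing import Callable, Optional
from dataclasses import dataclass


@dataclass
class Step:
    name: str
    action: Callable[[dict], None]      # receives and mutates the shared context
    on_failure: str = "abort"           # "abort" | "skip" | "retry"
    retries: int = 0                    # extra attempts allowed when on_failure == "retry"
    condition: Optional[Callable[[dict], bool]] = None  # branch guard, None = always run


class PlaybookAborted(Exception):
    """Raised when a step fails and its policy is to abort the whole playbook."""


def run_playbook(steps, context):
    """Run steps in order; return a list of (step name, outcome) records."""
    log = []
    for step in steps:
        if step.condition is not None and not step.condition(context):
            log.append((step.name, "branch-not-taken"))
            continue
        attempts = 0
        while True:
            attempts += 1
            try:
                step.action(context)
                log.append((step.name, "ok" if attempts == 1 else f"ok-after-{attempts}"))
                break
            except Exception as exc:
                if step.on_failure == "retry" and attempts <= step.retries:
                    continue                      # rerun the step
                if step.on_failure == "skip":
                    log.append((step.name, f"skipped:{exc}"))
                    break                         # move on to the next step
                log.append((step.name, f"aborted:{exc}"))
                raise PlaybookAborted(step.name) from exc
    return log


# --- Simulated integrations (constructed stand-ins, not real tool APIs) ---
SIM_DIRECTORY = {"alice@example.com": {"department": "Finance", "title": "Analyst"}}
SIM_THREAT_INTEL = {"http://evil.example/login": "malicious",
                    "https://intranet.example/portal": "benign"}


class FlakyThreatIntel:
    """Fails the first `failures` lookups to emulate provider downtime."""
    def __init__(self, failures):
        self.failures, self.calls = failures, 0

    def lookup(self, url):
        self.calls += 1
        if self.calls <= self.failures:
            raise ConnectionError("threat intel provider unavailable")
        return SIM_THREAT_INTEL.get(url, "unknown")


def build_phishing_playbook(ti_client, firewall_blocklist, mailbox, outbox):
    """Steps 1-5 from the article, with a malicious-URL branch guarding 3-5."""
    def enrich_user(ctx):
        ctx["user"] = SIM_DIRECTORY[ctx["alert"]["recipient"]]

    def enrich_url(ctx):
        ctx["verdict"] = ti_client.lookup(ctx["alert"]["url"])

    def is_malicious(ctx):
        return ctx.get("verdict") == "malicious"

    def delete_email(ctx):
        mailbox.remove(ctx["alert"]["message_id"])

    def notify_user(ctx):
        outbox.append((ctx["alert"]["recipient"], "A phishing email was removed"))

    def block_url(ctx):
        firewall_blocklist.add(ctx["alert"]["url"])

    return [
        Step("enrich_user", enrich_user, on_failure="skip"),          # nice-to-have context
        Step("enrich_url", enrich_url, on_failure="retry", retries=2),  # provider may be down
        Step("delete_email", delete_email, condition=is_malicious),
        Step("notify_user", notify_user, condition=is_malicious, on_failure="skip"),
        Step("block_url", block_url, condition=is_malicious),
    ]


def simulate(alert, ti_failures=0):
    """Run the playbook against a constructed alert with simulated tools."""
    ti = FlakyThreatIntel(ti_failures)
    blocklist, outbox, mailbox = set(), [], {alert["message_id"]}
    ctx = {"alert": alert}
    log = run_playbook(build_phishing_playbook(ti, blocklist, mailbox, outbox), ctx)
    return {"log": log, "verdict": ctx.get("verdict"), "blocklist": blocklist,
            "mailbox": mailbox, "outbox": outbox}


SAMPLE_ALERT = {"message_id": "msg-001", "recipient": "alice@example.com",
                "url": "http://evil.example/login"}  # constructed alert

if __name__ == "__main__":
    for name, outcome in simulate(SAMPLE_ALERT, ti_failures=1)["log"]:
        print(f"{name:14} {outcome}")
```

With one simulated outage the URL enrichment succeeds on its second attempt and the remediation branch runs; with three consecutive outages the retry budget is exhausted and the playbook aborts at that step, leaving the mailbox and block list untouched, which is exactly the behaviour you want to see in a debugger before the playbook touches production tools.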
Playbook lifecycle management
- Reusable blocks: Playbooks often share logic (for example, an enrichment “block” that reaches out to multiple threat intelligence sources may be relevant for multiple use cases). A good SOAR solution supports reusable components for easier playbook maintenance.
- Versioning: Playbooks are rarely static, and you should anticipate updating them. This is where version control comes into play, allowing easier maintenance as well as rollback to a last known good version if needed.
- Playbook run analytics: These metrics give you visibility to the actual performance of your playbooks so you can pinpoint and fix potential issues. Analytics can include how many times playbooks have actually run (and which seldom or never get used), how long playbooks take to complete and whether playbooks get stalled at a specific stage.
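The run analytics point above boils down to aggregating run records per playbook. As an added example (not code from the article or from any SOAR product), the Python below computes the three metrics named there, run counts (including library entries that never ran), average duration, and the stage at which stalled runs stop, from a constructed set of run records; the playbook names, fields and threshold are assumptions made for the example.

```python
"""Summarise playbook run records into the metrics a SOAR analytics view would show."""
from collections import defaultdict
from statistics import mean

# Constructed playbook library and run records (not real SOAR data).
PLAYBOOK_LIBRARY = ["phishing_triage", "failed_logins", "c2_beacon", "legacy_vpn_alert"]
RUNS = [
    {"playbook": "phishing_triage", "duration_s": 42,  "status": "completed", "last_stage": "block_url"},
    {"playbook": "phishing_triage", "duration_s": 38,  "status": "completed", "last_stage": "block_url"},
    {"playbook": "phishing_triage", "duration_s": 900, "status": "stalled",   "last_stage": "enrich_url"},
    {"playbook": "phishing_triage", "duration_s": 910, "status": "stalled",   "last_stage": "enrich_url"},
    {"playbook": "failed_logins",   "duration_s": 12,  "status": "completed", "last_stage": "notify_user"},
    {"playbook": "c2_beacon",       "duration_s": 300, "status": "stalled",   "last_stage": "analyst_approval"},
]


def playbook_analytics(library, runs, stall_threshold=0.25):
    """Return per-playbook run count, mean duration, stall rate and worst stall stage.

    `stall_threshold` is the fraction of stalled runs above which a playbook is flagged
    (an assumed cut-off for the example)."""
    stats = {name: {"runs": 0, "durations": [], "stalls": defaultdict(int)} for name in library}
    for run in runs:
        # Runs of playbooks not in the library are still counted rather than dropped.
        s = stats.setdefault(run["playbook"], {"runs": 0, "durations": [], "stalls": defaultdict(int)})
        s["runs"] += 1
        s["durations"].append(run["duration_s"])
        if run["status"] == "stalled":
            s["stalls"][run["last_stage"]] += 1

    report = {}
    for name, s in stats.items():
        stall_rate = sum(s["stalls"].values()) / s["runs"] if s["runs"] else 0.0
        worst_stage = max(s["stalls"], key=s["stalls"].get) if s["stalls"] else None
        if s["runs"] == 0:
            flag = "never-run"          # candidate for retirement from the library
        elif stall_rate >= stall_threshold:
            flag = "stalls"             # look at worst_stage first
        else:
            flag = "ok"
        report[name] = {
            "runs": s["runs"],
            "mean_duration_s": mean(s["durations"]) if s["durations"] else None,
            "stall_rate": round(stall_rate, 2),
            "stall_stage": worst_stage,
            "flag": flag,
        }
    return report


if __name__ == "__main__":
    for name, row in playbook_analytics(PLAYBOOK_LIBRARY, RUNS).items():
        print(f"{name:18} {row}")
```

In the constructed data the phishing playbook stalls half the time, always at the URL enrichment stage, which points straight at the threat intelligence integration rather than at the playbook logic, while the VPN playbook has never run and is a candidate for retirement.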
A well-oiled playbook library that is simple to build and maintain can make a difference between a highly successful SOAR project and one that underwhelms. As always, do your research (such as reading reviews of the various SOAR platforms) and get a feel for what playbook building is like as you set out on your journey to select the best SOAR platform for your needs.
However, even the best designed and highly automated playbooks will never completely eliminate the need for intelligent human investigation. Interactive investigation will be the topic of Part 5 of our series. Stay tuned!
Nimmy Reichenberg is CMO at Siemplify.