As security operations centers (SOCs) broaden their implementation of security orchestration, automation and response (SOAR) technology to automate some, or all, of the triage, investigation and response their team must undertake, a new challenge is emerging.
SOCs are finding their playbooks that interact with the many technologies in their environments are failing to complete successfully, resulting in analysts having to intervene manually to complete investigations.
Further, team members are spending a not insignificant amount of time applying updates to playbooks to account for changes in their environments as they occur. Unfortunately, many SOAR technologies did not anticipate this challenge and require individual playbook updates. If a SOC works with 50, 100, or more playbooks, you can imagine that the time required for these updates can add up quickly.
Siemplify is the first SOAR provider to attack this challenge head on by introducing playbook lifecycle management, the practice of creating triage, investigation, and response playbooks that enables efficient updating, versioning and retiring of individual tasks within a playbook with minimal manual processes.
Playbook lifecycle management allows SOC teams to create advanced playbooks with dynamic automated decision processes built in, enabling the playbooks to adapt to each potential security issue with limited human intervention. Finally, it provides detailed analytics on playbook effectiveness in real time, enabling SOC managers, engineers and architects to understand where to focus their improvement efforts.
5 Steps of Siemplify Playbook Lifecycle Management
1) Build Playbook “Blocks”
A playbook block is a discrete action or set of activities that take a dynamic, user-defined input (IP address, email, username, etc.) to generate a result. For example, many playbooks begin with gathering information on the specific assets involved in the alert, such as system information or third party threat intelligence. Instead of creating these activities for each playbook where they are required, with playbook blocks, users create these actions once – and reuse them across multiple playbooks as needed.
2) Build full playbooks
With the playbook blocks created, users can now put these blocks together to form total triage, investigation and response workflows. Since every case is different, a typical playbook will consist of a combination of these reusable blocks, as well as custom interactions/steps for the specific situation. As a best practice, the more blocks used in the playbook, the easier the playbook will be to manage long term
3) Run playbooks
The playbooks are now ready to be put into production to automate some, or all, of your incident response.
4) Apply block changes
As changes occur, update the discrete playbook blocks as needed. These changes cascade to all impacted playbooks automatically.
5) Repeat as needed
Steve Salinas is director of product marketing at Siemplify.