How to create a Hall of Fame caliber cybersecurity playbook

Whether the sport is football, basketball or hockey, all the best coaches have playbooks and scouting reports with the latest information on opponents. They study the playing field and never go into a game unprepared, spending hours fine-tuning strategies, whether that's finding the perfect angle to swoop past defenders or knowing an offense's weakness and stopping it dead in its tracks.

Cybersecurity should be no different. Sure, you're not a quarterback looking for a lane to pass in, but the concept is very much the same. Your analysts are staying on top of cyber trends, making sure they're both ready and capable of stepping up on defense.

No one understands the game more than the athletes that run the plays for a living, and the coaches that spend their whole day analyzing tape. Likewise, no one understands the need for clear security operations processes more than the analysts who must execute them, and the SOC managers that guide them. Just like when a coach reads a defense and opens the playbook to find the best possible response, it’s important for SOC teams to have something tangible they can consult based on available information. So, what exactly goes into the ideal cybersecurity playbook?

Built by the SOC team

Experienced analysts and SOC managers, who are on the front lines, should be able to create and build the playbooks they need to investigate and respond to threats. Think of the analysts and managers as the coaches and players, the ones that see everything, every day, right in front of them. Too often, SOC managers must rely on developers or engineers to code their playbooks and workflows. Ideally, the ones calling and running the plays should be enabled to build and iterate on the playbooks they need to be successful against opponents.

Customizable and adaptable

No two security operations centers (SOCs) are the same, and each will run standard plays a little differently. Every football coach starts with a solid foundation of basic plays – and then builds out more specific plans based on the realities of the team, players and opponents. Similarly, a SOC can start with a set of standard playbooks – every team needs a plan for addressing phishing, malware, brute force attempts and more – and then customize them for its particular business. Analysts shouldn't be put in a situation where they're trying to tackle different threats using a single process. You want to combat all phishing attacks with consistency, but a ransomware attack can't be treated the exact same way. Threat actors and their techniques are going to evolve, and you need to as well.

Testing

No coach has ever called a play on Super Bowl Sunday that they've never practiced before. Likewise, your SOC team shouldn't be tossing up a Hail Mary during threat remediation. Coaches hold practice every day before the big game. It's important for your team to give the playbook a test drive, to see if it's up to snuff. Some things work better in theory than in practice. The only way to ensure your playbooks will work as intended – and are consistently up to date – is to put them through the gauntlet, against realistic alerts, before the real incident arrives.

Flexible automation

If you've watched a football game in the last few years, you'll have noticed there's a flag about every two minutes. That's because there is a standard for penalties: the rules clearly define infractions, which lets refs make quick, decisive, nearly automatic calls. (Usually.) If a defender drags someone down by the facemask, a penalty follows automatically, the offense gains yards, and it will almost always accept the penalty. But there is always the exception where it might not. You want this same level of flexible automation in your playbooks. Some alerts and incidents are so repetitive that nine times out of ten you can automate the necessary actions and close them without an analyst even touching them. For the unusual tenth instance, you want the ability to take the reins and let your analysts do what they do best.
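To make the last two sections concrete (standard playbooks customized per SOC, and automation that closes the routine cases but escalates the exceptions), here is a small Python playbook runner. It is an added example written for this article, not a product's playbook engine or the author's code; the playbook names, the steps, the "finance recipient" guardrail, the auto-close threshold and all alert data are constructed for illustration.

```python
"""Small SOC playbook runner: standard playbooks, per-SOC customization, and
automation that closes routine alerts but hands the exceptions to an analyst.
Added example for this article; every playbook, step and alert here is made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Alert:
    kind: str                       # "phishing", "brute_force", "ransomware", ...
    indicators: Dict[str, str]      # e.g. sender, recipient, src_ip, message_id
    prior_auto_closes: int = 0      # how often this exact signature was closed by automation before


@dataclass
class Outcome:
    actions: List[str] = field(default_factory=list)
    status: str = "open"            # "closed" or "escalated"
    reason: str = ""


Step = Callable[[Alert, Outcome], None]        # an action the playbook takes
Guardrail = Callable[[Alert], Optional[str]]   # returns why an analyst must drive, or None


@dataclass
class Playbook:
    kind: str                       # alert kind this playbook handles
    name: str
    steps: List[Step]
    guardrails: List[Guardrail] = field(default_factory=list)
    auto_close_after: int = 3       # a signature must be this routine before automation may close it

    def run(self, alert: Alert) -> Outcome:
        out = Outcome()
        for check in self.guardrails:          # the unusual case: no automated action, analyst takes the reins
            reason = check(alert)
            if reason:
                out.status, out.reason = "escalated", reason
                return out
        for step in self.steps:                # the practiced, standard actions
            step(alert, out)
        if alert.prior_auto_closes >= self.auto_close_after:
            out.status = "closed"              # the nine-out-of-ten case: closed without an analyst
        else:
            out.status, out.reason = "escalated", "not yet routine; analyst confirms before close"
        return out

    def customize(self, name: str, extra_steps: Iterable[Step] = (),
                  extra_guardrails: Iterable[Guardrail] = ()) -> "Playbook":
        """Derive a SOC-specific variant; the standard playbook stays untouched."""
        return Playbook(self.kind, name, self.steps + list(extra_steps),
                        self.guardrails + list(extra_guardrails), self.auto_close_after)


# --- standard plays every SOC starts with (hypothetical actions) -------------
def quarantine_message(a: Alert, o: Outcome) -> None:
    o.actions.append(f"quarantine message {a.indicators['message_id']}")


def block_sender(a: Alert, o: Outcome) -> None:
    o.actions.append(f"block sender {a.indicators['sender']}")


def block_source_ip(a: Alert, o: Outcome) -> None:
    o.actions.append(f"block {a.indicators['src_ip']} at the perimeter for 1h")


PHISHING = Playbook("phishing", "phishing-standard", [quarantine_message, block_sender])
BRUTE_FORCE = Playbook("brute_force", "brute-force-standard", [block_source_ip])


# --- one SOC's customization: anything aimed at finance gets a human look -----
def finance_recipient(a: Alert) -> Optional[str]:
    if a.indicators.get("recipient", "").endswith("@finance.example.com"):
        return "finance recipient: analyst review required"
    return None


def notify_fraud_team(a: Alert, o: Outcome) -> None:
    o.actions.append("notify fraud team")


ACME_PHISHING = PHISHING.customize("phishing-acme", [notify_fraud_team], [finance_recipient])


class Catalog:
    """Routes an alert to the playbook for its kind and refuses to force-fit an unknown kind."""

    def __init__(self, playbooks: List[Playbook]):
        self.by_kind = {p.kind: p for p in playbooks}

    def handle(self, alert: Alert) -> Outcome:
        playbook = self.by_kind.get(alert.kind)
        if playbook is None:       # e.g. ransomware is not "just malware": don't run the wrong play
            return Outcome(status="escalated", reason=f"no playbook for {alert.kind}")
        return playbook.run(alert)


CATALOG = Catalog([ACME_PHISHING, BRUTE_FORCE])

if __name__ == "__main__":
    routine = Alert("phishing", {"message_id": "m-1", "sender": "x@evil.test",
                                 "recipient": "bob@example.com"}, prior_auto_closes=5)
    print(CATALOG.handle(routine))
```

The two escalation paths are deliberately different: a guardrail hit stops automation before it acts, because the analyst should decide the response, while a merely unfamiliar signature still gets the standard containment steps but stays open for an analyst to confirm. Raising `auto_close_after` is how a SOC tightens how "routine" an alert must be before nobody looks at it.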

The importance of a good cybersecurity playbook should not be underestimated. No team has ever been successful without carefully constructed and practiced ways to beat its opponent. Your SOC team shouldn't be going into battle without that same toolkit. The playbook is the difference between staring at a screen full of threats with confusion, or with the confidence that your SOC can get the job done as a team.