Five Security Automation Playbooks that Pack a Powerful Punch

Can these five simple “utility playbooks” for security automation provide as much value as their larger, more complex counterparts?

I was in Washington, D.C. a few weeks ago for a Security Automation & Orchestration User Conference. (Disclosure: It was Phantom’s conference and I am an employee.)

More than 100 guests attended the event, sharing automation playbooks, apps to connect security products to Security Automation & Orchestration platforms, and advice based on their experience as users. They shared interesting use cases with sophisticated automation involving decision-making logic, human prompts, and playbooks that executed actions to investigate events and even remediate them. It’s always inspiring to see how users are testing the limits of a new technology and using it in ways that you may not have considered yourself.

While Security Automation & Orchestration platforms are certainly equipped to handle complex use cases, it’s not the only way to automate. Simple tasks often thought of as daily annoyances are also perfect for automation; “utility playbooks” as one user coined them. These small playbooks pack a powerful punch.

The user conference offered a great opportunity to explore utility playbooks concepts, so we ran an informal survey with the group. I thought it would be interesting to share a few examples.

1. Event triage

Event triage was the most popular concept discussed. Manually triaging events (e.g. quickly checking the disposition of a file, IP address, or hostname) is a simple yet time-consuming process, and automation can help reduce the time spent gathering this data. Users think this example is useful, and it’s also one that around three-quarters of them have put into practice.
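As an added illustration (not code from the original article or from any particular Security Automation & Orchestration platform), the following utility playbook shows the shape of the triage step described above: pull the indicators out of an alert's free text, look each one up, and turn the verdicts into a disposition the analyst can act on. The reputation table, the alert text and the severity thresholds are all constructed for the example; a real playbook would replace the dictionary lookup with calls to its reputation or sandbox apps.

```python
import re
from dataclasses import dataclass, field

# Constructed reputation data standing in for the lookups a real playbook
# would make against a threat-intel or sandbox app. Assumption: these
# verdicts are illustrative only, not real intelligence.
REPUTATION = {
    "198.51.100.23": "malicious",
    "203.0.113.7": "suspicious",
    "example-cdn.test": "benign",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": "malicious",
}

# Indicator patterns: IPv4 addresses, MD5 hashes and hostnames.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Ordering of verdicts; the event takes the severity of its worst indicator.
SEVERITY = {"malicious": 3, "suspicious": 2, "unknown": 1, "benign": 0}


@dataclass
class TriageResult:
    verdicts: dict           # indicator -> verdict string
    score: int               # worst severity seen
    disposition: str         # "escalate", "analyst review" or "close"
    notes: list = field(default_factory=list)


def extract_indicators(event_text: str) -> dict:
    """Pull IPs, MD5 hashes and hostnames out of free-text alert fields."""
    return {
        "ip": sorted(set(IPV4_RE.findall(event_text))),
        "md5": sorted({h.lower() for h in MD5_RE.findall(event_text)}),
        "host": sorted({h.lower() for h in HOST_RE.findall(event_text)}),
    }


def triage_event(event_text: str, reputation=REPUTATION) -> TriageResult:
    """Enrich every indicator in the alert and derive a disposition."""
    indicators = extract_indicators(event_text)
    verdicts, notes = {}, []
    for kind, values in indicators.items():
        for value in values:
            verdict = reputation.get(value, "unknown")
            verdicts[value] = verdict
            if verdict == "unknown":
                notes.append(f"no reputation data for {kind} {value}")

    # An alert with nothing to look up cannot be auto-closed safely.
    if not verdicts:
        notes.append("no indicators extracted; manual review required")
        return TriageResult(verdicts, 0, "analyst review", notes)

    score = max(SEVERITY[v] for v in verdicts.values())
    if score >= SEVERITY["malicious"]:
        disposition = "escalate"
    elif score == SEVERITY["suspicious"]:
        disposition = "analyst review"
    else:
        disposition = "close"
    return TriageResult(verdicts, score, disposition, notes)


if __name__ == "__main__":
    # Constructed alert text for demonstration.
    sample = ("EDR alert: process dropped 0F1E2D3C4B5A69788796A5B4C3D2E1F0 "
              "and connected to 203.0.113.7 (example-cdn.test)")
    result = triage_event(sample)
    print(result.disposition, result.verdicts, result.notes)
```

The playbook deliberately refuses to auto-close an alert that yields no indicators or only unknown ones: "nothing matched" is not the same as "benign", and the notes list is what the analyst sees in the ticket so the gap is visible rather than silently dropped.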

2. Creating and updating work tickets

Another popular candidate for utility playbooks is creating and updating work tickets. Some claim the interfaces of many case management tools aren’t very “user friendly,” plus the cutting and pasting of information between screens reduces their efficiency. Using automation to manage ticket tracking enables cases to be updated more frequently and easily, ultimately resulting in better auditability and metrics to share with the security team and executives. This example also scored well in usefulness, though only about two-thirds of the users claimed to be doing it.

3. Threat Intelligence recursive investigations

This was a third concept discussed. Analysts often spend valuable time reviewing historical data to determine if they have been affected by a published IOC (Indicator of Compromise), with the task typically resulting in no findings. It was still considered useful by the group, though less than half of them claimed to actually be doing it.
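To make the "recursive" part of this concept concrete, here is an added example (not the article's or any vendor's code) of a historical IOC sweep over a constructed table of connection records: it finds the hosts that contacted a published indicator, pivots to the other destinations those hosts reached, and repeats up to a depth limit. The record set, the allowlist and the depth limit are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed historical proxy/DNS records: (timestamp, host, destination).
# Assumption: illustrative data only.
HISTORY = [
    ("2024-01-03T10:00:00", "ws-17", "updates.example.test"),
    ("2024-01-03T10:05:00", "ws-17", "bad-c2.test"),
    ("2024-01-03T10:06:00", "ws-17", "stage2.test"),
    ("2024-01-04T08:00:00", "ws-42", "stage2.test"),
    ("2024-01-04T08:01:00", "ws-42", "updates.example.test"),
    ("2024-01-05T12:00:00", "ws-99", "updates.example.test"),
]

# Destinations every host talks to; pivoting through them would flag the
# whole fleet, so they are excluded from the recursion.
ALLOWLIST = {"updates.example.test"}


def build_index(records):
    """Index records both ways so each pivot is a dictionary lookup."""
    by_dest, by_host = defaultdict(set), defaultdict(set)
    for _ts, host, dest in records:
        by_dest[dest].add(host)
        by_host[host].add(dest)
    return by_dest, by_host


def investigate(seed_iocs, records, allowlist=ALLOWLIST, max_depth=3):
    """Breadth-first pivot: IOC -> hosts that contacted it -> their other
    destinations -> hosts that contacted those, until max_depth."""
    by_dest, by_host = build_index(records)
    affected_hosts = set()
    derived_iocs = {ioc: 0 for ioc in seed_iocs}   # indicator -> pivot depth
    queue = deque((ioc, 0) for ioc in seed_iocs)

    while queue:
        ioc, depth = queue.popleft()
        hosts = by_dest.get(ioc, set())
        affected_hosts |= hosts
        if depth >= max_depth:
            continue
        for host in hosts:
            for dest in by_host[host]:
                if dest in allowlist or dest in derived_iocs:
                    continue
                derived_iocs[dest] = depth + 1
                queue.append((dest, depth + 1))

    return {"affected_hosts": affected_hosts, "derived_iocs": derived_iocs}


if __name__ == "__main__":
    print(investigate(["bad-c2.test"], HISTORY))
```

Starting from bad-c2.test the sweep reaches ws-17, pivots through stage2.test to ws-42, and stops there because updates.example.test is allowlisted. Running the same sweep with an empty allowlist pulls in ws-99 through the shared update server, which is the false-positive explosion the allowlist and depth limit exist to prevent. When the seed indicator never appears in the history, the result is an empty host set, which is the "no findings" outcome the text describes and a good reason to automate this check rather than have an analyst run it by hand.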

4. Checking antivirus alerts and validating false positives

The fourth utility playbook concept discussed involves checking antivirus alerts and validating false positives. Analysts think this is boring, repetitive work, but understand that it is necessary to ensure other malware components haven’t been installed. The task often results in negative findings or scanning a system with additional tools. This example ranked in the “middle of the pack” in terms of usefulness with about one-third of the users practicing it.

5. Vulnerability reporting and alerting

Of the five concepts presented, this one finished at the bottom of the list in terms of usefulness, though it did score slightly higher than checking antivirus alerts and validating false positives when gauging who is actually doing it. Reviewing vulnerability reports (e.g. history of the system in question) and identifying the system/business owner is a tiring task. Automating this task reduces repetitive work and allows the security team to focus on more pressing issues.

The use cases that can be addressed with Security Automation & Orchestration are nearly limitless, and users are reporting improvements in efficiency and consistency. Though many of the early use cases are focused on incident response, an extensible Security Automation & Orchestration platform can easily support other domains including vulnerability management, user management, penetration testing, intelligence sharing, and more.

While many processes we seek to automate are complex and require sophisticated playbooks, simple utility playbooks like the examples above can also make a meaningful impact and drive greater SOC efficiency.

This article originally appeared on CSO Online as part of the IDG Contributor Network.

CP Morey
