How Automation Playbooks Double Down on the Value of SOARs

So you’ve set up a Security Orchestration, Automation and Response (SOAR) platform. You’re now ready to detect, respond to and remediate whichever threats cyberspace throws at you, right?

Well, not necessarily. To deliver their full value, SOAR tools should be paired with playbooks: predefined response procedures that drive the SOAR and let it remediate threats as quickly as possible, in some cases without waiting for a human to respond at all. You don’t strictly need playbooks to use a SOAR, but they help it do its job faster and more efficiently.

Here’s a look at the role that playbooks play in security orchestration, automation and response, and how they double the value of a SOAR.

What Is a SOAR and How Does It Work?

A SOAR is a security tool or platform where engineers can centrally identify and respond to security risks. The purpose of a SOAR is to help organizations streamline and coordinate the various activities that factor into security operations.

SOARs are similar in some respects to Security Information and Event Management (SIEM) tools. However, whereas the main purpose of a SIEM is to detect threats, SOARs add functionality for managing threats and coordinating response operations.

Although there is some variation between SOARs, most SOARs work by providing the following key types of functionality:

  • The ability to collect and interpret data to detect security risks and breaches.
  • Collaboration features that help stakeholders cooperate during the response process.
  • Incident management tooling, for keeping track of who is doing what as incident response is underway.
  • Integration with various other tools that might form part of a security workflow.

Some SOARs provide additional features, such as threat intelligence (which helps teams understand threats) and incident reporting (to generate reports following incidents).

What Is a SOAR Playbook?

A SOAR playbook is a set of processes that defines how to respond to a certain type of security incident.

For example, a SOAR playbook for a DDoS attack might define:

  • Which alerts or conditions within network monitoring data trigger execution of the playbook.
  • Whom to notify about the DDoS attack.
  • How to redirect traffic while the attack is underway in order to mitigate its impact.
  • How to update firewall rules to block the attack.
  • Which tests to run to validate that the attack has been successfully remediated.

Benefits of SOAR Playbooks

Again, you don’t necessarily need a SOAR playbook in order to use a SOAR. You can take advantage of the security management, orchestration and collaboration features of a SOAR without having playbooks in place.

However, by spelling out the procedures for each of these steps (trigger conditions, notifications, mitigation actions and validation tests) ahead of time, SOAR playbooks allow teams to react more quickly and efficiently to incidents. Without a playbook, the team would need to devise a response plan for each incident as it arises, a process that takes time and delays resolution of the incident.

On top of this, using a SOAR without a playbook would leave teams prone to mistakes or oversights. Playbooks spell out everything that needs to happen in response to a certain incident, minimizing the risk that teams will forget to perform a step critical to definitively resolving the incident, or that they will fail to take effective steps to mitigate the incident’s impact while response is underway.

You can’t develop a playbook for every possible security incident ahead of time, of course. Sometimes, you’ll face attacks that you just didn’t anticipate. But the vast majority of incidents are predictable and can be managed using playbooks.

Automated vs. Human-in-the-Loop Playbooks

In some cases, SOAR playbooks can be used to drive totally automated incident response. This is particularly true in the case of playbooks that address relatively uncomplicated incidents, such as blocking a malicious external host or isolating a compromised endpoint from the rest of the network. In these situations, SOARs can automatically update firewalls to make the necessary changes.

In more complex scenarios, however, SOAR playbooks may only partially automate operations, while requiring human input to complete the full workflow. For example, a SOAR playbook that addresses a ransomware breach could automatically isolate machines infected with the ransomware and alert stakeholders, but leave it up to humans to determine whether they want to pay the ransom or restore systems by hand. Since a decision like this is likely to involve a lot of complex factors (such as the extent of the breach, the type of ransomware and whether clean data backups are available for compromised systems) that are hard to predict ahead of time, it’s not something you’d want to automate fully in most cases.
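The playbook structure described above (a trigger condition, notification, mitigation actions and a validation test) and the human-in-the-loop gate described in this section can be shown together in one small runner. The code below is an added example and is not from the article or any SOAR product; the alerts, the request-rate threshold, the host names and the firewall, EDR, paging and monitoring integrations are all constructed in-memory stand-ins for the tools a real SOAR would call. The DDoS playbook runs end to end automatically, while the ransomware playbook isolates and notifies automatically and then pauses until an analyst supplies the recovery decision.

```python
"""SOAR-style playbook runner: an added example, not code from the article.
All integrations below are constructed stand-ins, not real vendor APIs."""
from dataclasses import dataclass
import ipaddress
from typing import Callable


@dataclass
class Alert:
    kind: str
    fields: dict


@dataclass
class Step:
    name: str
    action: Callable[[Alert, dict], str]  # returns a short status string
    needs_human: bool = False             # True = human-in-the-loop gate


@dataclass
class Playbook:
    name: str
    trigger: Callable[[Alert], bool]      # which alerts start this playbook
    steps: list


# --- constructed integrations (stand-ins for firewall, EDR, paging, monitoring) ---
class Firewall:
    def __init__(self):
        self.blocked = []
    def block(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)  # rejects malformed input
        self.blocked.append(net)
        return f"deny {net}"

class Edr:
    def __init__(self):
        self.isolated = set()
    def isolate(self, host):
        self.isolated.add(host)
        return f"isolated {host}"

class Pager:
    def __init__(self):
        self.sent = []
    def notify(self, who, msg):
        self.sent.append((who, msg))
        return f"notified {who}"

class Monitor:
    """Constructed traffic monitor: attack traffic stops counting once the
    firewall denies a network containing the attacking source address."""
    def __init__(self, fw, baseline_rps, attack_rps, attack_src):
        self.fw, self.baseline, self.attack, self.src = fw, baseline_rps, attack_rps, attack_src
    def current_rps(self):
        src = ipaddress.ip_address(self.src)
        return self.baseline + (0 if any(src in n for n in self.fw.blocked) else self.attack)


def run_playbook(pb, alert, ctx, approvals=None):
    """Run steps in order. A needs_human step executes only when an analyst
    decision for it is present in `approvals`; otherwise the run pauses there."""
    approvals = approvals or {}
    if not pb.trigger(alert):
        return {"playbook": pb.name, "status": "not_triggered", "log": []}
    log = []
    for step in pb.steps:
        if step.needs_human and step.name not in approvals:
            log.append((step.name, "awaiting analyst decision"))
            return {"playbook": pb.name, "status": "paused", "log": log}
        ctx["decision"] = approvals.get(step.name)
        log.append((step.name, step.action(alert, ctx)))
    return {"playbook": pb.name, "status": "completed", "log": log}


RPS_THRESHOLD = 10_000  # constructed trigger/validation threshold

def redirect(alert, ctx):
    ctx["route"] = "scrubbing-center"          # hypothetical traffic redirection
    return "traffic routed via scrubbing-center"

def validate_ddos(alert, ctx):
    rps = ctx["monitor"].current_rps()         # the test that remediation worked
    return "validated" if rps < RPS_THRESHOLD else f"still {rps} rps"

DDOS = Playbook("ddos-volumetric",
    trigger=lambda a: a.kind == "ddos" and a.fields["rps"] >= RPS_THRESHOLD,
    steps=[
        Step("notify", lambda a, c: c["pager"].notify("netops-oncall", f"DDoS from {a.fields['src_cidr']}")),
        Step("redirect", redirect),
        Step("block-source", lambda a, c: c["firewall"].block(a.fields["src_cidr"])),
        Step("validate", validate_ddos),
    ])

RANSOMWARE = Playbook("ransomware",
    trigger=lambda a: a.kind == "ransomware",
    steps=[
        Step("isolate-host", lambda a, c: c["edr"].isolate(a.fields["host"])),
        Step("notify", lambda a, c: c["pager"].notify("ir-lead", f"ransomware on {a.fields['host']}")),
        Step("recovery", lambda a, c: f"{c['decision']} for {a.fields['host']}", needs_human=True),
    ])


def demo():
    """Constructed scenario: one automated DDoS run, one ransomware run that
    pauses at the human gate, then the same run resumed with a decision."""
    fw, pager, edr = Firewall(), Pager(), Edr()
    mon = Monitor(fw, baseline_rps=800, attack_rps=40_000, attack_src="203.0.113.7")
    ctx = {"firewall": fw, "pager": pager, "edr": edr, "monitor": mon}
    ddos = run_playbook(DDOS, Alert("ddos", {"rps": mon.current_rps(), "src_cidr": "203.0.113.0/24"}), ctx)
    ransom = Alert("ransomware", {"host": "ws-042"})
    paused = run_playbook(RANSOMWARE, ransom, ctx)
    done = run_playbook(RANSOMWARE, ransom, ctx, {"recovery": "restore-from-backup"})
    return ddos, paused, done


if __name__ == "__main__":
    for result in demo():
        print(result["playbook"], result["status"], result["log"])
```

The design point is that the gate lives in the playbook definition (`needs_human`), not in the runner: the same runner executes both the fully automated DDoS procedure and the partially automated ransomware procedure, and the paused run's log records exactly which decision is awaited so an analyst can resume it with the context already collected.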

Conclusion: Get More from Your SOAR with Playbooks

SOARs are powerful tools on their own. But they’re even more powerful when paired with playbooks that automate security response operations. Although complete automation is not possible for every playbook, automating as much as you realistically can will save time and minimize the risk of errors that could undercut the effectiveness of your security operations.
