
How Do Playbooks Help CISOs Improve SecOps?

Question: How are playbooks useful in SecOps?

Aimei Wei, founder and CTO, Stellar Cyber: Every day brings a new solution for CISOs to consider. Unfortunately, blending the insights these tools offer and using them to answer tough questions from the board and analysts is challenging. CISOs need more encompassing SecOps solutions that are based on context and insights, not just another acronym that promises to solve every security threat. That’s where automated techniques like playbooks come in.

Put simply, traditional SecOps techniques cannot combine all the alerts and insights each tool gives into an easily understood report. For instance, an identity management tool is useful — it flags unauthorized access or expired access credentials. However, it doesn’t connect such insights to the bigger picture. Which alerts deserve priority based on the asset’s risk? How do you weed out false positives? CISOs need answers but often have to manually put the pieces together.

Playbooks are usually used in the context of SOAR. Playbooks in SOAR products mostly focus on automating the process of how a SOC analyst triages an alert. Users have to develop a specific playbook to triage a specific alert or group and correlate a group of alerts. After the triage of alerts, playbooks can also incorporate an organization’s policy and take some actions.

Lately, extended detection and response (XDR) solutions have evolved to offer CISOs more context. XDR provides visibility into the entire attack surface while correlating alerts to reduce the manual work required. Playbooks can also offer insights into better root cause analysis, boosting analyst productivity.

With XDR, a lot of alert triaging, grouping, and correlating has been done automatically using AI and machine learning without the user having to develop specific playbooks. Playbooks in XDR focus on automating the response actions for various correlated alerts with context already provided by the system to the analyst.

Using AI and ML algorithms to group alerts provides faster attack detection, thanks to everything showing up on a single console — a vast improvement over legacy tech that requires analysts to check disparate systems. And response automation can execute tasks when certain conditions are met, such as shutting down firewall ports upon detecting network threats. Automated workflows like that can be compiled into an XDR playbook, which allows a SecOps team to automate its response when questionable situations arise.

Given the rapid pace of AI research and development, it’s only a matter of time before XDR incorporates predictive AI analytics to offer context to threats and recommended actions. Predictive AI can flag analytics around information collected, vulnerabilities in the system, and misconfigurations for human SecOps analyst review, then send out automated responses. While cost and ROI might place predictive AI beyond the reach of everyone except larger enterprises right now, we can expect democratization in the future, opening the field to organizations of all sizes.
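The triage-then-respond flow described in the answer above (group alerts per asset, weigh them by asset risk, drop known false positives, then apply the organization's response policy), as an added illustration that is not part of the original article or any Stellar Cyber product. The alerts, asset risk ratings, benign-activity list and score threshold are all constructed here for the example.

```python
from collections import defaultdict

# Constructed sample alerts from three hypothetical tools (identity, endpoint, network).
ALERTS = [
    {"tool": "idp", "asset": "fin-db-01", "type": "expired_credential_use"},
    {"tool": "edr", "asset": "fin-db-01", "type": "suspicious_process"},
    {"tool": "ids", "asset": "fin-db-01", "type": "outbound_beacon"},
    {"tool": "idp", "asset": "kiosk-07", "type": "unauthorized_access"},
    {"tool": "ids", "asset": "scanner-01", "type": "port_scan"},
]

# Hypothetical asset inventory: the organization's own risk rating per asset.
ASSET_RISK = {"fin-db-01": 10, "kiosk-07": 2, "scanner-01": 1}

# Policy-level suppression: (asset, alert type) pairs that are expected behaviour,
# e.g. an authorized vulnerability scanner producing port-scan alerts.
KNOWN_BENIGN = {("scanner-01", "port_scan")}

# Response policy: minimum score at which containment may run without a human.
AUTO_ISOLATE_SCORE = 20


def triage(alerts, asset_risk, known_benign):
    """Drop known-benign alerts, group the rest per asset, and score each group."""
    groups = defaultdict(list)
    for alert in alerts:
        if (alert["asset"], alert["type"]) in known_benign:
            continue  # weed out the false positive before it reaches an analyst
        groups[alert["asset"]].append(alert)
    incidents = []
    for asset, items in groups.items():
        tools = sorted({a["tool"] for a in items})
        # Score = asset risk x number of independent tools that flagged the asset,
        # so corroborated activity on a critical asset rises to the top.
        score = asset_risk.get(asset, 1) * len(tools)
        incidents.append({"asset": asset, "alerts": items, "tools": tools, "score": score})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def decide_response(incident, auto_isolate_score=AUTO_ISOLATE_SCORE):
    """Map a scored incident to the action the policy allows the playbook to take."""
    if incident["score"] >= auto_isolate_score:
        return "isolate_host"  # automated containment; analyst is notified
    if len(incident["tools"]) > 1:
        return "escalate_to_analyst"  # corroborated but below the auto-action bar
    return "ticket_low_priority"


def run_playbook(alerts=ALERTS, asset_risk=ASSET_RISK, known_benign=KNOWN_BENIGN):
    """Return (asset, score, action) per incident, highest priority first."""
    return [(i["asset"], i["score"], decide_response(i))
            for i in triage(alerts, asset_risk, known_benign)]
```

With the constructed input, the database host flagged by all three tools is isolated automatically, the kiosk becomes a low-priority ticket, and the scanner's port-scan alert never reaches the queue.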
