Automation in security solutions has gained traction in the last 2-3 years and a SOAR solution is a prime example. SOAR stands for Security Orchestration, Automation, and Response. Without a doubt, automation is the need of the hour for an organization’s cyber security and SOAR rightly helps your SOC by enabling the internal security team to focus on serious and important events or incidents, instead of going through a plethora of events with no or minimal risk.
We have previously discussed two of the most important questions related to a SOAR solution i.e.
In this post, we will discuss incident response playbooks which are the backbone of a SOAR solution.
A SOAR solution has a set of standard use cases such as malware analysis, threat hunting, incident severity assignment, VPN checks, phishing attacks, etc. Incident response playbooks ensure that the objectives of these use cases are met. An incident response playbook can be defined as a set of rules triggered by one or more security events; when a rule fires, a pre-defined action is executed on the event's input data.
For example, an employee receives a targeted email from an attacker containing malicious links. The SOAR solution detects this event immediately and triggers the corresponding playbook. The playbook examines the trustworthiness of the link and takes an action, such as blocking the sender's address from delivering further email, logging the affected employee out of their system, etc.
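To make the trigger/enrichment/action structure concrete, here is an added example of a minimal playbook runner for the phishing scenario above. It is illustrative code written for this post, not part of any SOAR product; the domain reputation set, event fields and action names are constructed assumptions standing in for a real threat-intel lookup and SOAR connectors.

```python
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

# Constructed reputation data (assumption): in a real SOAR this would be a
# threat-intelligence or URL-reputation lookup, not a hard-coded set.
KNOWN_BAD_DOMAINS = {"login-verify.example", "secure-update.example"}


@dataclass
class Event:
    kind: str        # event type reported by the email gateway / SIEM
    data: dict       # input data the playbook acts on


@dataclass
class Playbook:
    name: str
    trigger: str                    # event kind that fires this playbook
    steps: list[Callable]           # ordered steps: (event, ctx) -> list of actions


def check_link(event: Event, ctx: dict) -> list[str]:
    """Enrichment step: keep only links whose host is in the bad-domain set."""
    links = event.data.get("links", [])
    ctx["bad_links"] = [u for u in links if urlparse(u).hostname in KNOWN_BAD_DOMAINS]
    return []                       # enrichment produces no actions itself


def respond(event: Event, ctx: dict) -> list[str]:
    """Response step: decide actions from the enrichment result."""
    if not ctx.get("bad_links"):
        return ["close:no_malicious_link"]
    # Actions named in the post: block the sender, log the employee out.
    return [f"block_sender:{event.data['sender']}",
            f"logout_user:{event.data['recipient']}"]


PHISHING = Playbook("phishing_email", "email.suspicious", [check_link, respond])


def run_playbooks(event: Event, playbooks: list[Playbook]) -> list[str]:
    """Run every playbook whose trigger matches the event; return actions taken."""
    actions: list[str] = []
    for pb in playbooks:
        if pb.trigger != event.kind:
            continue
        ctx: dict = {}              # per-run scratch space shared between steps
        for step in pb.steps:
            actions.extend(step(event, ctx))
    return actions
```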
An ideal SOAR solution comes with a set of pre-defined and tested playbooks and depending upon further requirements of an organization, new playbooks can be created.
The answer to the above-given question is indeed affirmative, and this sharing is often mutual, while the way a playbook is defined remains constant. We recommend five must-have components in a playbook –