Cybersecurity In-Depth

The Edge

How Do Playbooks Help CISOs Improve SecOps?

Extended detection and response (XDR) solutions have evolved to offer automated tools, such as playbooks, that enhance context and response.

Question: How are playbooks useful in SecOps?

Aimei Wei, founder and CTO, Stellar Cyber: Every day brings a new solution for CISOs to consider. Unfortunately, blending the insights these tools offer and using them to answer tough questions from the board and analysts is challenging. CISOs need more encompassing SecOps solutions that are based on context and insights, not just another acronym that promises to solve every security threat. That's where automated techniques like playbooks come in.

Put simply, traditional SecOps techniques cannot combine all of the alerts and insights each tool gives into an easily understood report. For instance, an identity management tool is useful — it flags unauthorized access or expired access credentials. However, it doesn't connect such insights to the bigger picture. Which alerts deserve priority based on the asset's risk? How do you weed out false positives? CISOs need answers but often have to manually put the pieces together.

Playbooks are usually used in the context of security orchestration, automation and response (SOAR). Playbooks in SOAR products mostly focus on automating the process of how a SOC analyst triages an alert. Users have to develop a specific playbook to triage a specific alert or group and correlate a group of alerts. After the triage of alerts, playbooks can also incorporate an organization's policy and take some actions.

Lately, extended detection and response (XDR) solutions have evolved to offer CISOs more context. XDR provides visibility into the entire attack surface while correlating alerts to reduce the manual work required. Playbooks can also offer insights into better root cause analysis, boosting analyst productivity.

With XDR, a lot of alert triaging, grouping, and correlating has been done automatically using artificial intelligence (AI) and machine learning (ML) without the user having to develop specific playbooks. Playbooks in XDR focus on automating the responding actions for various correlated alerts with contexts already provided by the system to the analyst.

Using AI and ML algorithms to group alerts provides faster attack detection, thanks to everything showing up on a single console — a vast improvement over legacy tech that requires analysts to check disparate systems. And response automation can execute tasks when certain conditions are met, such as shutting down firewall ports upon detecting network threats. Automated workflows like that can be compiled into an XDR playbook, which allows a SecOps team to automate its response when questionable situations arise.

Given the rapid pace of AI research and development, it's only a matter of time before XDR incorporates predictive AI analytics to offer context to threats and recommended actions. Predictive AI can flag analytics around information collected, vulnerabilities in the system, and misconfigurations for human SecOps analyst review, and then send out automated responses. While cost and ROI might place predictive AI beyond the reach of everyone except larger enterprises right now, we can expect democratization in the future, opening the field to organizations of all sizes.