
Andy Singer

For a Super Security Playbook, Take a Page from Football

Four key questions to consider as you plan out your next winning security strategy.

The Big Game is just days away. Whether it’s the Patriots or Rams who win the Super Bowl, we know for sure that the end of the season brings with it a period of turnover and uncertainty - feelings familiar to many of us in cybersecurity.

After trophies and parades, bloggers and talk radio turn to a favorite staple: forecasting which teams' assistants will earn head coaching jobs based on the perceived power of their playbooks. This parallels playbook buzz in security, in which a host of community voices are touting playbook-style approaches to security challenges, from expediting repetitive tasks to identifying malware to simulating attackers. Playbooks appeal to the emotional needs of anyone facing high-stakes, must-win scenarios, whether in a stadium or a security operations center (SOC). It is only natural to seek an edge by studying someone's winning formula.

Yet history is full of coaches taking a winning scheme to a new city, where their vaunted playbooks fall short because of different talent, timelines, and owner idiosyncrasies. The same applies to security leaders. So how can you avoid that outcome? Here are four key questions to ask as you study your playbook options.

1. What Does Your Organization Look Like?
Playbooks are supposed to create mismatches - but not in locker rooms and team meetings. Many a coaching guru finds it hard to align trainers, scouts, general managers, and players around their strategies.

However, there are no "rebuilding years" in cybersecurity. Every new tool or formula you introduce has to make a positive difference from Day One. Make sure any playbook approach you are signing up for pairs well with your team, as well as with your executive sponsors' culture and timetable. What are the stakes? If you just received the resources to pick up MITRE ATT&CK and tinker with a few offensive exercises, that carries very different blowback risks compared with swapping out part of your production security stack. Make sure you are on the same frequency as the "owners" so that everyone can be upfront about purpose, needs, and benefits.

2. Is It Your Playbooks - or the Play-Calling?
The entire premise of a playbook's value is the idea that a valid body of experience and community - coaches, athletes, or security experts - found that "in situation [X], action [Y] is usually the most productive option." On the gridiron, it could be a designated quarterback run out of a four-receiver set to fool the defense. On a network, it could be rapidly initiating processes to find and contain files meeting a range of attributes before a payload detonates. But how do you know which play to call and when?

Coaches rely on sideline or press box views to compare what their eyes see with options on a clipboard. In the SOC, the field of action is defined by the complex plumbing of layered security products’ consoles, threat intelligence feeds, SIEM dashboards, and other monitors. Hiccups and misalignment in this plumbing prevent security coaches from knowing the true "down and distance," offsetting any playbook's value. Before replacing your plays, make sure you are calling the game with clear eyes and ears.

3. Do Position Coaches and Players Think?
The best coaches adapt systems to fit their players' unique mix of skills and experience. The same is true in cybersecurity. When you go all-in on a new playbook, you are bound to introduce new roles and assignments. Staff will have to shift how they spend their time, get trained on new tools, or become comfortable handing some of their work over to software. Seek out the players and coaches on your team who will tackle these changes head-on.

In football, certain plays are routine, such as a running play meant to gain the last five yards. Similarly, many plays in security are routine, too, like updating rulesets and filters. The outcome of the game does not hang in the balance. Conversely, just as a blocked punt or a kickoff return for a touchdown can, as the cliché goes, change the whole complexion of the game, SOC teams need to make sure new wrinkles like automation and playbook twists do not trip up the most important things to execute when they matter most.

4. What Do the Numbers Say?
In the metrics-driven sports world, scoreboards are all that matter. If a newly installed offense coincides with a spectacular season, fans thank the playbook before wondering whether fewer injuries or rival teams' down years made the difference.

Unfortunately, there are no universal closing whistles or scoreboards in the art and science of cyber risk. Wins and losses are subjective labels handed out according to organizations' different risk tolerances, assets, and industries. Security leaders have to crunch the right numbers necessary to give boardroom and C-suite decision-makers both skybox and sideline views of the game. Before you swap out playbook code or approaches, consider how they impact the data you must or want to collect and compare.

Vital numbers can take many forms. Consider immediate hard figures, like the rate of incidents detected and investigated and the time to remediation, but press for a sense of incident responders' time and stress levels as well. There needs to be a sound correlation between the two. If a playbook seems to be crushing the numbers but the team still feels overwhelmed or unsure whether new actions are getting to the root cause of issues, you might not have the metrics necessary to back up your coaching decisions, so you'll still need to press playbook developers for improvements.
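As an added illustration (not from the original article), the following Python script computes the "hard figures" named above from a handful of constructed incident records and pairs them with a simple human-load check, so that a strong investigation rate or remediation time can be read alongside how concentrated the work is on individual responders. The `Incident` fields, the sample records, and the 50% concentration threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One SOC incident record (assumed schema, not a real product's)."""
    incident_id: str
    detected_at: datetime
    investigated: bool                 # did a responder actually work the case?
    remediated_at: Optional[datetime]  # None while the case is still open
    assignee: str                      # empty string if nobody picked it up


# Constructed sample data for illustration only.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-1", datetime(2019, 1, 28, 8, 0), True, datetime(2019, 1, 28, 12, 0), "alice"),
    Incident("INC-2", datetime(2019, 1, 28, 9, 30), True, datetime(2019, 1, 28, 11, 30), "alice"),
    Incident("INC-3", datetime(2019, 1, 29, 14, 0), True, datetime(2019, 1, 29, 20, 0), "bob"),
    Incident("INC-4", datetime(2019, 1, 30, 10, 0), False, None, ""),       # detected, never worked
    Incident("INC-5", datetime(2019, 1, 30, 16, 0), True, None, "alice"),   # still open
]


def investigation_rate(incidents: List[Incident]) -> float:
    """Share of detected incidents that a responder actually investigated."""
    if not incidents:
        return 0.0
    return sum(1 for i in incidents if i.investigated) / len(incidents)


def mean_time_to_remediate(incidents: List[Incident]) -> Optional[timedelta]:
    """Average detection-to-remediation time over closed cases; None if none closed."""
    durations = [i.remediated_at - i.detected_at
                 for i in incidents if i.remediated_at is not None]
    if not durations:
        return None
    return sum(durations, timedelta()) / len(durations)


def load_per_responder(incidents: List[Incident]) -> Dict[str, int]:
    """Number of investigated cases handled by each responder."""
    load: Dict[str, int] = {}
    for i in incidents:
        if i.investigated and i.assignee:
            load[i.assignee] = load.get(i.assignee, 0) + 1
    return load


def scorecard(incidents: List[Incident], concentration_threshold: float = 0.5) -> dict:
    """Headline numbers plus the people-side check the article asks for.

    `load_concentrated` is True when one responder carries more than
    `concentration_threshold` of all investigated cases (assumed threshold).
    """
    load = load_per_responder(incidents)
    worked = sum(load.values())
    max_share = (max(load.values()) / worked) if worked else 0.0
    mttr = mean_time_to_remediate(incidents)
    return {
        "investigation_rate": investigation_rate(incidents),
        "mttr_hours": None if mttr is None else mttr.total_seconds() / 3600,
        "open_cases": sum(1 for i in incidents if i.remediated_at is None),
        "max_responder_share": max_share,
        "load_concentrated": max_share > concentration_threshold,
    }


if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the headline numbers look healthy (80% of detections investigated, four hours mean time to remediate), yet three of the four worked cases sit with one responder, which is exactly the mismatch between scoreboard and sideline that the paragraph warns about.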

Winning Strategy
In sports and cybersecurity, change management is the true test of champions. Players get hurt, free agency steals veterans, and opponents get stronger. In every organization, shifts in the business, IT fabrics, and third-party risks constantly send us back to the whiteboard. Accept that no playbook can replace leadership, bypass all constraints, or anticipate the fundamentally unthinkable.

I am optimistic about playbooks these days. Many of us in security were drawing our own plays up in the dirt years ago, comparatively speaking, so the advent of engaged collaboration and communities distilling new security workflows is a good thing. But we need to keep any playbook in perspective. Focus on what improves your day-to-day outcomes, but be careful of falling into a near-sighted obsession with tactics in a game where alignment and organization are the variables between you and success.

Andy Singer is a security industry veteran, with more than 20 years of experience igniting growth, bringing products to market, and entering new markets while also developing strong customer relationships. Prior to joining enSilo, Andy held global marketing leadership roles ...

1/31/2019 | 11:14:36 PM
Reasonable parallel
I agree.

Attackers are very innovative indeed in several aspects.

We need to reconsider the situation on a daily basis and be more innovative too.

Great article, thanks.