Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Andy Singer
Andy Singer
Connect Directly
E-Mail vvv

For a Super Security Playbook, Take a Page from Football

Four key questions to consider as you plan out your next winning security strategy.

The Big Game is just days away. Whether it’s the Patriots or Rams who win the Super Bowl, we know for sure that the end of the season brings with it a period of turnover and uncertainty - feelings familiar to many of us in cybersecurity.

After trophies and parades, bloggers and talk radio turn to a favorite staple: forecasting which teams' assistants will earn head coaching jobs based on the perceived power of their playbooks. This parallels playbook buzz in security, in which a host of community voices are touting playbook-style approaches to security challenges, from expediting repetitive tasks to identifying malware to simulating attackers. Playbooks appeal to the emotional needs of anyone facing high-stakes, must-win scenarios, whether in a stadium or a security operations center (SOC). It is only natural to seek an edge by studying someone's winning formula.

Yet history is full of coaches taking a winning scheme to a new city, where their vaunted playbooks fall short because of different talent, timelines, and owner idiosyncrasies. The same applies to security leaders. So how can you avoid that outcome? Here are four key questions to ask as you study your playbook options.

1. What Does Your Organization Look Like?
Playbooks are supposed to create mismatches - but not in locker rooms and team meetings. Many a coaching guru finds it hard aligning trainers, scouts, general managers, and players around their strategies.

However, there are no "rebuilding years" in cybersecurity. Every new tool or formula you introduce has to make a positive difference from Day One. Make sure any playbook approach you are signing up for pairs well to your team, as well as executive sponsors' culture and timetable. What are the stakes? If you just received the resources to pick up MITRE ATT&CK and tinker with a few offensive exercises, that has very different blowback risks compared with swapping out part of your production security stack. Make sure you are on the same frequency with "owners" so that everyone can be upfront about purpose, needs, and benefits.

2. Is It Your Playbooks - or the Play-Calling?
The entire premise of a playbook's value is the idea that a valid body of experience and community - coaches, athletes, or security experts - found that "in situation [X], action [Y] is usually the most productive option." On the gridiron, it could be a designated quarterback run out of a four-receiver set to fool the defense. On a network, it could be rapidly initiating processes to find and contain files meeting a range of attributes before a payload detonates. But how do you know which play to call and when?

Coaches rely on sideline or press box views to compare what their eyes see with options on a clipboard. In the SOC, the field of action is defined by the complex plumbing of layered security products’ consoles, threat intelligence feeds, SIEM dashboards, and other monitors. Hiccups and misalignment in this plumbing prevent security coaches from knowing the true "down and distance," offsetting any playbook's value. Before replacing your plays, make sure you are calling the game with clear eyes and ears.

3. Do Position Coaches and Players Think?
The best coaches adapt systems to fit their players' unique mix of skills and experience. The same is true in cybersecurity. When you go all-in on a new playbook, you are bound to introduce new roles and assignments. Staff will have to shift how they spend their time, get trained on new tools, or become comfortable handing some of their work over to software. Seek out the players and coaches on your team who will tackle these changes head-on.

In football, certain plays are routine, such as a running play meant to gain at the last five yards. Similarly, in security many plays are routine, too, like updating rulesets and filters. The outcome of the game does not hang in the balance. Conversely, just like a blocked punt or kick-off return for a touchdown can change the whole complexion of the game, as the cliché goes, SOC teams need to make sure new wrinkles like automation and playbook twists do not trip up the most important things to execute when they matter most.

4. What Do the Numbers Say?
In the metrics-driven sports world, scoreboards are all that matter. If a newly installed offense coincides with a spectacular season, fans thank the playbook before wondering whether fewer injuries or rival teams' down years made the difference.

Unfortunately, there are no universal closing whistles or scoreboards in the art and science of cyber risk. Wins and losses are subjective labels handed out according to organizations' different risk tolerances, assets, and industries. Security leaders have to crunch the right numbers necessary to give boardroom and C-suite decision-makers both skybox and sideline views of the game. Before you swap out playbook code or approaches, consider how they impact the data you must or want to collect and compare.

Vital numbers can take many forms. Consider immediate hard figures, like the rate of incidents detected and investigated and time to remediation but press for a sense of incident responders time and stress level as well. There needs to be sound correlation. If a playbook seems to be crushing the numbers but the team still feels overwhelmed or unsure whether new actions are getting to the root cause of issues, you might not have the metrics necessary to back up your coaching decisions so you'll still need to press playbook developers for improvements.

Winning Strategy
In sports and cybersecurity, change management is the true test of champions. Players get hurt, free agency steals veterans, and opponents get stronger. In every organization, shifts in the business, IT fabrics, and third-party risks constantly send us back to the whiteboard. Accept that no playbook can replace leadership, bypass all constraints, or anticipate the fundamentally unthinkable.

I am optimistic about playbooks these days. Many of us in security were drawing our own plays up in the dirt years ago, comparatively speaking, so the advent of engaged collaboration and communities distilling new security workflows is a good thing. But we need to keep any playbook in perspective. Focus on what improves your day-to-day outcomes, but be careful of falling into a near-sighted obsession with tactics in a game where alignment and organization are the variables between you and success.

Related Content:

Andy Singer is a security industry veteran, with more than 20 years of experience igniting growth, bringing products to market, and entering new markets while also developing strong customer relationships. Prior to joining enSilo, Andy held global marketing leadership roles ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
1/31/2019 | 11:14:36 PM
Reasonable parallel
I'm agree. 

Attackers are very  innovative indeed in several aspects. 

We need to reconsider the situation on daily basis and be more innovative too. 

Great article, Thanks
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the fir...
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, due to a lack of proper session controls, a threat actor could make unauthorized changes to an affected router via a specially crafted web page. If an authenticated user were to interact with a malicious web page it could allow for a complete takeover of the router.
PUBLISHED: 2021-06-17
In TrendNet TW100-S4W1CA 2.3.32, it is possible to inject arbitrary JavaScript into the router's web interface via the "echo" command.
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
PUBLISHED: 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose t...