How to benefit from a cyber playbook
How to benefit from a cyber playbook

Cyber attacks are prolific.  We may be stating the obvious, but when the profuse number of attacks are coupled with the fact that they get more sophisticated every day, then the outcome is a security analyst's nightmare.  Although the field of cybersecurity is growing by leaps and bounds, the workforce necessary to support it cannot keep pace with demand. As a result, many organisations remain quite vulnerable to security threats.  The question has shifted from, “Will I be attacked?” to, “When the attack happens, will I be prepared?”

Especially problematic is the lengthy response time to security incidents.  Many recent high-profile attacks have revealed that successful remediation can take many weeks or months to complete. Overworked security analysts have organisations desperately seeking ways to make analyst time more efficient and productive by enabling them to use their skills to handle more complex tasks. One solution? Create a digital cyber playbook that harnesses automation and orchestration technologies.

A cyber playbook is a repository for specific “plays” that a security team can put into action upon attack. The foundation of a playbook is created through comprehensive network analysis and threat-response best practices.  By examining workflows and data directly from all relevant enterprise-wide devices, security specialists can document which tasks are being performed manually and routinely to form the basis of the playbook. Plays can be developed based on specific incident or threat types that then determine the workflows, tools, and processes analysts choose to respond with. Cyber playbooks allow such set courses of action to be unified in real time and combined for a variety of threat-response scenarios. Over time, the playbook grows to incorporate all simple and repeatable courses of action that can be synchronised at speed and scale. It allows analysts to remain in the decision-making chain, but diminishes the hours spent addressing routine tasks.

Take email phishing attacks.  An email with a credit card alert or other urgent message encourages the recipient to click a link. Once the link is opened, cyber attackers can gain access to vast amounts of personal data.  According to the Anti-Phishing Working Group, billions of phishing messages are distributed every month. Although only five percent of recipients respond, that five percent can cause an awful lot of damage—and cost a lot of money.  In fact, the recent phishing attack at St. Aldhelm's Academy in the UK resulted in the theft of more than a million pounds.

These kinds of attacks will continue, and no organisation can protect itself completely from infiltrations. But organisations do need to find a more efficient way of cleaning up after cyber incidents, and using an orchestration platform to execute the cyber playbook provides one such effective path. In the email phishing scenario for example, a cyber playbook could include orchestrated and automated processes that identify the full scope of users affected, provide a means to automate updates of block lists for malicious domains, send notifications to affected users, and begin remediation efforts using malware analysis. Digital workflows and automated recurrent responses allow analysts to act faster and perform fewer manual tasks, which enables them to focus on other more sophisticated threats.

If there is one thing we do know in this ever-changing cyber landscape, it's that the attacks keep coming. As an industry, we need to do all we can to help prepare those on the front lines and give them the tools they need to be successful and to go on to fight another day.

Contributed by Paul Nguyen, President of Global Security Solutions, CSG Invotas