Today, organizations face a complex cyber threat landscape with evolving, more sophisticated attacks. Consequently, companies are preparing themselves by developing an incident response playbook to help them identify the threat, quickly act, and respond to the threat effectively.
An incident response playbook brings together applications and teams into a common workflow so that the organization can respond to a threat faster, recover efficiently, and be more resilient in the future.
What is an incident response playbook?
A playbook or runbook is a series of pre-defined steps organizations should perform when an incident occurs. It’s similar to a flowchart with conditions.
Playbooks are purposefully built to cater to a particular incident or scenario. For example, a playbook for responding to a data breach will differ from a playbook for getting systems back online after a network outage.
Rishi Bhargava, VP of Product Strategy at Palo Alto Networks, states: “There is a big misconception that playbook means everything is automated…” A playbook might contain steps that are automated, but certain steps could be manual too. The responsible team or individual must perform the manual steps in the manner defined in the playbook.
After you have defined the steps in your playbook, you can work toward automating some of the steps by integrating the applications involved in each step. The more you automate, the faster you can respond to the threat. However, it’s important to remember that you might not be able to automate everything. Critical steps might still require manual intervention.
How incident response playbooks benefit organizations
Consistency of actions
Whenever you follow a set of pre-defined processes for a task, you are assured that the flow is maintained irrespective of the person undertaking the task. If something goes wrong, it’s easy to trace back and find out the reason because protocols and steps are recorded and documented along the way.
Automation brings efficiency and speed
When processes are automated, the response is much faster as there is less human intervention involved.
Reduces human errors
During a cyber threat, mistakes can be costly. As automation ensures most of the workflow is completed, humans can focus solely on the critical pieces that require their attention.
Promotes team collaboration
Steps in an incident response playbook can span across multiple teams such as IT, data security, network operations, and so on. As the steps are intertwined, all teams must come together to understand who is responsible for which step and how their applications integrate and pass data between each other.
Scenarios where you can use these playbooks
Identifying a threat
Every alert that a security tool generates must be checked to identify whether it’s really a threat. You can fetch information, such as the owner of the data, when the data was last backed up, or the location from which the data was accessed, using applications like Druva. This information can then be fed into a security automation tool like Cortex XSOAR from Palo Alto Networks. Once the security tool has processed the data, it can determine whether it’s a real threat before initiating the next set of steps.
Containing an incident
Restricting the infection to a few data sources is a crucial step in defending against a cyber attack. Your playbook can specify how to take a device or server offline as soon as your network management tool detects anomalous network behavior.
Conducting deep forensics
You should use a playbook to pull information from several applications that can help uncover how and when you were attacked by ransomware. The playbook can consolidate this information into a CSV file and email it to stakeholders for analysis of the gaps that need to be filled.
After you have manually deleted the malware from the infected data, you can use a playbook to automatically restore all quarantined data to its respective locations.
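The four scenarios above, together with the earlier point that a playbook is a flowchart with conditions in which some steps are automated and others manual, can be modelled in a few dozen lines. The following is an added example written for this article, not Druva's or Palo Alto Networks' code and not the Cortex XSOAR or Druva API: the backup inventory, the alerts, the triage heuristic and every team and step name are constructed for illustration. It shows a playbook runner that walks the steps in order, branches on the triage verdict, pauses at a manual step until the responsible team confirms it, and records every step in an audit trail so the run can be traced back afterwards.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data standing in for what a backup application would
# return about a data source (hypothetical, not a real Druva or XSOAR API).
BACKUP_INVENTORY = {
    "fileserver01:/finance": {
        "owner": "finance-team", "last_backup": "2021-06-01T02:00:00Z",
        "usual_regions": {"eu-west"},
        "quarantined_files": ["budget.xlsx.locked", "q2.docx.locked"],
    },
    "laptop-42:/home/ana": {
        "owner": "ana", "last_backup": "2021-06-01T04:00:00Z",
        "usual_regions": {"eu-west", "eu-central"}, "quarantined_files": [],
    },
}

@dataclass
class Step:
    """One node of the playbook flowchart."""
    name: str
    owner: str                                        # team accountable for the step
    action: Optional[Callable[[dict], None]] = None   # None => manual step
    route: Callable[[dict], Optional[str]] = lambda ctx: None  # condition -> next step

@dataclass
class RunResult:
    status: str                      # completed | closed_false_positive | awaiting_manual
    audit: list = field(default_factory=list)   # (step, owner, how it was handled)
    context: dict = field(default_factory=dict)

def run_playbook(steps, start, alert, manual_done=frozenset()):
    """Walk the flowchart from `start`. Automated steps run immediately; a manual
    step pauses the run until its name is in `manual_done` (the responsible team
    confirming it was performed). Every step visited lands in the audit trail."""
    ctx, audit, current = {"alert": dict(alert)}, [], start
    while current is not None:
        step = steps[current]
        if step.action is None and step.name not in manual_done:
            audit.append((step.name, step.owner, "waiting"))
            return RunResult("awaiting_manual", audit, ctx)
        if step.action is not None:
            step.action(ctx)
            audit.append((step.name, step.owner, "automated"))
        else:
            audit.append((step.name, step.owner, "manual-confirmed"))
        current = step.route(ctx)   # the condition that picks the next box
    status = "closed_false_positive" if ctx.get("verdict") == "false_positive" else "completed"
    return RunResult(status, audit, ctx)

# --- automated steps: identify, contain, forensics, recover ------------------
def enrich_alert(ctx):
    """Identify: fetch owner, last backup time and whether the access region is unusual."""
    alert = ctx["alert"]
    info = BACKUP_INVENTORY[alert["data_source"]]
    ctx["enrichment"] = {"owner": info["owner"], "last_backup": info["last_backup"],
                         "unusual_region": alert["access_region"] not in info["usual_regions"]}

def triage(ctx):
    """Constructed heuristic: unusual region plus a burst of changed files => threat."""
    threat = ctx["enrichment"]["unusual_region"] and ctx["alert"]["files_changed"] >= 100
    ctx["verdict"] = "threat" if threat else "false_positive"

def isolate_host(ctx):
    """Contain: record the host to be taken offline by the network management tool."""
    ctx["isolated_hosts"] = [ctx["alert"]["host"]]

def forensics_report(ctx):
    """Forensics: consolidate what is known into a CSV for stakeholders."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    writer.writerow(["host", ctx["alert"]["host"]])
    writer.writerow(["owner", ctx["enrichment"]["owner"]])
    writer.writerow(["last_backup", ctx["enrichment"]["last_backup"]])
    writer.writerow(["files_changed", ctx["alert"]["files_changed"]])
    ctx["report_csv"] = buf.getvalue()

def restore_quarantined(ctx):
    """Recover: restore quarantined files once malware removal has been confirmed."""
    ctx["restored"] = list(BACKUP_INVENTORY[ctx["alert"]["data_source"]]["quarantined_files"])

RANSOMWARE_PLAYBOOK = {
    "enrich": Step("enrich", "automation", enrich_alert, lambda c: "triage"),
    "triage": Step("triage", "automation", triage,
                   lambda c: "isolate" if c["verdict"] == "threat" else None),
    "isolate": Step("isolate", "network-ops", isolate_host, lambda c: "remove_malware"),
    "remove_malware": Step("remove_malware", "soc-analyst", None, lambda c: "report"),
    "report": Step("report", "automation", forensics_report, lambda c: "restore"),
    "restore": Step("restore", "backup-admin", restore_quarantined),
}

# Constructed alerts: one ransomware-like, one benign.
ALERT_THREAT = {"host": "fileserver01", "data_source": "fileserver01:/finance",
                "access_region": "ap-south", "files_changed": 1400}
ALERT_BENIGN = {"host": "laptop-42", "data_source": "laptop-42:/home/ana",
                "access_region": "eu-central", "files_changed": 3}

if __name__ == "__main__":
    for alert in (ALERT_BENIGN, ALERT_THREAT):
        result = run_playbook(RANSOMWARE_PLAYBOOK, "enrich", alert)
        print(result.status, [entry[0] for entry in result.audit])
    print(run_playbook(RANSOMWARE_PLAYBOOK, "enrich", ALERT_THREAT, {"remove_malware"}).status)
```

The benign alert is closed after two automated steps; the ransomware-like alert is enriched, triaged and contained automatically, then stops at `remove_malware` until the analyst confirms it, after which the report and restore steps run without further intervention. The audit trail is what gives the consistency the article describes: whoever runs the playbook, the same steps are recorded with the same owners.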
Can you create your own incident response playbook?
Absolutely, yes! Rishi of Palo Alto Networks mentions that Cortex XSOAR, a security automation tool, has several use case-specific sample playbooks available for use. However, if you want to make changes to the playbook to suit your organization’s requirements, you have the flexibility to customize it per your needs and protocols.
You can also combine steps from multiple sample playbooks to build your own custom playbook.
Similarly, some of the applications that you already use today might also have their own playbooks you can explore. Rishi believes that Druva’s app in the Cortex XSOAR marketplace can be a good starting point for organizations looking to defend themselves against ransomware.
Watch this 15-minute video where he talks to Prem Ananthakrishnan, VP Product at Druva, on creating playbooks and their value to today’s organizations. And watch Druva’s Cyber Resilience Virtual Summit 2021, now available on demand. In eight 10-15-minute sessions, security leaders, Druva experts, and industry peers discuss how to ensure ransomware is no more than a minor inconvenience. When your data is taken hostage, you need the right people on your team to get it back with confidence.
What does the future hold?
Rishi believes that we are at the beginning of the security automation space. As time progresses, he thinks that along with Druva, Cortex XSOAR can address far more advanced use cases, such as:
- Timeseries analysis
- Recovery orchestration
- Insider threat management
Learn more about how The Druva Data Resiliency Cloud ensures data integrity with air-gapped, truly immutable backups that make it impossible for ransomware to execute in your backup environment.