Why playbooks belong in every agency’s cyber toolkit
- By Greg Kushto
- Mar 09, 2017
IT professionals live in a world of constant change where threats and technologies evolve every day. Nowhere is that more true than in government IT departments, which often face the added challenges of complicated infrastructure, budget limitations and skills shortages.
It’s common to see agencies running various overlapping and sometimes incompatible security technologies. This creates obvious challenges in the event of a cyberattack -- and it’s why every agency needs a playbook.
Playbooks are repositories of automated cybersecurity responses or “plays” -- in other words, a handbook of processes for responding to specific security incidents. They overlay the entire network and can be combined and initiated automatically to thwart cyber threats, even for incompatible network technologies. Used well, the adaptability and integrated nature of playbooks could revolutionize government IT.
Improve incident response times
The traditional response to a cyberattack requires that analysts first spot the threat and then manually fire up five or six security tools. Next, they run a virus check, wait for it to finish and review the server logs -- a time-consuming task without which no remedy can be achieved.
However, playbooks allow organizations to automatically run any security tools required to fight an attack and then present the findings to an analyst. This, in turn, saves time and energy for that analyst, who instead can concentrate on determining the best remedy. Moreover, it lessens the risk of human error: Because computers are more adept at these jobs, organizations can decrease their threat response time and improve their threat response overall.
Deliver standardized responses
People rarely discuss the importance of standardized attack responses. Yet such responses fall right into government’s sweet spot.
Think of it this way: Analysts are humans, not computers. They each have different skillsets, backgrounds, experiences and, as a result, different ways of doing things. As such, two analysts might investigate the same incident in completely different ways -- delivering completely different outcomes.
Playbooks eradicate this problem by helping staff carry out tasks the same way every time. The resulting process improves efficiency and transparency in the fight against cybercrime.
Develop cyber talent
A standardized cybersecurity approach also makes it easier to train security analysts.
Security today is more art than science. Analysts are experts in specific areas, but rarely the whole environment, because they’ve learned everything they know through on-the-job experience. If such an analyst leaves -- or simply calls in sick -- it creates trouble for the rest of the team, which is forced to figure out how he or she approached incident investigation.
Training often focuses on junior analysts shadowing existing security analysts to gain experience. As such, junior analysts learn as they go, ultimately developing their own methodologies and, often, their own work-style quirks. This system, however, makes it difficult for new analysts to get a well-rounded security education.
A standard cybersecurity approach keeps current and future cyber talent on the same page and gives new analysts a consistent security curriculum.
Playbooks also allow people who are new to security to manage data that is already being produced by an organization’s security tools. They can be entrusted with analyzing this data and then passing what’s relevant on to someone more senior. And while they may not understand every step of the process, the playbook can ensure they understand what data matters most and why.
Government agencies work hard to stay ahead of cybercriminals, but working hard isn’t always enough -- they also must work smarter. Playbooks provide a great opportunity to meet this goal by automating and standardizing the security process even amidst change.
The result? Analysts can focus on decision making and problem solving.
Greg Kushto is director of security and enterprise networking at Force 3.