Security Playbook Automation

Image may contain: Logo, Text, Font, Trademark, Graphics.

The ability to quickly identify and understand the nature of cyber threats as they emerge, but also act with agility in applying effective cyber controls to prevent and respond to continuously evolving cyberattacks is of undeniable importance.

If the typical time an attacker needs from the initial compromise to complete takeover of company infrastructures has been greatly reduced, it is of great necessity to also automate our response actions towards effective mitigation, containment, or outmaneuver of attacks.

In an era of proliferating cyberattacks,  CONCORDIA  with significant partnerships and collaboration has set a goal of providing cyber defenders with ways of responding to emerging cyberthreats in  cyber-relevant times . This requires partially or fully automating repetitive tasks in security operations and incident response. The University of Oslo, SIEMENS, and DFN-CERT through  CONCORDIA  unite their powers for developing technologies for sharing and automating courses of action for cyber defense.

Security playbooks  are a way of documenting knowledge acquired from particular security incidents and methodologies of processing and analyzing events triggered by a security solution. Most of the times, consumption of such playbooks in an automated fashion is impossible due to their non-standardized and non-machine-readable nature. In many cases, though, organizations of high-security maturity use proprietary technology to partially automate such playbooks.

Automation is a crucial enabler to information exchange and incident response. It is widely known that the task of receiving actionable information and appropriately responding in the light of this information in cyber-relevant times is quite challenging. Sharing security / response playbooks in a standardized way will allow organizations to consume such actions in response to an incident at machine time. Such playbooks can be shared as part of cyber threat intelligence such as CTI platforms like MISP (Malware Information Sharing Platform) or threat information sharing languages ​​like STIX (Structured Threat Information eXpression).This approach has many advantages such that analysts can reduce the time needed to validate an alert allowing them to handle many more incoming alerts and increase their confidence in responding to incidents,

CONCORDIA  is developing a flexible and adaptive machine-readable language for coordinating / orchestrating courses of action through security playbooks with a future plan to integrate proof of concept implementation of this work at MISP.

In support of this effort,  CONCORDIA  has also joined a new working group known as the Collaborative Automated Course of Action Operations for Cyber ​​Security (CACAO), where governments, organizations, and security vendors work together on standardizing security playbooks.


Author: Vasileios Mavroeidis

The article is available at: Concordia-H2020

By Vasileios Mavroeidis
Published Jan. 30, 2020 11:52 AM - Last modified Jan. 30, 2020 11:52 AM