Security Playbook Automation
The ability not only to quickly identify and understand the nature of cyber threats as they emerge, but also to act with agility in applying effective cyber controls to prevent and respond to continuously evolving cyberattacks, is of undeniable importance.
Given that the typical time an attacker needs from the initial compromise to the complete takeover of a company's infrastructure has been greatly reduced, it is essential to also automate our response actions so that attacks can be effectively mitigated, contained, or outmaneuvered.
In an era of proliferating cyberattacks, CONCORDIA, through significant partnerships and collaboration, has set a goal of providing cyber defenders with ways of responding to emerging cyberthreats in cyber-relevant time. This requires partially or fully automating repetitive tasks in security operations and incident response. The University of Oslo, SIEMENS, and DFN-CERT join forces through CONCORDIA to develop technologies for sharing and automating courses of action for cyber defense.
Security playbooks are a way of documenting knowledge acquired from particular security incidents, as well as methodologies for processing and analyzing events triggered by a security solution. Most of the time, consuming such playbooks in an automated fashion is impossible because they are neither standardized nor machine-readable. In many cases, though, organizations with high security maturity use proprietary technology to partially automate such playbooks.
Automation is a crucial enabler of information exchange and incident response. It is widely known that receiving actionable information and responding appropriately to it in cyber-relevant time is quite challenging. Sharing security and response playbooks in a standardized way will allow organizations to consume such actions in response to an incident at machine speed. Such playbooks can be shared as part of cyber threat intelligence, through CTI platforms such as MISP (Malware Information Sharing Platform) or threat information sharing languages such as STIX (Structured Threat Information eXpression). This approach has many advantages: analysts can reduce the time needed to validate an alert, allowing them to handle many more incoming alerts and increase their confidence in responding to incidents.
CONCORDIA is developing a flexible and adaptive machine-readable language for coordinating and orchestrating courses of action through security playbooks, with a future plan to integrate a proof-of-concept implementation of this work into MISP.
In support of this effort, CONCORDIA has also joined a new working group known as the Collaborative Automated Course of Action Operations for Cyber Security (CACAO), where governments, organizations, and security vendors work together on standardizing security playbooks.
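To make the idea of consuming a shared playbook "at machine speed" concrete, here is an added example (not CONCORDIA's, MISP's or CACAO's code) of a minimal executor that walks a machine-readable playbook and dispatches its actions to local handlers. The playbook is a constructed sample shaped like a CACAO workflow (start, action, if-condition and end steps linked by on_completion / on_true / on_false); the step ids, command names and the restricted condition syntax are assumptions made for this illustration.

```python
import json
import re

# Constructed sample in the shape of a CACAO-style workflow. Field names follow the
# CACAO playbook model as understood here; ids, names and commands are made up.
SAMPLE_PLAYBOOK = json.loads("""{
 "type": "playbook", "name": "Contain host flagged by an IDS alert",
 "workflow_start": "start--1",
 "workflow": {
  "start--1": {"type": "start", "on_completion": "action--enrich"},
  "action--enrich": {"type": "action", "commands": [{"type": "manual", "command": "lookup_asset"}],
                     "on_completion": "if-condition--tier"},
  "if-condition--tier": {"type": "if-condition", "condition": "asset_tier == 'critical'",
                         "on_true": "action--ticket", "on_false": "action--isolate"},
  "action--isolate": {"type": "action", "commands": [{"type": "manual", "command": "isolate_host"}],
                      "on_completion": "end--1"},
  "action--ticket": {"type": "action", "commands": [{"type": "manual", "command": "open_ticket"}],
                     "on_completion": "end--1"},
  "end--1": {"type": "end"}
 }}""")

_COND = re.compile(r"^\s*(\w+)\s*(==|!=)\s*'([^']*)'\s*$")

def eval_condition(cond, ctx):
    """Evaluate the restricted form  key == 'value' / key != 'value'  against ctx.
    Deliberately not eval(): a playbook received from a sharing platform is untrusted input."""
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    key, op, value = m.groups()
    equal = str(ctx.get(key)) == value
    return equal if op == "==" else not equal

def run_playbook(playbook, ctx, handlers, max_steps=100):
    """Walk the workflow from workflow_start, dispatching each action's commands to
    handlers (command name -> callable(ctx) returning ctx updates or None).
    Returns the ordered list of executed command names."""
    steps, executed = playbook["workflow"], []
    step_id = playbook["workflow_start"]
    for _ in range(max_steps):  # bounded walk: a malformed playbook must not loop forever
        step = steps[step_id]   # a dangling step reference raises KeyError, which is the right failure
        kind = step["type"]
        if kind == "end":
            return executed
        if kind == "if-condition":
            step_id = step["on_true"] if eval_condition(step["condition"], ctx) else step["on_false"]
            continue
        if kind == "action":
            for cmd in step["commands"]:
                ctx.update(handlers[cmd["command"]](ctx) or {})
                executed.append(cmd["command"])
        step_id = step["on_completion"]
    raise RuntimeError("playbook exceeded max_steps")
```

Handlers can be dry-run stubs (as in a test) or wrappers around real tooling, so the same shared playbook runs first in simulation and then for real.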
Author: Vasileios Mavroeidis
The article is available at: Concordia-H2020