Would Tom Brady go into a Super Bowl without a playbook? Having a cybersecurity playbook is no different. In a truly proactive security approach, it outlines how to handle various security situations around a specific environment. Due to the custom nature of playbooks, creating and building one should be one of the first steps when kicking off a security plan.
What does a playbook cover?
Also known as an “Incident Response Playbook”, a cybersecurity playbook is a collection of predetermined responses to a specific type of security event. Example responses include:
- Phishing Attack
- Unauthorized Domain Admin Access
- Ransomware Attack
- Malware Infection
- Simultaneous Logins
While many organizations will create responses to the same attacks, the first thing to know is that playbooks are not one size fits all. Every organization is different and requires a custom playbook for the exact setup and tools in place. Having clear understandings of the entire infrastructure and roles of the team are keys to developing a complete playbook.
As an MSSP, we begin creating playbooks in the first phases of onboarding a customer. It opens communications and expectations for both parties while guiding the rest of the implementation, configuration and ongoing management. If you’re not working with a security service to help, we’ll share some secrets to creating your own cybersecurity playbook.
How to build a playbook.
The beauty of an incident response playbook is that it is completely custom to an environment. Sure, playbooks can be adapted from one to another, but at the end of the day each is built around one environment – and you know yours best. The following are four simple questions from ISACA that outlines what the playbook needs to cover.
- What is the organization trying to protect?
- What are the threats?
- How does the organization detect them?
- How does the organization respond to threats?
Keep in mind that it is a comprehensive playbook. Document every threat and response in detail to ensure all threats and attacks are handled properly going forward.
Tips for customizing a cybersecurity playbook.
With customization a crucial component in a successful incident response playbook, we asked Jon-Michael Lacek, cybersecurity expert on his top tips for customizing your own:
- Don’t re-invent the wheel, start with a generic template based on the security event you are developing a playbook for. Yes, it will still need to be edited for your unique environment, but that doesn’t mean you can’t use templates as a foundation.
- Never let an event go to waste. Did you get stuck, or find yourself asking additional questions to paint the overall picture of what was taking place within an alert? Use all events as learning opportunities to continuously improve plays.
- Where did you obtain the additional context? Existing tools? Online resources? Document everything for a complete understanding.
- Automate where possible. Do playbooks share similar tasks? Determine which ones are called upon the most and if possible, automate that task.
Use the tips above to successfully create your own (trust us, you’ll be thankful later). And don’t forget that playbooks are practice and preparation for attacks, the Super Bowl of the cybersecurity world. Once built, explore other areas of Brite’s security approach.