IBM Security Cloud Pak for Security

Putting Security Playbook Design Back in the Hands of Security Analysts

By Raymond Suarez posted Wed May 05, 2021 12:13 PM


In my Product Management role at IBM, I’ve spent a considerable amount of time working with prospects and new customers. In my experience, it has not gone unnoticed that many security analysts come to IBM after struggling with the technical burden placed on them by competitor products that require extensive Python scripting just to automate the simplest paper-based security playbooks. These technical burdens also slow the evolution of playbooks at a time when security threats are morphing at an ever-increasing pace.

The new IBM Security SOAR Playbook Designer helps analysts graphically build the playbooks they need – not the playbooks that reside at the edge of their technical skills. The IBM Security SOAR Playbook Designer is the next step in the evolution of playbook design, allowing Security Analysts to graphically design conditions and subsequent activities.

Now that security teams can quickly and easily create all the playbooks they need, they can also manage their playbook library with the new Playbook Manager. The Playbook Manager displays all the available playbooks and their statuses while providing the ability to edit or create new playbooks.

IBM Security SOAR uses all the customizations in the playbook toolkit such as playbook activation conditions, tasks, functions, and scripts. It also provides one central location of components that include:

  • Library - The playbook designer library provides access to customizations and conditional logic that you use to build your playbook.
  • Canvas - The canvas section of the Playbook Designer is the graphic interface where you design your playbook.
  • Detail panels - Panels provide information about the playbook or a selected item.
  • Global and local scripts - You can choose to use global scripts or write a local script specific to the playbook.
  • Function inputs - As with a function in a workflow, you can provide the input values to a function manually or programmatically.
  • Function output - As with a function in a workflow, the function's output data can be accessed by scripts invoked later in the playbook.

Each Case/Incident comes with a playbook progress bar to show the status of the playbook as the team progresses through the pre-established tasks. One playbook does not rule them all; package your playbooks into a powerful suite that allows reuse in multiple security scenarios by allowing one playbook to trigger other playbooks in a symphony of response.

The following are some simple scenarios to get you started and are guaranteed to improve your organization’s security posture:

  • Monitoring and Escalation - When a significant event occurs, applications connect to the IBM Security SOAR platform to escalate incidents from email, SIEMs, ticketing systems, and other sources, and include artifacts such as IP addresses, file hashes, URLs, usernames and machine names.
    The App Exchange contains two such apps: the IBM Security SOAR (formerly Resilient) and IBM Security QRadar SIEM integration, and the IBM Security SOAR (formerly Resilient) Integration for Splunk.
  • Identification and Enrichment - Automatic threat intelligence lookups, playbooks or workflows, and menu-driven actions deliver valuable context and reduce the time needed to identify scope and impact, enabling a rapid, decisive response. Trigger sandbox evaluation and build playbooks to act on the results. Search logs and endpoints and make decisions based on the data. Include Configuration Management Database (CMDB) and directory information to help analysts make an accurate assessment of severity and impact. Pivot on these critical data elements to dynamically adjust the way your team responds.
  • Containment, Response and Recovery - Based on trigger conditions or on manual actions, the Resilient platform can send notifications or initiate external activities to contain the threat and adjust your security posture as part of your response playbook. The Ansible for IBM Security SOAR (formerly Resilient) app is an example of this type of app.
  • Communication and Coordination - By integrating beyond the SOC, users can coordinate a fast and effective incident resolution from the Resilient platform. Integrate bi-directionally with ticketing and service management, smart notifications, communication platforms and other business applications. Email is a good simple example of the communication and coordination aspect. See the description of the Outbound Email for IBM Security SOAR (formerly Resilient) app.
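The scenario list above describes a chain: an incident arrives with artifacts, an enrichment function looks them up, a script reads that function's output and branches on it, and a containment playbook is triggered by the first one. The following miniature playbook engine is an added example written for this post; it is not IBM Security SOAR code and does not use the product's scripting API. The class and function names (`Engine`, `Playbook`, `enrich`, `decide`, `request_block`), the threat-intelligence table and the sample incident are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List


@dataclass
class Incident:
    """A case escalated into the engine, carrying the artifacts the source supplied."""
    id: str
    severity: str
    artifacts: List[Dict[str, str]]
    notes: List[str] = field(default_factory=list)
    # Function outputs, keyed by function name, so later scripts can read them.
    outputs: Dict[str, Any] = field(default_factory=dict)


# Constructed lookup table standing in for an external threat-intelligence service.
THREAT_INTEL = {
    "203.0.113.5": {"verdict": "malicious", "score": 90},
    "a" * 32: {"verdict": "malicious", "score": 60},   # placeholder MD5 value
}


@dataclass
class Playbook:
    name: str
    activation: Callable[[Incident], bool]              # activation condition
    steps: List[Callable[["Engine", Incident], None]]   # functions/scripts run in order


class Engine:
    def __init__(self) -> None:
        self.playbooks: Dict[str, Playbook] = {}
        self.run_log: List[str] = []   # playbooks that ran, in order

    def register(self, playbook: Playbook) -> None:
        self.playbooks[playbook.name] = playbook

    def trigger(self, name: str, incident: Incident) -> None:
        """Run one playbook by name; a step may call this to chain another playbook."""
        self.run_log.append(name)
        for step in self.playbooks[name].steps:
            step(self, incident)

    def evaluate(self, incident: Incident) -> None:
        """Run every playbook whose activation condition matches, once each."""
        for playbook in list(self.playbooks.values()):
            if playbook.activation(incident) and playbook.name not in self.run_log:
                self.trigger(playbook.name, incident)


def enrich(engine: Engine, inc: Incident) -> None:
    """Function: look up each artifact; the result is stored as this function's output."""
    inc.outputs["enrich"] = {
        a["value"]: THREAT_INTEL.get(a["value"], {"verdict": "unknown", "score": 0})
        for a in inc.artifacts
    }


def decide(engine: Engine, inc: Incident) -> None:
    """Script: read the enrichment output and branch on the highest score seen."""
    worst = max(v["score"] for v in inc.outputs["enrich"].values())
    if worst >= 80:
        inc.severity = "High"
        inc.notes.append(f"Escalated: highest threat score {worst}")
        engine.trigger("containment", inc)   # one playbook triggers another
    else:
        inc.notes.append("No high-confidence indicators; left for analyst review")


def request_block(engine: Engine, inc: Incident) -> None:
    """Function: list the malicious IPs to hand to a firewall integration (stubbed here)."""
    inc.outputs["block_requests"] = [
        a["value"] for a in inc.artifacts
        if a["type"] == "ip" and inc.outputs["enrich"][a["value"]]["verdict"] == "malicious"
    ]


def notify(engine: Engine, inc: Incident) -> None:
    """Script: the communication step, recorded as a note instead of sending email."""
    inc.notes.append(f"Notified on-call: {len(inc.outputs['block_requests'])} block request(s) queued")


def build_engine() -> Engine:
    engine = Engine()
    engine.register(Playbook("triage", lambda inc: len(inc.artifacts) > 0, [enrich, decide]))
    # Containment has no automatic activation condition; it runs only when triggered.
    engine.register(Playbook("containment", lambda inc: False, [request_block, notify]))
    return engine


def run_demo():
    """Escalate a constructed incident and return it with the order playbooks ran."""
    engine = build_engine()
    inc = Incident(id="INC-0001", severity="Low", artifacts=[
        {"type": "ip", "value": "203.0.113.5"},
        {"type": "md5", "value": "a" * 32},
        {"type": "ip", "value": "198.51.100.7"},
    ])
    engine.evaluate(inc)
    return inc, engine.run_log


if __name__ == "__main__":
    incident, log = run_demo()
    print(log, incident.severity, incident.outputs["block_requests"], *incident.notes, sep="\n")
```

The point to take from the structure is that `decide` never queries threat intelligence itself; it only reads what `enrich` stored in `inc.outputs`, which is what lets a playbook designer swap the enrichment source without touching the decision logic or the containment playbook it triggers.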

In addition, IBM Security SOAR Playbook Designer enables security teams to derive a return on investment. It helps streamline playbook creation and modification, delivers an intuitive single canvas experience, unifies process, integrations, and automations, and includes built-in startup and help experiences. Analysts can create detailed tasks and workflow elements from a single location and quickly process and transform threat/enrichment data without code to accelerate response times.

I believe IBM Security SOAR Playbook Designer empowers analysts of all skill levels to create, edit and customize playbooks within a short time, and reduce their struggles. Learn more about Playbook Designer here.