Gartner Blog Network


Canned Playbooks: Are They Realistic?

by Anton Chuvakin  |  March 15, 2019  |  1 Comment

One of the new ideas we had for a 2019 research paper is something clients often (well, often–ish) ask about: what to do if you encounter a particular threat or a particular type of incident? A sort of playbook for confirming, investigating and responding to a particular threat type.

Naturally, most threats in real life would be relatively mundane and – here I will make a faux pas and call “a threat actor” a threat – not of the “OMG I MET A GOTHIC PANDA IN A DARK ALLEY” variety. You know, of the non-targeted / non-APT variety. So the list of situations is finite and easily enumerable.

Now, admittedly SOAR vendors are doing this, with a modicum of success. But even their playbooks suffer from the problem below, and few if any are truly usable without changes.

So, here is our conundrum:

I. Such a project is realistic [but useless] at a high level of abstraction.

II. Such a project is likely unrealistic at a low level of abstraction since most people use different tools.

Here is choice #I:
  1. Receive an indication of malware
  2. Confirm indication
  3. Remove malware
  4. <eh? this is a waste of time!>

Now, choice #II:

  1. See an alert in your SIEM (brand A) that says <this>
  2. Look at the field called <that>
  3. Use this EDR tool (brand B) that can …
  4. <loses patience, realizes the futility of this and leaves>
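The two lists above are the same playbook at two levels of abstraction. As an added illustration (not code from the post or from any SOAR product), the following Python keeps the tool-agnostic steps of choice #I as data and binds each step to an environment-specific action of the choice #II kind; the "SIEM brand A" and "EDR brand B" functions, the alert fields and the confirmation rule are all hypothetical, and the alerts are constructed samples. The point it shows is that the abstract layer is portable while the binding layer is what every organization has to write, and that a missing binding is detectable before the playbook runs.

```python
"""Two-layer playbook: abstract steps (portable) bound to tool-specific actions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Layer I: the abstract playbook. Step names only, no knowledge of any tool.
MALWARE_PLAYBOOK = ["receive_indication", "confirm_indication", "remove_malware"]


@dataclass
class Alert:
    """Constructed sample alert; the field names are hypothetical."""
    host: str
    file_hash: str
    sightings: int  # how often the EDR saw this hash execute on the host


# Layer II: bindings for one environment. Each takes the alert and a running
# context dict and returns True if the step succeeded. The "siem_a_" and
# "edr_b_" names are hypothetical stand-ins for real product integrations.
def siem_a_receive(alert: Alert, ctx: dict) -> bool:
    ctx["ticket"] = f"INC-{alert.host}-{alert.file_hash[:8]}"
    return True


def edr_b_confirm(alert: Alert, ctx: dict) -> bool:
    # Hypothetical confirmation rule: the hash must have executed at least once.
    ctx["confirmed"] = alert.sightings > 0
    return ctx["confirmed"]


def edr_b_remove(alert: Alert, ctx: dict) -> bool:
    ctx["quarantined"] = [alert.file_hash]
    return True


ENV_BINDINGS: Dict[str, Callable[[Alert, dict], bool]] = {
    "receive_indication": siem_a_receive,
    "confirm_indication": edr_b_confirm,
    "remove_malware": edr_b_remove,
}


def unbound_steps(playbook: List[str], bindings: Dict[str, Callable]) -> List[str]:
    """Abstract steps that this environment has not yet bound to a tool action."""
    return [step for step in playbook if step not in bindings]


def run_playbook(playbook: List[str], bindings: Dict[str, Callable], alert: Alert) -> dict:
    """Run the steps in order; stop at the first failing step (e.g. unconfirmed)."""
    missing = unbound_steps(playbook, bindings)
    if missing:
        raise KeyError(f"playbook not bound for this environment: {missing}")
    ctx: dict = {"completed": []}
    for step in playbook:
        if not bindings[step](alert, ctx):
            ctx["stopped_at"] = step
            break
        ctx["completed"].append(step)
    return ctx
```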

I’ve utilized the above logic as an excuse to not try it. However, organizations that are only starting their security operations, detection and response journeys are asking for it more and more.

So:

  • Do you think this is worth doing?
  • Do you think this is actually doable?

Category: orchestration  security  soar  soc  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Canned Playbooks: Are They Realistic?


  1. Barak says:

    Do you think this is worth doing?

    Yes. It’s worth doing even if it’s just like your two examples, very high-level steps: “What are you expecting your SOC to execute once an alert was fired?”

    Do you think this is actually doable?
    High-Level Playbook – Yes, and if you are focusing on high-level steps (Manual steps) try to focus on problems/issues you are trying to solve (Notification, Escalation, Known flow, Documentation) AKA have a standard response process.

    When we talk about having a detailed Playbook it is getting more tricky (but still doable)… From my personal experience, to write a detailed Playbook you MUST be a domain expert & a product/s expert, so a “Generic Detailed Playbook” is not really feasible. A few bullets I would like to add:
    * Detailed response playbook cannot be agnostic to the tools and data it uses.
    ** Files, Search based on Certificate signer, signing/expiration date, file size, compiled data, created location, was/first executed, download from the web, file hash, file similarity hash, etc.
    ** Process: Process name, Initiating user, Command line, PPID, etc.
    ** User: Department, manager, role, physical location, permission, etc.
    ** Email: Sender, receiver, domain, keyword similarity, content similarity, attachment (Similarity, specific), etc.
    ** Etc.
    * Detailed Playbooks are only part of the “organization response playbook” and we should not mix them together: e.g. User education, Legal reparations, etc.
    * Detailed Playbook should be tailored to the organization’s needs: An easy example, if the organization does not allow running an unapproved application (from a known list), it should be taken into consideration

    I think it’s a bit unrealistic to get a Playbook to solve all of the “non-targeted / non-APT variety” attacks; we should be aware of the limitations of the playbook, and build a process around them.

    To achieve a detailed playbook that will provide organizations with the functionality of Investigation (Triage) and Response, I would encourage your clients to search for a solution that provides the detailed playbooks for Investigation (Triage) and Response as part of the product offering and not as an add-on to an existing offer, just because most of the add-ons I know are trying to support as many solutions as possible within a single playbook, and this by itself forces them to build a playbook based on the lowest common denominator.

    Just my two cents on the subject.


