One of the new ideas we had for a 2019 research paper is something clients often (well, often-ish) ask about: what to do if you encounter a particular threat or type of incident? A sort of playbook for confirmation, investigation and response to a particular threat type.
Naturally, most threats in real life would be relatively mundane and – here I will make a faux pas and call “a threat actor” a threat – not of the “OMG I MET A GOTHIC PANDA IN A DARK ALLEY” variety. You know, of the non-targeted / non-APT variety. So the list of situations is finite and easily enumerable.
Now, admittedly SOAR vendors are doing this, with a modicum of success. But even their playbooks suffer from the problem below, and few if any are truly usable without changes.
I. Such a project is realistic [but useless] at a high level of abstraction.
II. Such a project is likely unrealistic at a low level of abstraction, since most people use different tools.
Now, choice #I:
- Receive an indication of malware
- Confirm indication
- Remove malware.
- <eh? this is a waste of time!>
Now, choice #II:
- See an alert in your SIEM (brand A) that says <this>
- Look at the field called <that>
- Use this EDR tool (brand B) that can …
- <loses patience, realizes the futility of this and leaves>
I’ve utilized the above logic as an excuse to not try it. However, organizations that are only starting their security operations, detection and response journeys are asking for it more and more.
- Do you think this is worth doing?
- Do you think this is actually doable?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.