The value of cybersecurity playbooks

Have you ever taken a trip to  a place you've never visited before? 
 You may have used a travel itinerary  to plan your trip activities. 
 Travel itineraries are essential documents to have,  especially for travel to a new place. 
 They help keep you organized and give  you a clear picture of your travel plans. 
 They detail the activities you'll do,  the places you'll visit,  and your travel time between destinations. 
 
 
 
 
 
 
 
 
 
 Playbooks are similar to travel itineraries. 
 As you may remember from our previous discussions,  a playbook is a manual that provides  details about any operational action. 
 They provide security analysts with instructions  on exactly what to do when an incident occurs. 
 
 
 
 
 
 
 
 
 
 Playbooks provide security professionals  with a clear picture of  their tasks during  the entire incident response life cycle. 
 Responding to an incident can be  unpredictable and chaotic at times. 
 Security teams are expected to  act quickly and effectively. 
 Playbooks offer structure and  order during this time by clearly  outlining the actions to take  when responding to a specific incident. 
 By following a playbook,  security teams can reduce any guesswork  and uncertainty during response times. 
 This allows security teams to act  quickly and without any hesitation. 
 Without playbooks, an effective and swift response  to an incident is nearly impossible. 
 
 
 
 
 
 
 
 
 
 Within playbooks, there may be checklists  that can also help security teams perform  effectively during stressful times by helping them  remember to complete each step in  the incident response life cycle. 
 
 
 
 
 
 
 
 
 
 Playbooks outline the steps that are necessary  in response to an attack like ransomware,  data breach, malware, or DDoS. 
 Here's an example of a playbook that  uses a flowchart diagram  with the steps to take during  the detection of a DDoS attack. 
 This depicts the process for detecting a DDoS  and begins with determining the indicators of compromise, 
 like unknown incoming traffic.  Once the indicators of compromise are determined,  the next step is to collect  the logs and finally analyze the evidence. 
 
 
 
 
 
 
 
 
 
 There are three different types of playbooks: 
 non-automated, automated, or semi-automated. 
 The DDoS playbook we just explored is  an example of a non-automated playbook, 
 which requires step-by-step actions  performed by an analyst. 
 
 
 
 
 
 
 
 
 
 Automated playbooks automate tasks  in incident response processes. For example,  tasks such as categorizing the severity of 
 the incident or gathering evidence  can be done using an automated playbook. 
 Automated playbooks can help lower  the time to resolution during an incident. 
 SOAR and SIEM tools can be  configured to automate playbooks. 
 
 
 
 
 
 
 
 
 
 Finally, semi-automated playbooks  combine a person's action with automation. 
 Tedious, error-prone, or  time-consuming tasks can be automated,  while analysts can prioritize 
 their time with other tasks. 
 Semi-automated playbooks can help  increase productivity and decrease time to resolution. 
 
 
 
 
 
 
 
 
 
 As a security team responds to incidents,  they may discover that a playbook  needs updates or changes. 
 Threats are constantly evolving  and for playbooks to be effective,  they must be maintained and updated regularly. 
 
 
 
 
 
 
 
 A great time to introduce changes to playbooks  is during the post-incident activity phase. 
 We'll be exploring more about this phase in  an upcoming section. Meet you there.