2020-07-27T06:31:00Z

What is an incident response playbook and how is it used in SOAR?


Can you explain what an incident response playbook is and the role it plays in SOAR? How do you build an incident response playbook? Do SOAR solutions come with a pre-defined playbook as a starting point?

Guest
11 Answer

author avatar
Top 5LeaderboardReal User

Hi,


what an incident response playbook? 


Incident Response Playbook is the guide lines and group of processes, policies, plans, and procedures, along with appropriate oversight of response activities, that  the organization should take to make a proactive response, quick containment, effective remediation and action plan with "what if" scenario in case of certain cyber incident has taken place.




How do you build an incident response playbook?


Regarding to NIST, to build an Incident Response Playbook you need to design the process which contains 4 main phases:


1- Prepare.


2- Detect and Analyze.


3- Contain, Eradicate and Recover.


4- Post-Incident Handling.


*reference, NIST Computer Security Incident Handling Guide:


https://nvlpubs.nist.gov/nistp...


*reference, SANS Incident Handler's Handbook:


https://www.sans.org/reading-r...





Do SOAR solutions come with a pre-defined playbook as a starting point?


- Sure, most of SOAR solutions today comes with predefined templates. However, it's a double-bladed weapon based on Cyber Security Awareness and maturity level of the organization. If it's implemented with no or low maturity level, it may harm the organization production and utilize the resources improperly.



 

2021-03-15T10:04:30Z
Find out what your peers are saying about Critical Start, Splunk, Palo Alto Networks and others in Security Orchestration Automation and Response (SOAR). Updated: May 2021.
502,275 professionals have used our research since 2012.