5 security automation playbooks that pack a powerful punch

Oct 18, 2017 | 4 mins
Artificial Intelligence | Data and Information Security | Machine Learning

Can these five simple "utility playbooks" for security automation provide as much value as their larger, more complex counterparts?


I was in Washington DC a few weeks ago for a Security Automation & Orchestration User Conference. (Disclosure: It was Phantom’s conference, and I am an employee.)

More than 100 guests attended the event, sharing automation playbooks, apps to connect security products to Security Automation & Orchestration platforms, and advice based on their experience as users. They shared interesting use cases with sophisticated automations involving decision-making logic, human prompts, and playbooks that executed actions to investigate events and even remediate them. It’s always inspiring to see how users are testing the limits of a new technology and using it in ways that you may not have considered yourself.

While Security Automation & Orchestration platforms are certainly equipped to handle complex use cases, those are not the only way to automate. Simple tasks often thought of as daily annoyances are also perfect for automation; "utility playbooks," as one user coined them. These small playbooks pack a powerful punch.

The user conference offered a great opportunity to explore utility playbooks concepts, so we ran an informal survey with the group. I thought it would be interesting to share a few examples.

1. Event triage

Event triage was the most popular concept discussed. Manually triaging events (e.g. quickly checking the disposition of a file, or an IP address and hostname) is a simple yet time-consuming process, and automation can help reduce the time spent gathering this data. Users think this example is useful, and it is also one that around three quarters of them have put into practice.

2. Creating and updating work tickets

Another popular candidate for utility playbooks is creating and updating work tickets. Some claim the interfaces of many case management tools aren't very "user friendly," and the cutting and pasting of information between screens reduces their efficiency. Using automation to manage ticket tracking enables cases to be updated more frequently and easily, ultimately resulting in better auditability and metrics to share with the security team and executives. This example also scored well in usefulness, though only about two-thirds of the users claimed to be doing it.

3. Threat Intelligence recursive investigations

This was a third concept discussed. Analysts often spend valuable time reviewing historical data to determine if they have been affected by a published IOC (Indicator of Compromise), with the task typically resulting in no findings. It was still considered useful by the group, though less than half of them claimed to actually be doing it.
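To make concepts 1 and 3 concrete, here is a small utility playbook written for this page in plain Python. It is an added illustration, not Phantom's playbook code or anything from the conference. It triages one event by checking its file hash, IP and hostname against a local IOC set, and it sweeps a batch of historical log lines for a published IOC, pivoting on the hashes and public IPs found on the hit lines so that one indicator leads to the next (the "recursive" part). The IOC values, hostnames and log lines are constructed for the example; the hash is an arbitrary hex string, and the IP addresses come from documentation ranges.

```python
"""Utility playbook: event triage and recursive IOC sweep over history.
Added example for this article; not Phantom's code.  All indicators and
log lines are constructed sample data."""
import ipaddress
import re

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Explicit internal ranges rather than ipaddress's is_private, which also
# flags the 203.0.113.0/24 documentation range used as sample data below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Kinds we pivot on.  Domains are deliberately excluded: every internal
# hostname on a hit line would otherwise become a new "indicator".
PIVOT_KINDS = ("sha256", "ipv4")

# Constructed sample data (hash is arbitrary, not a real malware sample).
HASH = "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2
SEED_IOCS = {"domain": {"malicious.example"}}          # the "published IOC"
HISTORY = [
    "2017-10-02T08:14:07Z host=ws-042 proxy dst=203.0.113.45 url=http://malicious.example/update.bin",
    f"2017-10-02T08:14:09Z host=ws-042 edr action=write file=update.bin sha256={HASH} downloaded_from=203.0.113.45",
    f"2017-10-03T11:02:51Z host=ws-017 edr action=exec file=setup.exe sha256={HASH}",
    "2017-10-03T11:03:10Z host=ws-017 proxy dst=198.51.100.7 url=http://c2.example/beacon",
    "2017-10-04T09:00:00Z host=ws-099 proxy dst=10.0.0.5 url=http://intranet.corp.example/",
]


def extract_indicators(text):
    """Pull candidate hashes, public IPv4 addresses and hostnames out of text."""
    found = {
        "sha256": {h.lower() for h in SHA256_RE.findall(text)},
        "ipv4": set(),
        "domain": {d.lower() for d in DOMAIN_RE.findall(text)},
    }
    for cand in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(cand)
        except ValueError:          # e.g. 999.1.2.3 slipped past the loose regex
            continue
        # Internal addresses are never sent to an external reputation service
        # and must not be used as pivots, or the sweep floods the whole LAN.
        if not any(addr in net for net in INTERNAL_NETS):
            found["ipv4"].add(cand)
    return found


def triage_event(event, iocs):
    """Concept 1: check one event's hash/IP/hostname against the IOC set and
    say whether an analyst needs to look at it at all."""
    observed = extract_indicators(" ".join(str(v) for v in event.values()))
    matched = {k: v & iocs.get(k, set()) for k, v in observed.items()}
    matched = {k: v for k, v in matched.items() if v}
    return {
        "verdict": "ioc_match" if matched else "no_findings",
        "matched": matched,
        # hashes and public IPs still worth an external reputation lookup
        "lookup_candidates": {k: observed[k] for k in PIVOT_KINDS if observed[k]},
    }


def sweep(log_lines, iocs):
    """Return {line_number: {(kind, value), ...}} for lines carrying an IOC."""
    hits = {}
    for lineno, line in enumerate(log_lines, 1):
        found = extract_indicators(line)
        matches = {(k, v) for k in found for v in found[k] & iocs.get(k, set())}
        if matches:
            hits[lineno] = matches
    return hits


def recursive_sweep(log_lines, seed_iocs, max_rounds=5):
    """Concept 3: sweep history for the seed IOCs, then pivot.  Hashes and
    public IPs seen on newly hit lines become IOCs for the next round,
    until a round turns up nothing new.  Returns (hits, expanded IOC set)."""
    iocs = {k: set(v) for k, v in seed_iocs.items()}
    all_hits = {}
    for _ in range(max_rounds):
        hits = sweep(log_lines, iocs)
        new_lines = [n for n in hits if n not in all_hits]
        all_hits.update(hits)       # IOC set only grows, so later sets are supersets
        derived = {k: set() for k in PIVOT_KINDS}
        for n in new_lines:
            found = extract_indicators(log_lines[n - 1])
            for k in PIVOT_KINDS:
                derived[k] |= found[k] - iocs.get(k, set())
        if not any(derived.values()):
            break                   # the usual outcome: nothing new, analyst not needed
        for k in PIVOT_KINDS:
            iocs.setdefault(k, set()).update(derived[k])
    return all_hits, iocs


if __name__ == "__main__":
    hits, expanded = recursive_sweep(HISTORY, SEED_IOCS)
    for n in sorted(hits):
        print(f"line {n}: {sorted(hits[n])}")
    print(triage_event({"sha256": HASH, "ip": "10.0.0.5",
                        "hostname": "ws-017.corp.example"}, expanded))
```

Run against the sample history, the single published domain leads to the download IP on line 1, the IP leads to the file hash on line 2, and the hash leads to the second host on line 3; the unrelated lines 4 and 5 stay untouched, and the 10.0.0.5 address is never treated as an indicator. The empty-result path is the important one for the article's point: when the sweep finds nothing, no analyst time is spent, which is the case the survey respondents described as typical.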

4. Checking antivirus alerts and validating false positives

The fourth utility playbook concept discussed involves checking antivirus alerts and validating false positives. Analysts think this is boring, repetitive work, but understand that it is necessary to ensure other malware components haven’t been installed. The task often results in negative findings or scanning a system with additional tools. This example ranked in the “middle of the pack” in terms of usefulness with about one third of the users practicing it.

5. Vulnerability reporting and alerting

Of the five concepts presented, this one finished at the bottom of the list in terms of usefulness, though it did score slightly higher than checking antivirus alerts and validating false positives when gauging who is actually doing it. Reviewing vulnerability reports (e.g. the history of the system in question) and identifying the system or business owner is a tiring task. Automating it reduces repetitive work and allows the security team to focus on more pressing issues.

The use cases that can be addressed with Security Automation & Orchestration are nearly limitless, and users are reporting improvements in efficiency and consistency. Though many of the early use cases are focused on incident response, an extensible Security Automation & Orchestration platform can easily support other domains including vulnerability management, user management, penetration testing, intelligence sharing, and more.

While many processes we seek to automate are complex and require sophisticated playbooks, simple utility playbooks like the examples above can also make meaningful impact and drive greater SOC efficiency.

I always learn something interesting when tapping the collective insight of a group of practitioners. Our survey was informal. If you’re interested in a more formal research project, check out this survey by the Security Advisor Alliance and Optiv.

They are polling CISOs and Information Security leaders on the topic of Security Automation & Orchestration and plan to share the results when finished. The survey should take less than five minutes and is anonymous.


CP Morey is Vice President, Marketing & Products at Phantom, the leader in security automation and orchestration. He has a track record building teams and launching new products in fast growth markets. Prior to Phantom, CP was Senior Director of Product Marketing for Cisco’s industry leading security portfolio – a role he assumed after the $2.7 billion acquisition of Sourcefire. While at Cisco, he successfully restructured the team and doubled its size to support the fastest growing business in the company.

Before joining Cisco, CP was Vice President of Product Marketing at Sourcefire where he helped with its transformation into a multiproduct company with the launch of FireAMP, a product with exponential revenue growth since its release in 2012, that now thrives as Cisco’s Advanced Malware Protection (AMP) business.

A veteran of the security industry since 2001, CP has also held leadership positions in product marketing and product management at ISS and PentaSafe while helping to scale the companies for successful acquisitions by IBM and NetIQ, respectively.

The opinions expressed in this blog are those of CP Morey and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.