What tools do you use for creating Playbooks / Runbooks?

(X-post from /r/SecurityBlueTeam)

For all the Analysts/Responders/SOC managers/Engineers: what tools do you use to create and manage Playbooks and/or Runbooks?

For the sake of discussion, I am talking about low-level procedural documentation or workflows that show step-by-step how an analyst should handle a security incident. The terminology seems to vary between vendors and organisations, but essentially what I am referring to is something that looks like either a flow chart or an ordered list of instructions. For reference, here is an example:

IncidentResponse.com Malware Playbook

In both my current and previous role, we have used either Visio or Gliffy (Confluence plug-in) to create flowcharts and saved these wiki-style in Confluence or SharePoint.

My dream feature set would be a tool that allows for fast and easy editing, hyperlinks to URLs, integration with SOAR and Case/Ticket Management. Ideally it would be modular in the sense that it would allow you to link to decision trees / steps in another Playbook. For example, the playbook for responding to a phishing email might have a lot of overlap with a playbook for a user that browsed to a malicious link. I would like to be able to create one subset of rules for checking threat intel and reputation, see who visited the URL, and block if malicious. This might go in a tree called “URL Investigation” that could be referenced by both master playbooks and only updated in one place.

My research has basically left me with two general options:

1) A SOAR/Case mgmt solution like Phantom, Swimlane, Demisto, etc.

2) “Paper-based” like Visio/Gliffy/Omnigraffle-style flowcharts as we are using today.

Is anyone using a different approach? If you are using option 1, what tool do you use and how effective is it? If option 2, have you found a particular tool or setup that works best?

My issue with option 1 is that most of these solutions seem designed around automation, but aren’t generally as good for the non-technical steps like communications, decision-making, Intel gathering, vendor or professional services contact, etc. With cost as a consideration, these tools seem like a bit of overkill when we are still probably 12 months away from implementing any serious automation.

For context, we are a small SOC at a medium company with a high turnover and a healthy security budget. We use Splunk, ELK, TheHive, O365, and ServiceNow for our helpdesk. I’m looking for a way to reorganise our playbooks to make life easier for our lower-level analysts and to keep our processes as consistent as incident response can be. Really curious to know what works for others.

Touch here for the full post on Network Security Noblemen tumblr
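The modular layout the post asks for (one "URL Investigation" tree referenced by both the phishing and the malicious-link playbooks and maintained in one place) can be sketched as playbooks-as-data with include references. This is an added example, not part of the original post or of any tool it names; the playbook names, the `include` key and the step wording are assumptions made for illustration.

```python
# Added example: playbooks stored as data, shared sub-playbooks pulled in by reference.
# All playbook names and step texts below are constructed for illustration.
PLAYBOOKS = {
    "url-investigation": [
        "Check the URL against threat intel and reputation sources",
        "Identify which users visited the URL",
        "Block the URL if it is malicious",
    ],
    "phishing-email": [
        "Collect the reported email and headers",
        {"include": "url-investigation"},
        "Notify affected users",
    ],
    "malicious-link-visit": [
        "Confirm the proxy/DNS alert",
        {"include": "url-investigation"},
        "Open a case for the affected host",
    ],
}


class PlaybookError(ValueError):
    """Raised for a missing playbook or a circular include."""


def expand(name, playbooks=PLAYBOOKS, _stack=()):
    """Return a flat list of (source_playbook, step) with includes resolved."""
    if name not in playbooks:
        raise PlaybookError(f"unknown playbook: {name}")
    if name in _stack:
        chain = " -> ".join(_stack + (name,))
        raise PlaybookError(f"circular include: {chain}")
    steps = []
    for item in playbooks[name]:
        if isinstance(item, dict) and "include" in item:
            # Recurse into the shared tree; it is edited in one place only.
            steps.extend(expand(item["include"], playbooks, _stack + (name,)))
        else:
            steps.append((name, item))
    return steps


def render(name, playbooks=PLAYBOOKS):
    """Numbered analyst checklist; shared steps are tagged with their source."""
    lines = []
    for i, (src, step) in enumerate(expand(name, playbooks), 1):
        tag = "" if src == name else f" [{src}]"
        lines.append(f"{i}. {step}{tag}")
    return "\n".join(lines)
```

Editing the `url-investigation` entry changes both master playbooks on the next render, and a playbook that includes itself through any chain is rejected instead of looping.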
