Core SA&O Platform Capability: Playbook Management

This article is a part of a series describing the essential criteria of a Security Automation and Orchestration platform.

Introduction

Working from Standard Operating Procedures (SOPs) is an important way to mature your security operations. Building and maintaining the SOPs, however, requires a significant amount of up-front investment and collaboration. Since Security Automation and Orchestration (SA&O) platforms exist to drive efficiency and team productivity, maintaining your SOPs should benefit from the platform as well. Within an SA&O platform, SOPs take the form of playbooks, which enable automated and orchestrated workflows.

Ideally, the playbook management component of an SA&O platform should assist with the maintenance of SOPs (playbooks) that the platform and your operations team rely on. This core capability should minimally include: playbook organization, bulk editing of playbooks, and revision control and distribution.

Playbook Organization

The SA&O platform should enable the organizing and grouping of your playbooks. You should be able to define your grouping based on what works best for your organization. For example, you may choose to organize and group playbooks based on themes, sensitivity, organizational segment, or asset types.

Bulk Edits to Playbooks

While playbooks are like snowflakes, with no two being identical, there are usually portions of a playbook that are repeated across many of your playbooks. A playbook management system should allow for the bulk editing of playbooks for items like:

  • Ingestion Sources
  • Enabling/Disabling automatic execution
  • Enabling/Disabling safe mode operation
  • Enabling/Disabling enhanced logging
  • Setting playbook category grouping

Revision Control and Distribution

Integration with a Version Control System (VCS), such as Git, is a strong recommendation for successful playbook management at scale. At the deployment level, leveraging a VCS enables the systematic distribution of playbooks across multiple systems. This is useful for syncing playbooks between a development system and a production system, or syncing across multiple production systems spanning multiple sites. At the development level, a VCS is important for tracking revision changes and having the option to roll back changes if necessary. A secondary benefit is to enable a developer to edit playbooks in the editor of their choice and easily synchronize the modified playbooks back into the platform. Two caveats apply once playbooks live in a shared repository: the branch or tags that production systems pull from should be writable only by the people entitled to change what runs in production, and credentials for the tools a playbook drives belong in the platform's asset configuration, never in the playbook source itself, because anything committed to the repository will be copied to every system that syncs from it.
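As an added illustration of the development-to-production flow described above (an example shell script written for this page, not Phantom's own sync mechanism): a local bare Git repository stands in for the shared remote, one clone acts as the development system and another as the production system. The playbook file name, its contents, the tag names and the commit identity are all constructed for the example. Production only ever checks out tags that were explicitly promoted, and a bad change is undone with `git revert`, so the history of what was deployed stays intact rather than being rewritten.

```shell
#!/bin/sh
# Added example: tag-based promotion of playbooks between a development
# system and a production system, with rollback, using plain Git.
# "origin" stands in for the shared remote, "dev" for the development
# system's clone and "prod" for the production system's clone. The
# playbook file (block_ip.py) and its contents are constructed for the
# example and are not a real Phantom playbook.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORIGIN="$WORK/origin.git"
DEV="$WORK/dev"
PROD="$WORK/prod"
# Commit identity used for the example; a real deployment would use
# per-developer identities (ideally with signed tags).
GIT="git -c user.name=soc-dev -c user.email=dev@example.invalid"

setup_repos() {
    git init -q --bare "$ORIGIN"
    # Cloning an empty remote prints a warning; that is expected here.
    git clone -q "$ORIGIN" "$DEV" 2>/dev/null
    git clone -q "$ORIGIN" "$PROD" 2>/dev/null
}

# Commit a playbook change on the development system and push it.
# $1 = playbook path (relative to the repo), $2 = file content, $3 = message
dev_commit() {
    printf '%s\n' "$2" > "$DEV/$1"
    ( cd "$DEV" && git add "$1" && $GIT commit -q -m "$3" && git push -q origin HEAD )
}

# Mark the current development state as a release with an annotated tag.
# $1 = tag name
promote() {
    ( cd "$DEV" && $GIT tag -a "$1" -m "promote $1" && git push -q origin "$1" )
}

# The production system fetches and checks out only a promoted tag, never
# the tip of a branch, so an unreviewed commit cannot reach it by accident.
# $1 = tag name
prod_deploy() {
    ( cd "$PROD" && git fetch -q origin "refs/tags/$1:refs/tags/$1" && git checkout -q "$1" )
}

# Content of a playbook as currently deployed on the production system.
# $1 = playbook path
deployed() {
    cat "$PROD/$1"
}

# Tag currently checked out on the production system.
prod_version() {
    git -C "$PROD" describe --tags --exact-match
}

# Undo the most recent development commit with a revert: the bad change and
# its reversal both remain in history, which is what an audit trail needs.
rollback_last() {
    ( cd "$DEV" && $GIT revert --no-edit HEAD >/dev/null && git push -q origin HEAD )
}

run_demo() {
    setup_repos
    dev_commit block_ip.py 'safe_mode = True   # v1: run in safe mode' "Add block_ip playbook"
    promote v1
    prod_deploy v1
    # A change that turns off safe mode is promoted, then found to be wrong.
    dev_commit block_ip.py 'safe_mode = False  # v2: live blocking' "Enable live blocking"
    promote v2
    prod_deploy v2
    # Roll back by reverting, promote the revert as its own release and deploy it.
    rollback_last
    promote v2.1
    prod_deploy v2.1
}

run_demo
echo "production is on $(prod_version): $(deployed block_ip.py)"
```

Run it with any POSIX shell and Git installed; it works entirely in a temporary directory that it removes on exit. On a real deployment the same structure applies with the platform's playbook repository: development pushes to a branch, a reviewer promotes by tagging, and production systems sync from tags only.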

Conclusion

Whether you have an established set of SOPs or if you are looking to mature your operations, it is easy to understand how a playbook management component within an SA&O platform helps your team stay organized and drive efficiency. The 2.1 release of the Phantom Platform includes all of the playbook management criteria mentioned in this blog post. Give the Phantom Platform a test drive today and see how the platform’s playbook management functionality is one way it helps you work smarter.

Other articles in this series can be found here. You can also download the entire Phantom Buyer’s Guide here.

If you’re interested, you can join the Phantom Community to access the free Community Edition.

Chris Simmons
Director, Product Marketing
Phantom