WEBVTT

1
00:00:00.000 --> 00:00:01.320
<v Instructor>In this lesson,</v>

2
00:00:01.320 --> 00:00:04.350
we will learn about security orchestration,

3
00:00:04.350 --> 00:00:08.400
automation and response, or SOAR, platforms.

4
00:00:08.400 --> 00:00:12.930
SOAR platforms include a suite of tools and processes

5
00:00:12.930 --> 00:00:16.560
that streamline and automate security operations,

6
00:00:16.560 --> 00:00:20.700
enabling organizations to detect, respond to,

7
00:00:20.700 --> 00:00:23.550
and mitigate threats more efficiently.

8
00:00:23.550 --> 00:00:26.520
SOAR platform implementation concepts

9
00:00:26.520 --> 00:00:28.890
include playbooks and runbooks,

10
00:00:28.890 --> 00:00:31.980
where playbooks are predefined workflows

11
00:00:31.980 --> 00:00:35.340
typically outlined in incident response plans

12
00:00:35.340 --> 00:00:37.860
that detail the steps to be taken

13
00:00:37.860 --> 00:00:42.120
in response to specific types of security events.

14
00:00:42.120 --> 00:00:46.560
Runbooks execute playbook workflows step by step,

15
00:00:46.560 --> 00:00:51.150
incorporating automation to efficiently carry out tasks.

16
00:00:51.150 --> 00:00:54.660
Let's learn more about playbooks and runbooks.

17
00:00:54.660 --> 00:00:56.790
First, we have playbooks.

18
00:00:56.790 --> 00:01:01.680
Incident response playbooks outline specific actions to take

19
00:01:01.680 --> 00:01:05.550
in response to different types of security incidents.

20
00:01:05.550 --> 00:01:07.950
A playbook acts as a checklist,

21
00:01:07.950 --> 00:01:11.790
guiding teams through detection and response processes

22
00:01:11.790 --> 00:01:13.680
for each incident type.

23
00:01:13.680 --> 00:01:16.620
By preparing these playbooks in advance

24
00:01:16.620 --> 00:01:19.980
as part of incident response documentation,

25
00:01:19.980 --> 00:01:22.620
organizations ensure their teams

26
00:01:22.620 --> 00:01:27.240
have a clear documented approach ready for emergencies,

27
00:01:27.240 --> 00:01:31.380
streamlining their response efforts when incidents occur.

28
00:01:31.380 --> 00:01:35.250
Most organizations create incident response plans

29
00:01:35.250 --> 00:01:37.350
for major types of incidents.

30
00:01:37.350 --> 00:01:41.190
Then, when an analyst identifies something suspicious,

31
00:01:41.190 --> 00:01:43.800
they can categorize it as an incident

32
00:01:43.800 --> 00:01:46.380
and assign it to an incident handler.

33
00:01:46.380 --> 00:01:50.250
The incident handler then follows the appropriate playbook

34
00:01:50.250 --> 00:01:54.510
using standardized procedures to guide their response.

35
00:01:54.510 --> 00:01:57.120
For instance, incidents such as

36
00:01:57.120 --> 00:01:59.700
distributed denial of service attacks,

37
00:01:59.700 --> 00:02:03.690
malware infections, phishing, or data exfiltration

38
00:02:03.690 --> 00:02:06.360
may each have dedicated playbooks

39
00:02:06.360 --> 00:02:10.320
with detailed response steps to mitigate these threats.

40
00:02:10.320 --> 00:02:11.460
In this way,

41
00:02:11.460 --> 00:02:14.910
playbooks serve as incident operating procedures,

42
00:02:14.910 --> 00:02:17.940
providing analysts and incident handlers

43
00:02:17.940 --> 00:02:21.030
with clear instructions for each scenario.

44
00:02:21.030 --> 00:02:24.840
If your organization lacks incident response playbooks,

45
00:02:24.840 --> 00:02:27.390
pre-made examples are available.

46
00:02:27.390 --> 00:02:30.690
Created by the Incident Response Consortium,

47
00:02:30.690 --> 00:02:32.760
these playbooks offer templates

48
00:02:32.760 --> 00:02:35.820
you can tailor to meet specific needs.

49
00:02:35.820 --> 00:02:39.990
For example, the phishing playbook is a 10-page guide

50
00:02:39.990 --> 00:02:41.340
based on the NIST,

51
00:02:41.340 --> 00:02:44.790
or National Institute of Standards and Technology,

52
00:02:44.790 --> 00:02:47.010
incident response process,

53
00:02:47.010 --> 00:02:50.490
with detailed steps for automating responses,

54
00:02:50.490 --> 00:02:52.740
detecting and analyzing threats,

55
00:02:52.740 --> 00:02:57.270
and containing, eradicating, and recovering from attacks.

56
00:02:57.270 --> 00:03:01.650
This playbook includes flowcharts for each response phase,

57
00:03:01.650 --> 00:03:05.850
from preparation and detection to post-incident review.

58
00:03:05.850 --> 00:03:08.580
For instance, in the prepare phase,

59
00:03:08.580 --> 00:03:09.570
there is guidance

60
00:03:09.570 --> 00:03:13.830
on forming the core operations team, reviewing timelines,

61
00:03:13.830 --> 00:03:17.070
and conducting incident response interviews.

62
00:03:17.070 --> 00:03:18.720
In the detect phase,

63
00:03:18.720 --> 00:03:22.380
flowcharts outline ways to categorize incidents,

64
00:03:22.380 --> 00:03:24.600
while in the analyze phase,

65
00:03:24.600 --> 00:03:29.370
the playbook helps define risk factors for effective triage,

66
00:03:29.370 --> 00:03:33.780
so each phase is designed to provide actionable steps

67
00:03:33.780 --> 00:03:36.690
for handling phishing incidents efficiently.

68
00:03:36.690 --> 00:03:39.270
These playbooks are generic templates

69
00:03:39.270 --> 00:03:41.250
that serve as a foundation

70
00:03:41.250 --> 00:03:46.110
for creating customized guides within an organization.

71
00:03:46.110 --> 00:03:49.650
They provide analysts with the guidance they need

72
00:03:49.650 --> 00:03:51.450
to act efficiently,

73
00:03:51.450 --> 00:03:55.980
using flowcharts to clarify each response action.

74
00:03:55.980 --> 00:03:59.940
Additionally, Microsoft provides technical playbooks

75
00:03:59.940 --> 00:04:02.720
at learn.microsoft.com

76
00:04:02.720 --> 00:04:07.720
/en-us/security/operations/incident-response-playbooks.

77
00:04:13.500 --> 00:04:17.490
These include response actions for specific threats

78
00:04:17.490 --> 00:04:20.310
such as phishing, password attacks,

79
00:04:20.310 --> 00:04:22.950
or malicious applications.

80
00:04:22.950 --> 00:04:26.430
Next, for efficiency and consistency,

81
00:04:26.430 --> 00:04:31.080
response actions can be automated using tools like a SOAR,

82
00:04:31.080 --> 00:04:32.970
or security orchestration,

83
00:04:32.970 --> 00:04:35.730
automation and response platform.

84
00:04:35.730 --> 00:04:39.150
SOAR platforms streamline incident response

85
00:04:39.150 --> 00:04:43.050
by orchestrating playbooks and integrating data

86
00:04:43.050 --> 00:04:47.700
from security information and event, or SIEM, platforms.

87
00:04:47.700 --> 00:04:51.090
This aids analysts with actionable insights,

88
00:04:51.090 --> 00:04:53.820
allowing them to respond appropriately

89
00:04:53.820 --> 00:04:57.990
to indicators of compromise or indicators of attack.

90
00:04:57.990 --> 00:05:00.750
Additionally, modern SOAR platforms

91
00:05:00.750 --> 00:05:04.320
leverage machine learning and artificial intelligence

92
00:05:04.320 --> 00:05:08.730
to enhance decision-making and response accuracy.

93
00:05:08.730 --> 00:05:13.730
By analyzing patterns across vast amounts of security data,

94
00:05:13.980 --> 00:05:17.790
machine learning algorithms within SOAR platforms

95
00:05:17.790 --> 00:05:20.340
can identify emerging threats

96
00:05:20.340 --> 00:05:23.010
and learn from previous incidents,

97
00:05:23.010 --> 00:05:26.220
allowing the system to refine its responses

98
00:05:26.220 --> 00:05:28.890
independently over time.

99
00:05:28.890 --> 00:05:32.820
AI-driven insights also help SOAR systems

100
00:05:32.820 --> 00:05:35.790
dynamically adapt to new threats,

101
00:05:35.790 --> 00:05:39.660
improving their ability to detect, prioritize,

102
00:05:39.660 --> 00:05:42.780
and respond to incidents effectively.

103
00:05:42.780 --> 00:05:45.180
These intelligent capabilities

104
00:05:45.180 --> 00:05:48.090
reduce the need for manual intervention,

105
00:05:48.090 --> 00:05:52.020
enabling automated playbooks that respond faster

106
00:05:52.020 --> 00:05:54.870
and make context-aware decisions.

107
00:05:54.870 --> 00:05:59.010
By combining playbook automation, data enrichment,

108
00:05:59.010 --> 00:06:01.140
and AI-driven insights,

109
00:06:01.140 --> 00:06:04.440
SOAR systems empower security teams

110
00:06:04.440 --> 00:06:07.140
to respond swiftly and accurately

111
00:06:07.140 --> 00:06:10.260
even in complex threat landscapes.

112
00:06:10.260 --> 00:06:12.570
Second, we have runbooks.

113
00:06:12.570 --> 00:06:13.590
During an incident,

114
00:06:13.590 --> 00:06:17.460
a playbook may drive the provisioning of new resources,

115
00:06:17.460 --> 00:06:20.820
creating accounts, disabling old accounts,

116
00:06:20.820 --> 00:06:22.980
launching new virtual machines,

117
00:06:22.980 --> 00:06:26.280
or fully re-imaging a client device.

118
00:06:26.280 --> 00:06:29.160
For example, you might have a playbook

119
00:06:29.160 --> 00:06:31.440
for a successful phishing campaign

120
00:06:31.440 --> 00:06:33.900
that outlines a series of steps

121
00:06:33.900 --> 00:06:37.350
that are taken anytime someone clicks on a link

122
00:06:37.350 --> 00:06:39.030
in a phishing email.

123
00:06:39.030 --> 00:06:41.070
These steps could include

124
00:06:41.070 --> 00:06:44.010
deleting the email from the user's inbox,

125
00:06:44.010 --> 00:06:47.010
checking if other users received the email,

126
00:06:47.010 --> 00:06:50.040
isolating workstations that opened that email,

127
00:06:50.040 --> 00:06:52.890
running virus scans on those machines,

128
00:06:52.890 --> 00:06:56.760
performing a registry scan to confirm infection,

129
00:06:56.760 --> 00:06:58.680
backing up user data,

130
00:06:58.680 --> 00:07:01.050
then re-imaging the workstation

131
00:07:01.050 --> 00:07:03.390
and restoring the user's data,

132
00:07:03.390 --> 00:07:07.620
and finally reconnecting the workstation to the network.

133
00:07:07.620 --> 00:07:11.760
Doing all of that manually would be time-consuming

134
00:07:11.760 --> 00:07:14.040
while still being time-critical,

135
00:07:14.040 --> 00:07:16.950
making the process prone to errors.

136
00:07:16.950 --> 00:07:20.550
But by automating it with a SOAR platform,

137
00:07:20.550 --> 00:07:22.830
we can create a runbook,

138
00:07:22.830 --> 00:07:26.460
where a runbook is the automation of a playbook

139
00:07:26.460 --> 00:07:28.740
that can partially or fully handle

140
00:07:28.740 --> 00:07:30.750
the incident response process

141
00:07:30.750 --> 00:07:34.500
with periodic checkpoints for human intervention.

142
00:07:34.500 --> 00:07:37.170
In the previous phishing response example,

143
00:07:37.170 --> 00:07:41.310
a runbook could perform the first six steps automatically

144
00:07:41.310 --> 00:07:43.470
then pause to allow the analyst

145
00:07:43.470 --> 00:07:47.070
to confirm whether the workstation should be re-imaged

146
00:07:47.070 --> 00:07:48.600
in the seventh step.

147
00:07:48.600 --> 00:07:51.210
Once the analyst confirms the action,

148
00:07:51.210 --> 00:07:53.010
the runbook can resume,

149
00:07:53.010 --> 00:07:55.410
completing the remaining steps.

150
00:07:55.410 --> 00:07:58.680
Using runbooks increases efficiency

151
00:07:58.680 --> 00:08:02.820
and allows a single analyst to handle much more work

152
00:08:02.820 --> 00:08:07.020
than they could if they were managing everything manually.

153
00:08:07.020 --> 00:08:10.320
This level of automation frees analysts

154
00:08:10.320 --> 00:08:13.350
to focus on more complex tasks

155
00:08:13.350 --> 00:08:17.160
rather than spending time on routine processes

156
00:08:17.160 --> 00:08:18.900
that can be automated.

157
00:08:18.900 --> 00:08:22.380
So, what types of playbooks and runbooks

158
00:08:22.380 --> 00:08:24.840
should your organization implement?

159
00:08:24.840 --> 00:08:27.420
Well, most organizations encounter

160
00:08:27.420 --> 00:08:29.700
at least three common threats

161
00:08:29.700 --> 00:08:33.120
that can benefit from proceduralized responses

162
00:08:33.120 --> 00:08:35.490
in runbooks and playbooks.

163
00:08:35.490 --> 00:08:39.390
Those are ransomware, data exfiltration,

164
00:08:39.390 --> 00:08:41.850
and social engineering attacks.

165
00:08:41.850 --> 00:08:44.160
First, let's discuss ransomware.

166
00:08:44.160 --> 00:08:47.820
A ransomware playbook should outline the personnel,

167
00:08:47.820 --> 00:08:49.980
processes and tools

168
00:08:49.980 --> 00:08:53.070
to employ during a ransomware attack.

169
00:08:53.070 --> 00:08:54.750
It should include steps

170
00:08:54.750 --> 00:08:58.140
for determining which systems are impacted,

171
00:08:58.140 --> 00:09:00.870
understanding the method of infection,

172
00:09:00.870 --> 00:09:03.060
isolating affected systems,

173
00:09:03.060 --> 00:09:06.840
and identifying the stakeholders for different scenarios

174
00:09:06.840 --> 00:09:09.990
based on the data being held for ransom.

175
00:09:09.990 --> 00:09:13.020
A key priority in ransomware playbooks

176
00:09:13.020 --> 00:09:17.430
is to isolate and disconnect networks and systems quickly

177
00:09:17.430 --> 00:09:21.480
to prevent the spread of ransomware across the network.

178
00:09:21.480 --> 00:09:24.810
However, systems should remain powered on

179
00:09:24.810 --> 00:09:28.740
to retain encryption keys in random access memory,

180
00:09:28.740 --> 00:09:30.510
which forensic technicians

181
00:09:30.510 --> 00:09:33.600
may need to access during analysis.

182
00:09:33.600 --> 00:09:36.090
Second, data exfiltration.

183
00:09:36.090 --> 00:09:40.590
Data exfiltration playbooks guide the steps necessary

184
00:09:40.590 --> 00:09:44.820
to stop or mitigate a data exfiltration attack.

185
00:09:44.820 --> 00:09:48.930
These playbooks should include notification requirements,

186
00:09:48.930 --> 00:09:52.410
system analysis and forensic analysis

187
00:09:52.410 --> 00:09:56.430
to determine what data was accessed and exfiltrated.

188
00:09:56.430 --> 00:10:00.990
Forensic analysis often reveals which data was viewed

189
00:10:00.990 --> 00:10:03.810
or exfiltrated out of the network.

190
00:10:03.810 --> 00:10:07.680
Data exfiltration can occur through various methods

191
00:10:07.680 --> 00:10:11.250
such as SQL injection, password compromise,

192
00:10:11.250 --> 00:10:14.070
and lateral movement across the network

193
00:10:14.070 --> 00:10:18.630
to access and remove data in sensitive data stores.

194
00:10:18.630 --> 00:10:21.600
So data exfiltration playbooks

195
00:10:21.600 --> 00:10:24.870
should emphasize protecting key data stores

196
00:10:24.870 --> 00:10:26.370
and then identifying

197
00:10:26.370 --> 00:10:31.020
any other potential points of compromise within the network.

198
00:10:31.020 --> 00:10:33.690
Third is social engineering.

199
00:10:33.690 --> 00:10:37.350
Social engineering, typically in the form of phishing,

200
00:10:37.350 --> 00:10:39.930
requires a specific playbook.

201
00:10:39.930 --> 00:10:42.270
This playbook should outline steps

202
00:10:42.270 --> 00:10:44.910
for identifying phishing emails,

203
00:10:44.910 --> 00:10:48.870
determining which users interacted with those emails,

204
00:10:48.870 --> 00:10:52.200
and assessing the extent of the exploitation.

205
00:10:52.200 --> 00:10:57.150
This playbook may also recommend notifying the user base

206
00:10:57.150 --> 00:11:00.330
to be cautious of suspicious emails.

207
00:11:00.330 --> 00:11:03.000
The playbook should further include steps

208
00:11:03.000 --> 00:11:07.110
to identify all users who received, opened,

209
00:11:07.110 --> 00:11:09.000
or clicked on the email,

210
00:11:09.000 --> 00:11:13.410
then reset their passwords and re-image their workstations.

211
00:11:13.410 --> 00:11:16.530
Additionally, analysts should open the email

212
00:11:16.530 --> 00:11:18.480
in a sandboxed environment

213
00:11:18.480 --> 00:11:21.540
to perform dynamic analysis on it,

214
00:11:21.540 --> 00:11:25.350
identifying any IP addresses, URLs,

215
00:11:25.350 --> 00:11:27.690
or other indicators of compromise

216
00:11:27.690 --> 00:11:31.620
to detect similar threats in other locations of the network

217
00:11:31.620 --> 00:11:33.510
and for future events.

218
00:11:33.510 --> 00:11:37.110
So, remember, security orchestration,

219
00:11:37.110 --> 00:11:41.160
automation and response, or SOAR, platforms

220
00:11:41.160 --> 00:11:44.250
offer a range of tools and processes

221
00:11:44.250 --> 00:11:48.300
that help streamline and automate security operations,

222
00:11:48.300 --> 00:11:52.200
allowing organizations to detect, respond to,

223
00:11:52.200 --> 00:11:55.260
and mitigate threats more efficiently.

224
00:11:55.260 --> 00:11:58.050
Playbooks and runbooks are key elements

225
00:11:58.050 --> 00:12:00.540
in SOAR implementation.

226
00:12:00.540 --> 00:12:03.030
Playbooks are predefined workflows

227
00:12:03.030 --> 00:12:05.820
that outline step-by-step actions

228
00:12:05.820 --> 00:12:09.330
for responding to specific security incidents,

229
00:12:09.330 --> 00:12:13.440
forming a clear guide for incident response teams.

230
00:12:13.440 --> 00:12:16.170
Runbooks take this a step further

231
00:12:16.170 --> 00:12:18.510
by automating these workflows,

232
00:12:18.510 --> 00:12:21.030
usually with a SOAR platform,

233
00:12:21.030 --> 00:12:23.820
executing tasks automatically

234
00:12:23.820 --> 00:12:27.270
with periodic pauses for analyst input.

235
00:12:27.270 --> 00:12:30.720
This automation allows security teams

236
00:12:30.720 --> 00:12:33.660
to respond faster and more accurately,

237
00:12:33.660 --> 00:12:37.020
especially in complex threat landscapes,

238
00:12:37.020 --> 00:12:42.020
while freeing analysts to focus on higher-level tasks.

