Introducing Cisco XDR Playbooks: Finding the balance in automating and guiding incident response
Security Operations is the beating heart of any organization, a united team vigilantly standing guard against cyber threats. To outsmart their adversaries, they must delve deep into the intricate world of technology and human behavior. As they navigate these complex landscapes, they must also transition from relying on tribal knowledge and ad-hoc maneuvers to a mature, high-performing operation. The key? Embracing consistency and cultivating effective procedures.
With this in mind, enter the world of Cisco XDR. At its inception, it introduced a static default playbook with 19 tasks. However, let’s face it, “I want to do all the tasks” is a phrase no analyst has ever uttered with enthusiasm. That’s why we automated tasks, putting complex integrations in the background and bringing security operation tasks to the forefront, all with the power of automation.
Now, we’re excited to introduce you to the next level: Cisco XDR Playbooks. They’re not just task builders, they’re a blend of procedure documentation and automation. Let’s dive into the details of these exciting, innovative Playbooks.
What are Playbooks in Cisco XDR?
In Cisco XDR, “Playbooks” are the strategic guides for robust incident response, designed to streamline the identify, contain, and eradicate processes for cyber threats. They also pave the way for a swift recovery, restoring systems to full functionality post-attack. These Playbooks are structured as a series of “Phases,” each housing a set of “Tasks” that provide clear direction for security analysts and incident responders. These phases are thoughtfully aligned with the SANS Institute’s PICERL methodology, ensuring a comprehensive response strategy. Additionally, to enhance efficiency, each task within a Playbook can be coupled with an Automation Workflow. The combination of Playbooks and workflows , but also accelerates the response by automating various steps in the process allowing for autonomous security operations to start with Artificial Intelligence or expedited task execution with greater consistency and effectiveness.
New Workflow template: Incident Response
When you create a new Automation Workflow in Cisco XDR, you can now choose a specific type or “Intent”. As part of the new Playbook feature, we have launched a new Intent called “Incident Response” workflow. These Workflows can be used for Playbook Tasks and Incident Automation Rules. They reference the Incident properties in the same manner, which may seem like a boring feature until you realize this makes them reusable, shareable, and efficient.
The Playbook Editor
When you open the Editor for the first time, only the Cisco Managed Incident Playbook is displayed and is designated as the “Default” Playbook. This default Playbook is assigned to all new Incidents until a new default playbook is designated, or “Assignment Rules” are created that assign a different playbook to new Incidents (more on that later). This playbook is also marked as “Read-only”, which means you cannot modify or delete it, as this is a playbook that is Cisco Managed. However, you can duplicate it to use as a template to create altered versions of this playbook. Obviously, you can also create a brand-new playbook from scratch.
To summarize: with the Playbook Editor, you can view the playbook details, create a new playbook, edit a playbook, duplicate a playbook and customize it, specify which playbook is used by default, and delete a playbook (except, of course, for the Cisco Managed Incident Playbook which cannot be deleted).
The Playbook Assignment Rules
Now let’s dive into the previously mentioned “Assignment Rules”: this feature allows you to create special rules to assign playbooks to new Incidents. When an Incident is created that matches the conditions of an assignment rule associated to a playbook, that playbook is displayed on the Response page in Incidents. For example, if an Incident contains certain MITRE tactics, and a rule contains these as conditions, the associated playbook would be assigned to that Incident. You could, for example, have a Ransomware Recovery Playbook, and an Assignment Rule that uses MITRE Technique T1486 (Data Encrypted for Impact) and Tactic TA112 (Impact) as conditions to assign that Playbook to those Incidents.
If the Incident does not match any rules assigned to playbooks, the default playbook is assigned to the Incident. Once a playbook is assigned to an Incident, the assignment Incident cannot be changed, even if the playbook is edited. A copy of the playbook as it was when assigned to the Incident is stored for auditing purposes. The assignment rules work in a top-down priority order, and they stop processing on the first match.
In this blog post, we have discussed the evolution and significance of Cisco XDR in standardizing the incident response process, enhancing effectiveness, and for consistent incident response. Cisco XDR’s new Playbooks are customizable, strategic guides for robust Incident response, designed to increase the maturity of any security operations team.
It is important to note that this is just the start of our Playbook journey. There is much more in development right now, which we will cover in subsequent blog posts. How will Cisco AI Assistant for Security use these Playbooks? Stay tuned… We aren’t just your dad’s networking company, we are Cisco – building the bridge to innovation.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
Share: