GUEST ESSAY: A call for rethinking incidence response playbooks

By Liz Maida

We see it week after week. Insidious cyber threats that spread throughout enterprises like wildfire and proliferate around the globe, interfering with crucial work and holding data hostage. These attacks make the news cycle for a few days, security teams wring their hands over it, and then forget all about it – until the next attack. Lather, rinse, repeat.

When will the security community get smarter about our approach to identifying and thwarting cyber threats, instead of just responding to the one at hand?

Related video: Tempered Networks introduces identity-based networks

The known threat of today — whether it’s malware, social engineering or phishing — inevitably morphs into the zero-day threat of tomorrow. Which means that all the tactical work security teams did to identify and thwart today’s threat must adapt to be useful for the next time. But how can enterprises evolve at the same pace as cybercriminals when they’re relying on static, standard practices such as incident response playbooks?

Reactive limitations

It’s time to face an ugly truth about playbooks: Their reactive nature is leaving organizations vulnerable. And in some cases, they’re holding back security teams from developing more important critical thinking skills. In fact, hackers know all about playbooks and many times use them as a distraction to keep a security team busy while the real attack is going on undetected.

To illustrate my point, let’s look at the recent WannaCry ransomware attack. It had enough power to shut down critical systems like the UK’s National Health Service and a large telecom in Spain. At the time of the WannaCry outbreak, there were no incident response playbooks specific to the technical characteristic of the attack to guide security teams.

That’s because, while the hackers used a known vulnerability in Microsoft operating systems, the threat itself was unknown until it was too late. That’s the biggest flaw with playbooks – they can only offer guidance for known threats.

Evolving attacks

Ultimately, a security analyst created a “kill switch” after reverse-engineering samples of the WannaCry malware code. Would he have been able to come up with this solution if he had been tied up with checklists from a playbook? Probably not.

Maida

Knowing this, has anything changed in our approach to stopping these threats? Sadly, no. Instead, security vendors have issued “WannaCry playbooks” that come with a list of tasks for a security team to follow for the next attack. But how useful will these playbooks be? Even the cybersecurity researcher who stopped the attack warned that the threat wasn’t over. Just like with every other threat, hackers will evolve the code into something even more damaging.

Enterprises must come to grips with the fact that relying on traditional, static playbooks for incident response is not sustainable. While your business may survive an individual attack today, the failure to keep pace with the threats of tomorrow will ultimately put you at risk.

The next generation of response must ditch the static playbook as we know it. Incident response requires a deeper understanding of the data involved in each attack, instead of a set list of tasks that may be outdated by the time the next attack hits. And automating or orchestrating the playbook isn’t enough – orchestration still requires security teams to do most of the heavy lifting and as a result, get bogged down in tactics. More process isn’t the answer.

Harnessing machine learning

With the development of artificial intelligence (AI) and machine learning, technology has the power to be more predictive, and do more of the work. Additionally, as more and evolving data is needed to inform incident response, advanced analytics provide the opportunity to better harness this data and adapt more effectively to threats. Instead of continuing to tread water by automating workflows or updating processes after an attack, smart organizations will ditch playbooks and turn to data science for a more proactive, sophisticated approach.

About the essayist: Liz Maida is the founder, CEO and CTO of Uplevel Security, provider of the industry’s first adaptive system of intelligence that uses graph theory and machine learning to modernize security operations. Formerly an executive at Akamai Technologies, Maida holds a Bachelor of Science in Engineering degree from Princeton University and dual Masters degrees in Computer Science and Engineering Systems from the Massachusetts Institute of Technology. Her graduate school research examined the application of graph theory to network interconnection.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone