P. 31
Cyber Security
game and is briefed on their role in keeping the organisation secure.

How do you create a security playbook?
A security playbook is typically built upon or informed by existing documentation. These can include:

• Security policies, such as acceptable employee use and device policies;

• Security lifecycles, such as data, application or identity lifecycles;

• Response plans, such as incident response and business continuity plans; and

• We review a lot of the documentation that should inform your security playbook in our remote-first security playbook.

What goes into a security playbook?
The security playbook should be a distillation of the policies and processes that exist within your security documentation. There is no specific format that this must take. You can even break different portions of your documentation into separate playbooks - for example, creating an incident response playbook that consists of multiple “smaller” playbooks, like a ransomware response playbook that is used in parallel with a disaster recovery playbook. The most important thing, however, is that your playbook (or playbooks) be digestible and widely available within your organisation so that people can access it when they need to. Additionally, it is essential to set aside time for the key players named in any playbook to review it through training or tabletop exercises.

How does a playbook differ from a runbook?
Increasingly, the concept of running what is known as a “runbook” alongside playbooks has taken off. However, adding this terminology has resulted in confusion, with many people using the terms interchangeably. There are subtle differences between the purpose of playbooks and runbooks. The main difference is that playbooks leverage your existing policies and processes (as implemented within your organisation) to detail what must happen to maintain normal operations. This is often in response to disruptions, but your playbooks can also describe the actions necessary to maintain normal operations under ordinary circumstances. The goal of a playbook is to ensure that every function within your organisation is on the “same page” about its roles and responsibilities.

Runbooks, alternatively, provide a more tactical “how-to” view on how to execute a specific task carried out by an IT or security practitioner. This could, for example, be how to conduct a log review or how to ensure data within a designated data store is appropriately encrypted. Runbooks might detail how a specific task within a playbook is carried out, or can exist independently of any playbook to provide IT and security with details on how to do their jobs. As security automation tools have become more powerful, runbooks have become increasingly important. Through tools like a SOAR (Security Orchestration, Automation and Response) platform, you can run tasks from multiple runbooks in parallel without expending an unreasonable amount of time from dozens of employees. Ultimately, both playbooks and runbooks are critical parts of your security program.
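To make the playbook/runbook split and the SOAR-style parallel execution above concrete, the following Python sketch is an added example written for this page; it is not code from the original article or from Nightfall AI. It models a playbook as a map of roles to runbooks and runs two runbooks concurrently: a log review that flags users with repeated failed logins, and a check that designated data stores are encrypted at rest. The log lines, the data-store inventory, the role names and the threshold of three failures are all constructed assumptions.

```python
"""Added example: a toy SOAR-style orchestrator that runs a playbook's runbooks in parallel.

Everything here (log lines, data-store inventory, role names, thresholds) is
constructed for illustration and does not describe any real environment.
"""
from __future__ import annotations

from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample authentication log (hypothetical host and users).
SAMPLE_AUTH_LOG = [
    "2022-03-01T09:00:01Z host=vpn01 user=alice result=success",
    "2022-03-01T09:00:05Z host=vpn01 user=bob result=failure",
    "2022-03-01T09:00:06Z host=vpn01 user=bob result=failure",
    "2022-03-01T09:00:07Z host=vpn01 user=bob result=failure",
    "2022-03-01T09:01:10Z host=vpn01 user=carol result=success",
]

# Constructed inventory of designated data stores and their encryption state.
SAMPLE_DATA_STORES = [
    {"name": "customer-db", "encrypted_at_rest": True},
    {"name": "backup-bucket", "encrypted_at_rest": False},
    {"name": "hr-share", "encrypted_at_rest": True},
]


@dataclass
class RunbookResult:
    """Outcome of one runbook: its name plus any findings that need follow-up."""
    name: str
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_log_line(line: str) -> dict[str, str]:
    """Parse 'timestamp key=value key=value ...' into a dict."""
    timestamp, *pairs = line.split()
    record = {"timestamp": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def runbook_log_review(lines: list[str], threshold: int = 3) -> RunbookResult:
    """Runbook: review auth logs and flag users with at least `threshold` failed logins."""
    failures: Counter[str] = Counter()
    for record in map(parse_log_line, lines):
        if record.get("result") == "failure":
            failures[record.get("user", "unknown")] += 1
    findings = [
        f"{user}: {count} failed logins"
        for user, count in sorted(failures.items())
        if count >= threshold
    ]
    return RunbookResult("log-review", findings)


def runbook_encryption_check(stores: list[dict]) -> RunbookResult:
    """Runbook: confirm every designated data store is encrypted at rest."""
    findings = [
        f"{store['name']} is not encrypted at rest"
        for store in stores
        if not store.get("encrypted_at_rest", False)
    ]
    return RunbookResult("encryption-check", findings)


@dataclass
class Playbook:
    """A playbook maps each role to the runbook that role is responsible for running."""
    name: str
    runbooks: dict[str, Callable[[], RunbookResult]]


def run_playbook(playbook: Playbook, max_workers: int = 4) -> dict[str, RunbookResult]:
    """Execute every runbook in the playbook concurrently and collect results by role."""
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {role: pool.submit(task) for role, task in playbook.runbooks.items()}
        return {role: future.result() for role, future in futures.items()}


def build_sample_playbook() -> Playbook:
    """Assemble a constructed 'daily hygiene' playbook from the two runbooks above."""
    return Playbook(
        name="daily-hygiene",
        runbooks={
            "soc_analyst": lambda: runbook_log_review(SAMPLE_AUTH_LOG),
            "data_owner": lambda: runbook_encryption_check(SAMPLE_DATA_STORES),
        },
    )


if __name__ == "__main__":
    for role, result in run_playbook(build_sample_playbook()).items():
        status = "OK" if result.ok else "ACTION REQUIRED"
        print(f"[{role}] {result.name}: {status} {result.findings}")
```

The playbook answers "who is responsible for what" (role to runbook), while each runbook function is the step-by-step "how"; the orchestrator only fans the runbooks out and gathers their findings, which is the part a SOAR platform automates at scale.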
By Michael Osakwe
*This article was originally published as a blog on the Nightfall AI website and is republished with the cyber-security company’s permission.
SERVICE DELIVERY REVIEW | Volume 15 • No. 1 of 2022 31