Imagine a busy security analyst working for a managed service provider (MSP) or managed security service provider (MSSP). Each day, they are inundated with incident alerts from various security incident and event management (SIEM) and endpoint detection and response platforms. Responding to these incidents efficiently is crucial, yet complex.
One of the most challenging aspects is knowing how to respond to different types of incidents. Each time a security incident occurs, they need to select and execute the appropriate response actions. Traditionally, this is done manually. It requires security practitioners with knowledge in multiple domains including broad security tool expertise.
Recently, automation has promised to streamline the time and expertise required to respond to security incidents.
Enter SOAR, Ever So Briefly
The most prominent solution for automating incident response has been security orchestration, automation and response (SOAR) solutions. In the Hype Cycle for Security Operations, 2024, Gartner defines SOAR as, “solutions that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single solution”.
However, in the same report, Gartner now classifies SOAR as “obsolete”. Why?
Two likely reasons come to mind. The first reason for SOAR’s demise is that SOAR required security operation center and MSP teams to invest considerable resources in their engineers to support SOAR’s development requirements. A related reason is that SOAR ended up being a bit of an island at the end of the threat detection, investigation and response (TDIR) process. In hindsight, it turns out that tighter integration and context sharing throughout the TDIR process was needed.
ContraForce Gamebook Automation
For some time now ContraForce Gamebooks, the response playbooks built into the ContraForce platform, have overcome the short falls of SOAR for MSPs by closely integrating threat response with the rest of the TDIR process and reducing the time and engineering expertise needed to manage incident response.
Today, we are excited to announce that we have further improved response efficacy with the release of Gamebook automation. As an MSP, you can now set up Gamebooks to automatically run when a SIEM rule is triggered; reducing manual effort, improving response times, and ensuring consistency in incident management.
Gamebook automation further streamlines the time you require to deliver a managed detection and response (MDR) service and reduces the requirement for security expertise for most TDIR use cases. With Gamebook automation, you effectively take the human out of the threat response process and simplify the management of security operations at scale across multiple customers.
Gamebook automation also reduces the cost of delivering an MDR service. Not only do our Gamebooks eliminate your need to make additional investments in SOAR technologies, but they also help you manage staffing costs by reducing manual effort.
That being said, we also realize that implementing automated response playbooks is a big step for most MSPs. It should be no surprise then that we allow you to move as fast, or as slow, as you want with Gamebook automation. We provide you with clear visibility and control over which Gamebooks are set to “auto-run". You can enable or disable the auto-run feature for a recommended Gamebook for any detection rule.
And you can also automate Gamebooks on a client-by-client basis to match your clients’ requirements. For example, certain clients may not want you to auto-run Gamebooks that isolate machines as some may be deemed to be business critical.
To ensure you have the governance you need in place, we also allow you to closely monitor your organization’s use of Gamebook automation. For example, you can receive notifications whenever an automated gamebook is executed. The ContraForce platform also maintains an audit trail of all Gamebook automation changes and executions for transparency and compliance. And we offer insights into the usage of the auto-run feature for continuous improvement.
Rule-to-Gamebook Mapping
With this release, ContraForce also provides you with a summary page where you can see which Gamebooks are mapped to which detection rules, with a separate summary page for each client that you support.
ContraForce automatically maps MITRE ATT&CK techniques to MITRE D3FEND responses for every rule you have deployed. In other words, we automatically map nation state level attack techniques to nation state defense techniques with no human or engineering investment required. The list of default recommendations will be varied for each of your clients, depending on what detection tools they have deployed.
In the summary page, you can also see whether auto-run is turned on or off for each Gamebook, which is especially helpful if you have multiple staff interacting with the same client.
Furthermore, you can see detailed descriptions of each Gamebook, and the individual actions and steps that make up the Gamebooks, to understand their impact and actions. We’ve also made it easy for you to easily view and search through all rule-to-Gamebook mappings, and filter Gamebook recommendations by various parameters (workspace, data source, rule, severity, MITRE tactic, version, etc.) to quickly find relevant information.
In summary, we’re excited to release Gamebook automation and mapping to allow you to respond more effectively and improve the overall security posture of your clients.
Both Gamebook automation and mapping are currently available for Microsoft Sentinel. As a result, when you use ContraForce to manage threat response for your Sentinel clients you can simplify your workflow since Sentinel lacks both response playbook recommendations and multi-tenant threat response management.