Chapter 5. Enter the Playbook

“Computers are useless. They can only give you answers.”

Pablo Picasso

Most large entities are faced with a crazy level of network and organizational complexity. Overlapping IP address space, acquisitions, extranet partners, and other interconnections among organizational and political issues breed complex IT requirements. Network security is inherently complicated with a large number of disparate data sources and types of security logs and events. At the same time, you’re collecting security event data like IDS alarms, antivirus logs, NetFlow records and alarms, client HTTP requests, server syslog, authentication logs, and many other valuable data sources. Beyond just those, you also have threat intelligence sources from the broader security community, as well as in-house-developed security knowledge and other indicators of hacking and compromise. With such a broad landscape of security data sources and knowledge, the natural tendency is toward complex monitoring systems.

Because complexity is the enemy of reliability and maintainability, something must be done to combat the inexorable drift. The playbook is an answer to this complexity. At its heart are a collection of “plays,” which are effectively custom reports generated from a set of data sources. What makes plays so useful is that they are not only complex queries or code to find “bad stuff,” but also self-contained, fully documented, prescriptive procedures for finding and responding to ...