Applying SOAR to NIST’s Incident Response Playbook

Table of Contents

What the NIST Incident Response Playbook is

What the NIST Incident Response Playbook is not

Framework Functions

Automating Protection, Detection, and Response

Framework Implementation Tiers

Benefits of Adopting the NIST Incident Response Playbook

View More guides on Incident Response

Applying SOAR to NIST’s Incident Response Playbook

  • Incident Response
  • Security Orchestration Automation and Response

Posted on: November 04, 2020

Applying SOAR to NIST’s Incident Response Playbook
In 2013, NIST (National Institute of Standards and Technology) received executive order 13636 that required the federal government to work with key industry stakeholders to develop a voluntary framework. The result of the order was the launch of the first NIST Cybersecurity Framework in 2014, which consists of three elements - functions, categories and subcategories, and tiers - that help both public and private sector organizations to develop a playbook for reducing cyber risks targeting critical infrastructure.

Since the framework’s launch, additional components have been added into the mix, such as the Guide for Cybersecurity Event Recovery, OMB’s Cybersecurity Strategy and Information Plan (CSIP), the Incident Handling Guide, and contingency plans. Each maps back to a specific function in the framework and can guide organizations so that they can better secure their infrastructure and respond to threats as needed. It is also designed to deliver ideal business outcomes that better defend an organization.

Much of the framework and playbook indicate a great deal of labor-intensive work that is required to develop a successful system, but automation can be infused through much of it. In particular, three of the five primary functions can be automated through the use of security orchestration, automation, and response (SOAR) so that protection, detection, and response is made more efficient.

What the NIST Incident Response Playbook is

  • Framework
  • Customizable for every organization
  • Improve related internal and external communication
  • Determines critical services

What the NIST Incident Response Playbook is not

  • Maturity model
  • Step-by-step guide
  • Required in any industry
  • Limited to public sector organizations

NIST’s Framework is specifically designed to help guide organizations towards building a custom foundation, regardless of maturity level, to better handle and respond to risks and threats. More specifically, it offers five functions: identify, protect, detect, respond, and recover. OMB’s CISP takes the framework further to include human resources and the adoption of emerging technology, too.

Framework Functions

The five functions of the NIST incident response playbook are designed to cover cyber, physical, personnel impact, and drill down further via categories and subcategories. Combined, this results in the core of the framework.


The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. 


The Protect Function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.


The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables the timely discovery of cybersecurity events.


The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.


The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident.

Although components associated with the Identify and Recover functions can be benefited by automation, these are primarily documentation and communication driven. The Identify function in particular is an important guardrail to build processes that security operation teams should build before seeking out an automated solution. The other three functions can be greatly improved through SOAR or other automation solutions.

Automating Protection, Detection, and Response

According to NIST’s framework, the categories and subcategories that indicate repetitive and time-consuming events, can almost entirely be automated.

Protect Function

Under the Protect function, security teams should control access to necessary infrastructure, offer awareness and training, protect data integrity and against leaks, and information processes and procedures. Each of these elements can benefit from SOAR automation.

  • Access control - These are permission and role-based, with automation to lock down accounts when necessary.
  • Awareness and training - Built outside of SOAR, these solutions typically involve simulations, which do require automated responses and notifications. This goes for when a user reports regular threats, too.
  • Data security - SOAR is purpose-built to protect the data of an organization. This includes having tools in place to detect data leaks or breaches and is otherwise protected.
  • Information processes and procedures - Automation should be built into much of the process, including audit trails.

Detect Function

SOAR is one of the best solutions for detecting modern threats. Not only does it bring automation into the fold, but SOAR tools also make it easier to get a full 360-view of incidents and threats. Based on NIST’s Framework, organizations should be able to detect anomalies and events, have continuous monitoring, and a detection process. Through SOAR, all of this is automated, through to deduplicating cases and closing those that are benign or false positives, until it’s time for an analyst to further investigate.

Respond Function

Of the categories and subcategories under NIST’s Respond Function, SOAR can communicate, support analysis, and mitigate threats. However, in most cases analysis still require further evidence gathering and investigation, and will need to also confirm the best course of action to take. Then, once a threat is analyzed, an analyst can run a playbook against it which automates the response. This includes necessary communication with any related users and other team members.

Framework Implementation Tiers

Of note, the framework offers a four-tiered system. This allows organizations to identify the critical infrastructure that needs to be protected, the level of technology required and priorities to invest in, and the acceptable levels of risk for the organization. It does not indicate a maturity level nor a right vs wrong approach such as a certification or classification would.

The four tiers are split between risk management, third-party involvement, and effort required. According to NIST, “the Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, and how well integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity info from external parties.”

Benefits of Adopting the NIST Incident Response Playbook

The framework for the NIST Incident Response Playbook has been designed to be adaptable for any organization, regardless of size, budget, and resources. This includes supporting organizations that have a mature security process in place. Using the framework, security and IT teams can properly protect physical, cyber, and personnel from business-impacting events. When including automation and a SOAR solution, organizations can build beyond just a framework and into an efficient defense against related threats.

The Virtual Cyber Fusion Suite