COPS Open Incident Response Standard Hits the Scene

Demisto has announced an open industry standard to build and share cyber threat incident response playbooks.

The Collaborative Open Playbook Standard, or COPS, allows sharing of standard playbooks and incident response procedures. COPS uses YAML as the exchange format and has a schema specifically designed for security operations, and is not proprietary.

As attackers collaborate to create more sophisticated attacks, the security industry has lacked an open incident response standard to create response procedures that use collective knowledge. While security intelligence solutions which share just threat information exist, the standard allows organizations to collaborate and build response procedures together or contribute back to the community for use by other organizations.

“Incident response procedures have always been ad-hoc and unstructured with varying degrees of effectiveness,” said Stuart McClure, the former global CTO McAfee and founder at CEO of Cylance. “There is a real need for us to coordinate across companies and vendors to build standard, well-thought-out response procedures. Demisto’s creation of a standard, non-proprietary exchange format is a big step in the right direction. All organizations will be able to build and adopt playbooks, share them and improve them continuously using the standard. This will definitely result in organizations being better prepared for the future attacks.”

The new open standard also facilitates automation and coding into playbooks of internal procedures on security operations and incident response which previously remained in dusty folders, static documents, wiki docs and presentations. Now these documents and procedures can be shared across organizations by creating playbooks using the standard format.

 “While cybercriminals collaborate to attack and steal from organizations, our industry until now has lacked a means for sharing best practices around incident response and community development of playbooks,” said Dan Sarel, Demisto co-founder and VP of product. “At Demisto we believe that the only way to combat cybercrime is through collaboration and we are proud to offer today a major step in this direction.”

The company also said that playbooks created with both the free and paid versions of Demisto’s bot-powered security ChatOps platform can be exported and converted to other product formats. Tasks and procedures can also be automated via Demisto’s platform and the company’s library of hundreds of open-source automation scripts, which can be used to automate actions across more than 40 integrated security solutions.

Sarel added, “Organizations can now automate and track their processes for incident response using playbooks developed in Demisto Free Edition, which are easy to create and do not lock the organization into a single platform.”

Photo © LongQuattro

What’s Hot on Infosecurity Magazine?