Perimeter

12/6/2018
10:30 AM
Mike Fowler
Mike Fowler
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Boosting SOC IQ Levels with Knowledge Transfer

Despite shortages of skills and staff, these six best practices can improve analysts' performance in a security operations center.

Increased security incident workloads coupled with a shortage of skilled response experts are stretching many security operations centers (SOCs) to the breaking point. The fallout can lead to costly and damaging breaches that go undetected until the damage is already done.

One crucial step in improving the effectiveness and productivity of a SOC is knowledge transfer between incident responders. This not only supports the professional development/training of less-experienced SOC personnel but also ensures "tribal knowledge" is retained within the organization when staff turnover occurs.

Unfortunately, investing in a formal process for training and knowledge transfer is often a low priority for organizations because of resource and budget restrictions. Training generally takes a backseat for security team members who are deluged with managing daily alerts and investigations. In addition, it can be difficult to gauge the return on investment (ROI) of a knowledge-transfer process.  

As a result, knowledge transfer becomes an ad hoc affair for many organizations. Typically, new employees are handed basic information and thrown into the deep end without much formal orientation on a SOC's best practices, policies, and procedures for incident response. The resulting lack of consistency among team members can lead to poor job performance.

SOC Knowledge Transfer
At its core, the transfer of knowledge within a SOC relates to incident response processes, intelligence, and procedures from a senior, experienced staff member to his or her less-experienced colleagues. It plays a vital role by exploiting existing resources and expertise often referred to as tribal knowledge to improve the efficiency of incident analysis, investigation, and remediation processes.

The Essentials
While experience is known to be the best teacher, passing on lessons learned from senior employees to junior ones can be time-consuming and inefficient when performed manually.

One of the reasons for this: knowledge transfer is not limited to SOCs and incident responders. Legal staffers also need to be included for regulatory compliance, while the human resources department needs to be involved for personnel issues, especially when insider threats are involved. HR should work closely with all teams and be aware of the security incident processes taking place within the organization. Finally, management stakeholders need to be kept in the loop for ROI issues and funding.

Implementing an automated approach using a centralized database and structured playbooks will ensure knowledge transfer processes are repeatable, defensible, and consistent.

Start with Goals
It's best to establish clear-cut goals before designing a knowledge-transfer program. These can include:

  • Standardizing information gathering across incidents
  • Establishing a common rule set for remote incident handlers
  • Preventing knowledge loss
  • Improving incident response times

Implement These Six Best Practices

1. Fine-tune the message.
Every knowledge-transfer program needs to deliver as much context as possible to ensure the clarity of the process so employees can understand issues in terms of their own experiences. The program must appeal primarily to personnel who will get the most benefit from the information — those who do the work.

Honing the message requires collaborating with key members of the SOC team, so details and tone can be fine-tuned.

2. Develop comprehensive documentation.
The information should focus on clearly defined goals for each audience. IT security has one set of goals, legal/HR another, senior stakeholders a third. The materials should provide the resources and guidelines to help each user population master the specific tasks associated with their role. 

The documentation should be based on regulatory frameworks and/or industry policies and best practices. All of these ensure validity for the process of knowledge transfer.

3. Determine the appropriate delivery method.
While manual processes play a role in certain elements of knowledge transfer, the primary approach should be formalized through training sessions led by senior SOC team leaders.

Other useful approaches include: passing messages along via an internal email list; using a chat program; and providing access to webinars and online content, so incident responders can find answers to questions quickly.

4. Centralize knowledge.
Establish a formal knowledge database of content and structured playbooks that capture security orchestration, automation, and response steps to accelerate incident response workflows.

5. Designate a messenger.
Ideally, this should be a functional leader. In addition, organizations should encourage a cross-section of subject matter experts to contribute opinions and knowledge, and ensure these people are included in periodic reviews.

6. Evaluate the results.
An integral part of the post incident response and reporting process should follow a set standard. Results should be reviewed after every incident to determine if knowledge transfer was missing or if any additional knowledge was needed and should be added to future processes. Training materials should be living documents with period reviews to ensure they are kept up to date.    

A shortage of experienced security professionals, staff turnover, and increasing pressure to do more with less has left many SOCs spread very thin. Smart organizations have identified knowledge transfer as an invaluable tool for boosting the efficiency and performance of their security organizations using existing resources.

Done properly, knowledge transfer is a highly effective and cost-efficient way to train new SOC personnel, retain tribal knowledge, and accelerate the professional development of junior analysts.

Related Content:

Mike Fowler is Vice President of Professional Services for DFLabs, a provider of security orchestration, automation, and response (SOAR) technology. He is an expert in cybersecurity investigations and forensics and has trained forensic investigators for the US Department of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...