Increased security incident workloads coupled with a shortage of skilled response experts are stretching many security operations centers (SOCs) to the breaking point. The fallout can lead to costly and damaging breaches that go undetected until the damage is already done.
One crucial step in improving the effectiveness and productivity of a SOC is knowledge transfer between incident responders. This not only supports the professional development/training of less-experienced SOC personnel but also ensures "tribal knowledge" is retained within the organization when staff turnover occurs.
Unfortunately, investing in a formal process for training and knowledge transfer is often a low priority for organizations because of resource and budget restrictions. Training generally takes a backseat for security team members who are deluged with managing daily alerts and investigations. In addition, it can be difficult to gauge the return on investment (ROI) of a knowledge-transfer process.
As a result, knowledge transfer becomes an ad hoc affair for many organizations. Typically, new employees are handed basic information and thrown into the deep end without much formal orientation on a SOC's best practices, policies, and procedures for incident response. The resulting lack of consistency among team members can lead to poor job performance.
SOC Knowledge Transfer
At its core, the transfer of knowledge within a SOC relates to incident response processes, intelligence, and procedures from a senior, experienced staff member to his or her less-experienced colleagues. It plays a vital role by exploiting existing resources and expertise often referred to as tribal knowledge to improve the efficiency of incident analysis, investigation, and remediation processes.
While experience is known to be the best teacher, passing on lessons learned from senior employees to junior ones can be time-consuming and inefficient when performed manually.
One of the reasons for this: knowledge transfer is not limited to SOCs and incident responders. Legal staffers also need to be included for regulatory compliance, while the human resources department needs to be involved for personnel issues, especially when insider threats are involved. HR should work closely with all teams and be aware of the security incident processes taking place within the organization. Finally, management stakeholders need to be kept in the loop for ROI issues and funding.
Implementing an automated approach using a centralized database and structured playbooks will ensure knowledge transfer processes are repeatable, defensible, and consistent.
Start with Goals
It's best to establish clear-cut goals before designing a knowledge-transfer program. These can include:
- Standardizing information gathering across incidents
- Establishing a common rule set for remote incident handlers
- Preventing knowledge loss
- Improving incident response times
Implement These Six Best Practices
1. Fine-tune the message.
Every knowledge-transfer program needs to deliver as much context as possible to ensure the clarity of the process so employees can understand issues in terms of their own experiences. The program must appeal primarily to personnel who will get the most benefit from the information — those who do the work.
Honing the message requires collaborating with key members of the SOC team, so details and tone can be fine-tuned.
2. Develop comprehensive documentation.
The information should focus on clearly defined goals for each audience. IT security has one set of goals, legal/HR another, senior stakeholders a third. The materials should provide the resources and guidelines to help each user population master the specific tasks associated with their role.
The documentation should be based on regulatory frameworks and/or industry policies and best practices. All of these ensure validity for the process of knowledge transfer.
3. Determine the appropriate delivery method.
While manual processes play a role in certain elements of knowledge transfer, the primary approach should be formalized through training sessions led by senior SOC team leaders.
Other useful approaches include: passing messages along via an internal email list; using a chat program; and providing access to webinars and online content, so incident responders can find answers to questions quickly.
4. Centralize knowledge.
Establish a formal knowledge database of content and structured playbooks that capture security orchestration, automation, and response steps to accelerate incident response workflows.
5. Designate a messenger.
Ideally, this should be a functional leader. In addition, organizations should encourage a cross-section of subject matter experts to contribute opinions and knowledge, and ensure these people are included in periodic reviews.
6. Evaluate the results.
An integral part of the post incident response and reporting process should follow a set standard. Results should be reviewed after every incident to determine if knowledge transfer was missing or if any additional knowledge was needed and should be added to future processes. Training materials should be living documents with period reviews to ensure they are kept up to date.
A shortage of experienced security professionals, staff turnover, and increasing pressure to do more with less has left many SOCs spread very thin. Smart organizations have identified knowledge transfer as an invaluable tool for boosting the efficiency and performance of their security organizations using existing resources.
Done properly, knowledge transfer is a highly effective and cost-efficient way to train new SOC personnel, retain tribal knowledge, and accelerate the professional development of junior analysts.