Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/6/2018
10:30 AM
Mike Fowler
Mike Fowler
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Boosting SOC IQ Levels with Knowledge Transfer

Despite shortages of skills and staff, these six best practices can improve analysts' performance in a security operations center.

Increased security incident workloads coupled with a shortage of skilled response experts are stretching many security operations centers (SOCs) to the breaking point. The fallout can lead to costly and damaging breaches that go undetected until the damage is already done.

One crucial step in improving the effectiveness and productivity of a SOC is knowledge transfer between incident responders. This not only supports the professional development/training of less-experienced SOC personnel but also ensures "tribal knowledge" is retained within the organization when staff turnover occurs.

Unfortunately, investing in a formal process for training and knowledge transfer is often a low priority for organizations because of resource and budget restrictions. Training generally takes a backseat for security team members who are deluged with managing daily alerts and investigations. In addition, it can be difficult to gauge the return on investment (ROI) of a knowledge-transfer process.  

As a result, knowledge transfer becomes an ad hoc affair for many organizations. Typically, new employees are handed basic information and thrown into the deep end without much formal orientation on a SOC's best practices, policies, and procedures for incident response. The resulting lack of consistency among team members can lead to poor job performance.

SOC Knowledge Transfer
At its core, the transfer of knowledge within a SOC relates to incident response processes, intelligence, and procedures from a senior, experienced staff member to his or her less-experienced colleagues. It plays a vital role by exploiting existing resources and expertise often referred to as tribal knowledge to improve the efficiency of incident analysis, investigation, and remediation processes.

The Essentials
While experience is known to be the best teacher, passing on lessons learned from senior employees to junior ones can be time-consuming and inefficient when performed manually.

One of the reasons for this: knowledge transfer is not limited to SOCs and incident responders. Legal staffers also need to be included for regulatory compliance, while the human resources department needs to be involved for personnel issues, especially when insider threats are involved. HR should work closely with all teams and be aware of the security incident processes taking place within the organization. Finally, management stakeholders need to be kept in the loop for ROI issues and funding.

Implementing an automated approach using a centralized database and structured playbooks will ensure knowledge transfer processes are repeatable, defensible, and consistent.

Start with Goals
It's best to establish clear-cut goals before designing a knowledge-transfer program. These can include:

  • Standardizing information gathering across incidents
  • Establishing a common rule set for remote incident handlers
  • Preventing knowledge loss
  • Improving incident response times

Implement These Six Best Practices

1. Fine-tune the message.
Every knowledge-transfer program needs to deliver as much context as possible to ensure the clarity of the process so employees can understand issues in terms of their own experiences. The program must appeal primarily to personnel who will get the most benefit from the information — those who do the work.

Honing the message requires collaborating with key members of the SOC team, so details and tone can be fine-tuned.

2. Develop comprehensive documentation.
The information should focus on clearly defined goals for each audience. IT security has one set of goals, legal/HR another, senior stakeholders a third. The materials should provide the resources and guidelines to help each user population master the specific tasks associated with their role. 

The documentation should be based on regulatory frameworks and/or industry policies and best practices. All of these ensure validity for the process of knowledge transfer.

3. Determine the appropriate delivery method.
While manual processes play a role in certain elements of knowledge transfer, the primary approach should be formalized through training sessions led by senior SOC team leaders.

Other useful approaches include: passing messages along via an internal email list; using a chat program; and providing access to webinars and online content, so incident responders can find answers to questions quickly.

4. Centralize knowledge.
Establish a formal knowledge database of content and structured playbooks that capture security orchestration, automation, and response steps to accelerate incident response workflows.

5. Designate a messenger.
Ideally, this should be a functional leader. In addition, organizations should encourage a cross-section of subject matter experts to contribute opinions and knowledge, and ensure these people are included in periodic reviews.

6. Evaluate the results.
An integral part of the post incident response and reporting process should follow a set standard. Results should be reviewed after every incident to determine if knowledge transfer was missing or if any additional knowledge was needed and should be added to future processes. Training materials should be living documents with period reviews to ensure they are kept up to date.    

A shortage of experienced security professionals, staff turnover, and increasing pressure to do more with less has left many SOCs spread very thin. Smart organizations have identified knowledge transfer as an invaluable tool for boosting the efficiency and performance of their security organizations using existing resources.

Done properly, knowledge transfer is a highly effective and cost-efficient way to train new SOC personnel, retain tribal knowledge, and accelerate the professional development of junior analysts.

Related Content:

Mike Fowler is Vice President of Professional Services for DFLabs, a provider of security orchestration, automation, and response (SOAR) technology. He is an expert in cybersecurity investigations and forensics and has trained forensic investigators for the US Department of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...