Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/6/2018
10:30 AM
Mike Fowler
Mike Fowler
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Boosting SOC IQ Levels with Knowledge Transfer

Despite shortages of skills and staff, these six best practices can improve analysts' performance in a security operations center.

Increased security incident workloads coupled with a shortage of skilled response experts are stretching many security operations centers (SOCs) to the breaking point. The fallout can lead to costly and damaging breaches that go undetected until the damage is already done.

One crucial step in improving the effectiveness and productivity of a SOC is knowledge transfer between incident responders. This not only supports the professional development/training of less-experienced SOC personnel but also ensures "tribal knowledge" is retained within the organization when staff turnover occurs.

Unfortunately, investing in a formal process for training and knowledge transfer is often a low priority for organizations because of resource and budget restrictions. Training generally takes a backseat for security team members who are deluged with managing daily alerts and investigations. In addition, it can be difficult to gauge the return on investment (ROI) of a knowledge-transfer process.  

As a result, knowledge transfer becomes an ad hoc affair for many organizations. Typically, new employees are handed basic information and thrown into the deep end without much formal orientation on a SOC's best practices, policies, and procedures for incident response. The resulting lack of consistency among team members can lead to poor job performance.

SOC Knowledge Transfer
At its core, the transfer of knowledge within a SOC relates to incident response processes, intelligence, and procedures from a senior, experienced staff member to his or her less-experienced colleagues. It plays a vital role by exploiting existing resources and expertise often referred to as tribal knowledge to improve the efficiency of incident analysis, investigation, and remediation processes.

The Essentials
While experience is known to be the best teacher, passing on lessons learned from senior employees to junior ones can be time-consuming and inefficient when performed manually.

One of the reasons for this: knowledge transfer is not limited to SOCs and incident responders. Legal staffers also need to be included for regulatory compliance, while the human resources department needs to be involved for personnel issues, especially when insider threats are involved. HR should work closely with all teams and be aware of the security incident processes taking place within the organization. Finally, management stakeholders need to be kept in the loop for ROI issues and funding.

Implementing an automated approach using a centralized database and structured playbooks will ensure knowledge transfer processes are repeatable, defensible, and consistent.

Start with Goals
It's best to establish clear-cut goals before designing a knowledge-transfer program. These can include:

  • Standardizing information gathering across incidents
  • Establishing a common rule set for remote incident handlers
  • Preventing knowledge loss
  • Improving incident response times

Implement These Six Best Practices

1. Fine-tune the message.
Every knowledge-transfer program needs to deliver as much context as possible to ensure the clarity of the process so employees can understand issues in terms of their own experiences. The program must appeal primarily to personnel who will get the most benefit from the information — those who do the work.

Honing the message requires collaborating with key members of the SOC team, so details and tone can be fine-tuned.

2. Develop comprehensive documentation.
The information should focus on clearly defined goals for each audience. IT security has one set of goals, legal/HR another, senior stakeholders a third. The materials should provide the resources and guidelines to help each user population master the specific tasks associated with their role. 

The documentation should be based on regulatory frameworks and/or industry policies and best practices. All of these ensure validity for the process of knowledge transfer.

3. Determine the appropriate delivery method.
While manual processes play a role in certain elements of knowledge transfer, the primary approach should be formalized through training sessions led by senior SOC team leaders.

Other useful approaches include: passing messages along via an internal email list; using a chat program; and providing access to webinars and online content, so incident responders can find answers to questions quickly.

4. Centralize knowledge.
Establish a formal knowledge database of content and structured playbooks that capture security orchestration, automation, and response steps to accelerate incident response workflows.

5. Designate a messenger.
Ideally, this should be a functional leader. In addition, organizations should encourage a cross-section of subject matter experts to contribute opinions and knowledge, and ensure these people are included in periodic reviews.

6. Evaluate the results.
An integral part of the post incident response and reporting process should follow a set standard. Results should be reviewed after every incident to determine if knowledge transfer was missing or if any additional knowledge was needed and should be added to future processes. Training materials should be living documents with period reviews to ensure they are kept up to date.    

A shortage of experienced security professionals, staff turnover, and increasing pressure to do more with less has left many SOCs spread very thin. Smart organizations have identified knowledge transfer as an invaluable tool for boosting the efficiency and performance of their security organizations using existing resources.

Done properly, knowledge transfer is a highly effective and cost-efficient way to train new SOC personnel, retain tribal knowledge, and accelerate the professional development of junior analysts.

Related Content:

Mike Fowler is Vice President of Professional Services for DFLabs, a provider of security orchestration, automation, and response (SOAR) technology. He is an expert in cybersecurity investigations and forensics and has trained forensic investigators for the US Department of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Artist Uses Malware in Installation
Dark Reading Staff 5/17/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...