Perimeter

12/6/2018
10:30 AM
Mike Fowler
Mike Fowler
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Boosting SOC IQ Levels with Knowledge Transfer

Despite shortages of skills and staff, these six best practices can improve analysts' performance in a security operations center.

Increased security incident workloads coupled with a shortage of skilled response experts are stretching many security operations centers (SOCs) to the breaking point. The fallout can lead to costly and damaging breaches that go undetected until the damage is already done.

One crucial step in improving the effectiveness and productivity of a SOC is knowledge transfer between incident responders. This not only supports the professional development/training of less-experienced SOC personnel but also ensures "tribal knowledge" is retained within the organization when staff turnover occurs.

Unfortunately, investing in a formal process for training and knowledge transfer is often a low priority for organizations because of resource and budget restrictions. Training generally takes a backseat for security team members who are deluged with managing daily alerts and investigations. In addition, it can be difficult to gauge the return on investment (ROI) of a knowledge-transfer process.  

As a result, knowledge transfer becomes an ad hoc affair for many organizations. Typically, new employees are handed basic information and thrown into the deep end without much formal orientation on a SOC's best practices, policies, and procedures for incident response. The resulting lack of consistency among team members can lead to poor job performance.

SOC Knowledge Transfer
At its core, the transfer of knowledge within a SOC relates to incident response processes, intelligence, and procedures from a senior, experienced staff member to his or her less-experienced colleagues. It plays a vital role by exploiting existing resources and expertise often referred to as tribal knowledge to improve the efficiency of incident analysis, investigation, and remediation processes.

The Essentials
While experience is known to be the best teacher, passing on lessons learned from senior employees to junior ones can be time-consuming and inefficient when performed manually.

One of the reasons for this: knowledge transfer is not limited to SOCs and incident responders. Legal staffers also need to be included for regulatory compliance, while the human resources department needs to be involved for personnel issues, especially when insider threats are involved. HR should work closely with all teams and be aware of the security incident processes taking place within the organization. Finally, management stakeholders need to be kept in the loop for ROI issues and funding.

Implementing an automated approach using a centralized database and structured playbooks will ensure knowledge transfer processes are repeatable, defensible, and consistent.

Start with Goals
It's best to establish clear-cut goals before designing a knowledge-transfer program. These can include:

  • Standardizing information gathering across incidents
  • Establishing a common rule set for remote incident handlers
  • Preventing knowledge loss
  • Improving incident response times

Implement These Six Best Practices

1. Fine-tune the message.
Every knowledge-transfer program needs to deliver as much context as possible to ensure the clarity of the process so employees can understand issues in terms of their own experiences. The program must appeal primarily to personnel who will get the most benefit from the information — those who do the work.

Honing the message requires collaborating with key members of the SOC team, so details and tone can be fine-tuned.

2. Develop comprehensive documentation.
The information should focus on clearly defined goals for each audience. IT security has one set of goals, legal/HR another, senior stakeholders a third. The materials should provide the resources and guidelines to help each user population master the specific tasks associated with their role. 

The documentation should be based on regulatory frameworks and/or industry policies and best practices. All of these ensure validity for the process of knowledge transfer.

3. Determine the appropriate delivery method.
While manual processes play a role in certain elements of knowledge transfer, the primary approach should be formalized through training sessions led by senior SOC team leaders.

Other useful approaches include: passing messages along via an internal email list; using a chat program; and providing access to webinars and online content, so incident responders can find answers to questions quickly.

4. Centralize knowledge.
Establish a formal knowledge database of content and structured playbooks that capture security orchestration, automation, and response steps to accelerate incident response workflows.

5. Designate a messenger.
Ideally, this should be a functional leader. In addition, organizations should encourage a cross-section of subject matter experts to contribute opinions and knowledge, and ensure these people are included in periodic reviews.

6. Evaluate the results.
An integral part of the post incident response and reporting process should follow a set standard. Results should be reviewed after every incident to determine if knowledge transfer was missing or if any additional knowledge was needed and should be added to future processes. Training materials should be living documents with period reviews to ensure they are kept up to date.    

A shortage of experienced security professionals, staff turnover, and increasing pressure to do more with less has left many SOCs spread very thin. Smart organizations have identified knowledge transfer as an invaluable tool for boosting the efficiency and performance of their security organizations using existing resources.

Done properly, knowledge transfer is a highly effective and cost-efficient way to train new SOC personnel, retain tribal knowledge, and accelerate the professional development of junior analysts.

Related Content:

Mike Fowler is Vice President of Professional Services for DFLabs, a provider of security orchestration, automation, and response (SOAR) technology. He is an expert in cybersecurity investigations and forensics and has trained forensic investigators for the US Department of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.