As Guru’s Risk and Compliance Officer, I spend time on the housekeeping of our posted standards and controls (security stuff we need to do), but I also keep an eye on how automation and knowledge management can enable “tactical security.” The industry term for this practice is “Security Orchestration, Automation and Response” (SOAR), but on its own, automation doesn’t always render successful outcomes.
For example, when Target stores were famously breached in 2013, the cyber attack worked, in part, because security staff overlooked a machine alert that had become buried in the chatter of their security sensor feeds. The breach ultimately cost the company $300 million and served as a cautionary tale of what can go wrong when too many inputs cause confusion.
Of course, not every missed alert leads to a Target-sized breach. Smaller attacks play out daily. In fact, according to the Breach Level Index, over four thousand sensitive records are compromised every minute. To stay ahead of these incidents, organizations typically employ a “security stack” to flag unusual behavior or possible intrusions against their network. This stack is watched by a core team of staff or a full-up Security Operations Center (SOC), and more and more these teams are being helped by SOAR applications to ferret out the digital chaff and act on what’s real. New SOAR vendors are dotting the landscape, with Gartner reporting over a dozen separate firms in the SOAR space.
Yet these glossy, turn-key SOAR applications don’t create and populate a knowledge base on their own, a place where analysts can find actionable, repeatable information to address incidents within their environment. This operational practice requires SOC personnel to break free of the knowledge trap and document concrete procedures for the broader team.
Documentation is particularly difficult in the SOC world, as the pace inhibits the creation and ongoing maintenance of playbooks and procedures. But shrugging off this step is not an option. Writes one security blogger, “Without playbooks, analysts tend to revert to their gut — which might be effective for the individual, but it leaves the entire team at the mercy of the knowledge that exists within that analyst’s mind.”
So what’s a harried security analyst to do?
Security, meet knowledge management
The answer comes by way of good old fashioned knowledge management, which is not just an additional duty within a busy SOC, but is an essential skill set. Case in point, the NIST Cybersecurity Workforce Framework lists knowledge management as a core expertise among security staff. This includes proficiency in content creation, collaborative tool management and the general ability to “identify, document, and access intellectual capital and information content.”
Industry experts agree that a knowledge base is a huge force multiplier within the SOC. In his article “Boosting SOC IQ Levels with Knowledge Transfer,” Mike Fowler calls out the specific requirement for a content store that everyone can access and easily maintain:
“Implementing an automated approach using a centralized database and structured playbooks will ensure knowledge transfer processes are repeatable, defensible, and consistent.”
One example of how SOAR and playbooks come together might be where a machine alert tells security staff that a large amount data is leaving the organization, funneling out to an unknown site. The analyst or dedicated responder acts on the alert and blocks the site from receiving any additional company data, but this is just the first step in what should be a series of human actions to understand the breadth of the incident and assess the impact. The playbook might say, “Look up the server address and domain of the download site,” followed by, “Search network logs and locate any previous downloads to that server.”
By executing these actions, the incident responder ultimately pieces together the how, what, when, and where puzzle so management can be informed and proceed accordingly (which would likely prompt its own playbook).
Why knowledge management should be part of your security stack
Although today’s SOAR tools can help ferret out threat indicators and tee them up for human analysts, it’s usually the case that tools on their own are not enough to respond to incidents and follow them through to resolution.
Proper security analysis, prevention, and response still depends on people and the timeless operational art of knowledge sharing.
Security personnel are far too scarce and time-constrained to ad-lib their way through each new incident. Readily accessible, updated, repeatable playbooks are the cornerstone for working smarter in an environment that is always potentially under attack.
To learn how Guru's security team uses Guru for security knowledge management, check out my blog post, Supplementing the Revenue Team: How Guru Benefits All Teams, Including Security.