Why Knowledge Transfer is Crucial in Incident Response

One challenge that is almost ubiquitous across organizations in both the public and private sector is how to transfer knowledge between employees successfully and consistently. A process for training and knowledge transfer often seems to be a low priority when other items are competing for time and money. As a result, knowledge transfer becomes a somewhat ad-hoc process. There is frequently no formalized process in place, and this leads to inconsistent and unreliable performance by security team members.

What is knowledge transfer and why do we need it?

Essentially, it’s the transfer of knowledge about incident response processes, intelligence and procedures from senior, more experienced incident responders to less experienced ones, acting as an organizational force multiplier. “Force multiplier” here means taking existing resources and preparing them in a way that improves your organization’s or team’s processes. Depending on the industry, this is sometimes referred to as “tribal knowledge”.

Why do we need knowledge transfer as part of our IR infrastructure?

As threats evolve, our response capabilities have to evolve too. So how do we make sure that the knowledge one incident responder picks up during an investigation is effectively communicated to the rest of the team? We all know that experience is the best teacher, but transferring the experience responders have garnered from previous investigations can be time-consuming, and time to spend on everything that needs to be done is the one thing incident response teams don’t have in abundance. Therefore, a training program has to be built on a foundation of knowledge application (how the knowledge was actually used), and not merely on the provision of knowledge (which usually comes out as anecdotal examples that frequently lack validity).

Knowledge transfer provides the three key properties needed for a successful incident management process: it has to be repeatable, defensible and consistent. Unfortunately, many organizations still lack the capacity to transfer knowledge and skills among employees, and much of the time when a senior, more experienced expert leaves, their knowledge leaves with them. This is a significant issue that should be addressed, and steps need to be taken to manage and mitigate it in the future.

Knowledge transfer is such an important part of cybersecurity that it is strange it is still not a core part of SOC operations. Beyond hardware and software, SOCs depend on personnel, which makes integrating knowledge transfer into SOC operations a growing necessity. Unfortunately, training doesn’t get a high priority when team members receive so many alerts daily and are always reacting to the next potentially serious incident. Typically an analyst joins an organization, is handed basic information and is thrown in at the deep end, without really having a good knowledge foundation.

Another important point to highlight is the difficulty of gauging the ROI. Measuring how long an untrained analyst takes to work an incident compared with a trained one is a time-consuming process in itself. So, if we can’t gauge the ROI, knowledge transfer quickly becomes a non-priority next to the SOC metrics that do get measured, for example mean time to detection, mean time to response and the number of incidents handled.

There are alternatives to a formalized process, but without structure it is easy for something such as an internal shared drive to become a dumping ground for information, with little positive impact on daily operations.

Knowledge transfer doesn’t just concern incident responders. Legal experts need to be included for GDPR compliance, and HR for personnel issues, given the dangers of insider threats. HR should be working closely with all teams and must be aware at all times of the processes taking place within the security team.

And finally, there are the stakeholders responsible for ROI considerations and funding. It’s important that they know exactly how your processes and procedures work, even if only at a high level, so that when the time comes to present quarterly reports to the board, they have a firm understanding of exactly how knowledge transfer contributes to a positive ROI.

These are just some of the reasons why knowledge transfer should be a fundamental part of SOC operations. If knowledge transfer can be effectively facilitated, it can have a positive impact on individual analysts, security teams and overall performance.

In a future blog we will discuss the five key elements of implementing successful knowledge transfer in incident response, but if you can’t wait, why not check out our recent on-demand webinar now: “How to Facilitate Knowledge Transfer in SecOps Utilizing SOAR Technology”.