Imagine being a patient in a hospital, and when your knowledgeable caretaker leaves for the day, the incoming attendant is unfamiliar with your condition, medication needs and other specifics about your case. Aside from the obvious anxiety and feelings of abandonment you would feel, you also would run the risk of receiving error-prone or incorrect treatment.

Now think about cyber threats. They can happen at any time, and once they arrive, they aren’t always easily extinguishable. Like medical facilities, security is a continuous operation, requiring well-coordinated shift handovers inside the SOC to ensure communication is shared and continuity and visibility are maintained. 

Free Resource: A Technical Guide to Remote Security Operations

But during the shift-change process, gaps can arise, such as:

1) Dropped Tasks: From one shift to the next, not all the tasks are handed over, so some fall through the cracks.

2) Lack of Information: Not all details about ongoing cases are shared, resulting in redundant work being done or  worse specific investigations being skipped entirely because it was assumed they were completed by another shift.

Because of these gaps, analysts tend to spend too much time following up with each other to ensure items are completed. With major incidents, this may mean keeping workers from previous shift on for a partial or even full second shift until the incident is closed out. The ramifications of being overworked in this way are well documented.

Getting a Process in Place

Decide on the Basics

Before you can succeed with shift handoffs, you need to decide how you will design your shifts. 

  • Will shifts be staggered? 
  • Will they be covered from geographically different regions (i.e. “follow the sun” model)? If so, handovers may be challenged by language and cultural differences.
  • Do you allow for people to move shifts (i.e. work the early shift one week and the graveyard the next)? If shifts will be set and no one will be changing then you can create shift teams. If shifts rotate, you need to ensure analysts work each shift for a set period of time to ramp to the specific types of cases and ancillary work that each shift is responsible for. On the other hand, rotating shifts can infuse a fresh set of eyes to processes or problems. It also may help retain talent, as working consistently irregular hours can have a negative impact on one’s health.

Properly Share Communication

A common misconception is that when you work shifts you punch in and punch out like in the old factory days. In the SOC, this is not the case. Active cases being worked may require you or someone from the team to arrive early to receive a debriefing and stay late to deliver your own to arriving workers (as well as complete any pending paperwork.) Streamlining the transfer process is critical but simple: Create a standard handoff log template that each shift uses. Communicate clearly tasks and action items. Be prepared for questions.

Log Activities

Security orchestration, automation and response (SOAR) technology can help in the logging process. In addition, SOAR gives managers the ability to automatically assign cases to the appropriate analyst. Through playbooks, escalations can be defined and automated based on the processes that are unique to your organization. 

Tim Condello is senior customer success manager at Siemplify.