[Chris Crowley is a cybersecurity instructor and industry analyst. This is Part 2 of his series of easy-to-use “best practice” documents – a veritable Swiss Army Knife of security operations assets on topics ranging from email writing to shift handoffs to training – created to help SOC professionals save time on common housekeeping tasks. You can read Part 1 here.]
Security operations centers exist to deliver sustained monitoring and response capabilities. Well-performed shift handoffs are part of that operational strategy.
It’s no surprise that longer handoffs will usually deliver a more effective transfer of knowledge. But you are not required to dedicate a large block of time to the transition from one staff member to the next.
This post covers the handoff of information across three categories: essential, optimal and thorough.
SEAT-SWAP is a contrived acronym, but let’s use it to help you remember and structure the important items of a shift handoff: Staff, Explanation, Awareness and Transition (SEAT); Situation, Written, Appropriate and Persistent (SWAP).
First, staff, of course, need to participate in a shift transition. This means they’re “present” and available to do the handoff. If the time allocated to handoff from one staff member to another is in some way compromised, then the handoff doesn’t work well.
Think about your personal routine when arriving at work. Are you ready to receive a bunch of information upon arrival? If not, you’re not the only one. Scheduling a shift-handoff discussion in the first 30 minutes of shift start is sub-optimal.
What is discussed in the handoff is important. Explain the active situations, the concerns, the work that has been done to date to address items and the proposed work to continue these efforts.
There are tools that will help with this (for example, Slack plugins, checklists and forms, SOAR tools and dedicated handoff tools), but what matters is that there is a genuine exchange of information among the parties. Too often, the handoff becomes routine servicing of the almighty checklist rather than a genuine explanation of what matters and why it matters.
Details must be explained when there’s a specific problem. But you should also share information that would help prevent a problem from occurring. Situational awareness is intended to guide future actions and decisions by bringing issues into view so they’re considered. In security, this often takes the form of threat intelligence when speaking about looming threats outside the environment. But it should also involve briefings on suboptimal operations or conditions inside the information systems, if these issues are known.
The continuation of action by the SOC should be seamless to its constituents. To accomplish this, the SOC must not depend on the capabilities of any one individual to deliver consistent service. That independence rests on standards, procedures, training and information sharing developed in advance of the handoff itself. The shift change is more effective if staff are already practicing continuity and consistent operational excellence.
If this isn’t the case, the shift change activities won’t fix that. In fact, the shift change might be a cause of frustration due to inconsistencies. Fix the inconsistency problem via another mechanism, not the shift-change meeting. If inconsistencies exist, however, a shift change may need to be leveraged to quickly cross-train staff on appropriate standards, procedures and information dissemination.
To wrap up, let’s turn to the SWAP part of the acronym as a way to encapsulate your mission when it comes to shift handovers.
Discuss the situation that exists.
This should be in a written form, as well as a recorded briefing that can be reviewed later. (Some people prefer to read it, some people prefer to listen and some people prefer to see it. This can change depending on the topic and your team’s attention bandwidth. Prepare all three all the time.)
This communication needs to be accurate, but it should also convey an appropriate sense of urgency. (These items are primarily moderate, high or urgent items. Other communication vehicles should exist for lower-priority items.)
Do this work persistently. (This is not something that can be done sometimes or as needed. This is durable and persistent. The shift change always reports, even if there’s a “nothing to report” statement.)
For even more help moving beyond the daily cyber grind and concentrating on what matters most – building resiliency and investigating and remediating real threats, fast – visit siemplify.co to download our free community edition and start SOAR’ing today.