The Checklist Manifesto

One of the first professional books I read was “The Checklist Manifesto” [1], a short book with powerful takeaways about how working to a checklist can bring value and safety. The book starts with the topic of Healthcare but broadens to include examples from all career paths.

Without giving away the best bits I’ll borrow a couple of the quotes from the book.

Without trying to compare the amazing work of emergency medical professionals to SOC analysts, there is some definite overlap here:

“… then you must add the difficulties of orchestrating them in the right sequence, with nothing dropped, leaving some room for improvisation, but not too much.”
“… at any point, we are as apt to harm, as we are to heal”
“…you have to get the knowledge right and then you have to make sure that the 178 daily tasks that follow are done correctly despite some monitor’s alarm going off”
“But however supremely specialized and trained we may have become, steps are still missed. Mistakes are still made”

Regarding implementing a simple checklist covering extremely basic and obvious steps:

“The results were so dramatic they weren’t sure whether to believe them (the checklist) prevented 43 infections, 8 deaths and saved two million dollars in costs”

And in general:

“Experts are up against two main difficulties […] fallibility of human memory and attention, especially when it comes to mundane matters […] (and) people can lull themselves into skipping steps even when they remember them”

10 years ago, when I started working in a SOC environment and clients had a small handful of tools, tickets were steady, so I had real energy and focus to invest every time. These days it’s common to have a backlog so long that we rush and skip critical steps.

You can probably see where I’m going here. I’ve previously mentioned “Standardise” as a value of SOAR, but how would that look at different maturity stages?

  1. Not-yet-matured SOC: No formalised processes, or processes that are held in our memory
  2. Maturing SOC: Formalised processes are written down in a book somewhere (and only opened when the auditors visit) but actions are still done manually and from memory
  3. Mature SOC: Formalised processes that start automatically, in seconds, without exception, where every single step is documented for audit, and have a standardised output with.
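
As a sketch of what stage 3 could look like in code (an added example, not from the original post or from any SOAR product): a fixed playbook runs every step in order, records a failed step instead of skipping it, hash-chains the audit trail, and always returns the same output shape. The alert fields, step functions and blocklist are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample alert; the field names are assumptions for this sketch.
SAMPLE_ALERT = {"id": "A-1001", "src_ip": "203.0.113.7", "user": "jdoe"}

def enrich_ip(alert, ctx):
    # Stand-in for a reputation lookup (hypothetical local blocklist).
    ctx["ip_known_bad"] = alert["src_ip"] in {"203.0.113.7"}
    return f"ip_known_bad={ctx['ip_known_bad']}"

def lookup_user(alert, ctx):  # stand-in for a directory query that times out
    raise TimeoutError("directory service timed out")

def decide(alert, ctx):
    ctx["verdict"] = "escalate" if ctx.get("ip_known_bad") else "close"
    return f"verdict={ctx['verdict']}"

PLAYBOOK = [("enrich_ip", enrich_ip), ("lookup_user", lookup_user), ("decide", decide)]

def run_playbook(alert, playbook=PLAYBOOK):
    """Run every step in order; a failing step is recorded, never skipped silently."""
    ctx, audit, prev = {}, [], "0" * 64
    for order, (name, step) in enumerate(playbook, 1):
        try:
            status, detail = "ok", step(alert, ctx)
        except Exception as exc:
            status, detail = "error", f"{type(exc).__name__}: {exc}"
        entry = {"order": order, "step": name, "status": status, "detail": detail,
                 "at": datetime.now(timezone.utc).isoformat(), "prev": prev}
        # Chain each entry to the previous one so later edits are detectable.
        prev = entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        audit.append(entry)
    # Standardised output: the same keys for every alert, whatever happened.
    return {"alert_id": alert["id"], "verdict": ctx.get("verdict", "needs_review"),
            "steps_failed": [e["step"] for e in audit if e["status"] == "error"],
            "audit": audit}

def audit_intact(audit):
    """Recompute the hash chain; False if an entry was altered or the chain is broken."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

The chain detects edits and reordering but not removal of the newest entries, so the latest hash would need to be stored somewhere the analyst cannot rewrite.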

Just a thought.

Andy

[1]  ISBN: 0805091742

Soar.. huh… what is it gooood for?

Absolutely… quite a lot.

Whilst I’m not new to SOC/API/Coding/Integrations, I am slightly new to the concept of SOAR.

So in my first few weeks and months, what potential VALUE have I identified? (I will talk about specific detailed use cases in future posts; today I’m just looking at high-level concepts.)

In no specific order:

  1. Reduce alert volume – automation closing trivial tasks
  2. Reduce alert overhead – automated manual labour of more complex tasks
  3. Quicker to act – With fewer alerts in the first place, and with the remaining alerts having the donkey work done, analysts can get to the meat of an incident quicker.
  4. Standardise your workflow – same work process fires every time, no deviation by junior/tired analysts
  5. Standardise approvals – An incident can mandate direct formal involvement and sign-off from HR, business owners etc. (non-repudiation)
  6. Standardise your playbook – use a playbook that maps to a framework (e.g. NIST)
  7. Coach new tier 1 analysts – An interactive log of all tickets, and a playbook helping hand for them to get up to speed.
  8. Automation of boring/simple/repetitive – reduce eye and brain strain by removing the tasks that you have to do every day
  9. Revitalise legacy/simple tools – Things you can’t afford to replace (mission critical, expensive..), and hook them into your modern security stack using SOAR
  10. Aid Incident Response – Have your IR team review your playbooks so that the right information is collected for post breach analysis.
  11. Reduce risk – Some remote selling services have moved to DTMF payments to remove risk and scope of internal abuse. I see SOAR having a similar benefit to SOCs.

I have no doubt I will revise and restructure this list as time goes on, and add specific real world use cases.

Andy

Gartner – Soar Native SOC

“We also saw a small number of organizations adopting SOAR at the time of their initial SOC build-out”

https://blogs.gartner.com/anton-chuvakin/2018/07/13/soar-native-soc-can-this-work/

Words can’t express how jealous the SOC Analyst 2013 version of me would be hearing this, a SOC built around and focusing on the efficiencies of workflow and time savings!