I've had the privilege of working in a few different SOCs at various maturity levels ranging from the stony shores of regulatory compliance - "Yes, we have a security solution", to the deep shark-infested waters of a global enterprise under frequent attack by nation state-sponsored attack groups. Throughout all of these different engagements, I've worked at many skill levels, from junior / Level 1 analyst through to Incident Response team lead, content engineer, and Data and Intelligence analyst. If I were to pick a single problem needing the most attention across all of those experience levels, it would be communication among teams, or lack of it!
Communication is a "loaded" term, portraying numerous mechanisms to ensure a message is clearly delivered, understood and acted upon appropriately. I warn you that email doesn't really abide by the 4 requirements of successful communication, because there's no assurance it will in fact be:
- Acted upon
Without assurance of the above four points, the communication medium is at risk of failing. A skilled communicator is someone who is able to portray a message, is confident the recipient understands that message and is capable of providing assurance the message was understood (ironically, or maybe not, this is how TCP/IP handles communication). An email only works if the message is responded to quickly and accurately, the sender of the original message receives a reply and responds with a third message of acceptance. Failure of the three-way communication stream can lead to doubt and uncertainty; if an urgent message to conduct a firewall block isn't responded to, was the block ever put in place?
At this point, I should point out that email can be a much easier method to convey complex or detailed information, especially given language barriers. However, if an email is extremely urgent (indicating an incident), follow it up with a phone call to discuss and ensure receipt, acknowledgement, understanding and an agreement to act upon the information (the 4 steps to successful communication). Still, many SOC members fall into the bad habit of spending far too much time reading emails, filing emails and, on occasion, searching for emails someone else filed away...
You wouldn't send a letter via a postal service to tell your CISO that the network has been breached by a nation state-sponsored group, and they're currently siphoning off valuable proprietary data... so why do it via an email?
Even outside of the high-tech world of security, there is abundant evidence that without proper communication, society cannot exist without falling into chaos. History is littered with disastrous events caused by a simple miscommunication, and yet it remains - even in this hyper-connected world of advanced technology - the bane of our existence.
Email is a cheap, fast, and generally effective way to communicate as long as it meets the four requirements discussed here. It's important to use email appropriately and maintain a level of comfort in employing other communication methods when needed. The result of poor communication, or failing the four requirements, can be disastrous (hyperlink to study). It's important to consider what the potential impact might be if the email you send is not received, read, understood, or acted upon. This will help you decide when to pick up the phone!
Author: Gareth Pritchard
Category: RSA Fundamentals, Blog Post
Keywords: Communication, Email, Fail, SOC