SOC Series: Flawless Handoffs During Shift Change

SOC Series Sep 29, 2020

Today’s post continues an ongoing series on Polarity Security Operations Center (SOC) use cases, demonstrating how Polarity augments analysts to deliver superhuman recall and contextual awareness.

Whether a SOC operates 24x7, follows the sun, or hands off to a third party, it is critical that event analysis continues seamlessly across shifts and analysts. Critical actions may be missed during shift change or left out of the shift briefing, and SOC collaboration tools may not retain one analyst’s conclusions for the next. Polarity not only gives analysts the right information to conduct their investigations, but also strengthens the collaborative fabric between analysts, reducing fatigue and minimizing duplicated effort.

Capabilities:

  • Polarity allows analysts to contribute to a shared knowledge base that is accessed in a just-in-time format, so that the lessons learned by one analyst can be shared immediately as they become relevant. The knowledge base extends across:

-Time zones

-Shift changes

-Universal overlays on all tools

  • Polarity allows analysts to see whether others have encountered similar data points and entities on their screen, allowing them to tap into the organization's most valuable asset: its people.
  • Polarity has basic integrations for instant language translation, which give analysts visibility into historical exchanges relevant to their investigations that contain foreign languages. For example:

-Developer notes within code bases

-Historical email interaction

-Tickets submitted in foreign languages

-Websites that contain foreign text

-Intelligence feeds / OSINT analysis that require translation

  • Coordination - Analysts can tackle more when they can quickly understand what has been analyzed by their colleagues as well as what determinations have been made and why.
  • Contribution – Instead of duplicating analysis, analysts can complement or contribute to the analysis of their peers, allowing for deeper analysis of the indicator or fresher perspective with the understanding that certain elements of an investigation have already been accounted for.
  • Knowledge Share – When analysts become aware of the decision processes or rationalizations for the action / inaction of their peers, they can collaborate not only on the end result, but foster mind-share that can be applied for higher quality analysis in the future.

Screenshots from the Polarity Heads Up Display

In the example above, an analyst is assuming duties at the beginning of their shift and is assigned a ticket. Immediately, information about this investigation is populated in the Polarity Heads Up Display, showing the incoming analyst that this investigation was annotated by analysts on other shifts and is also present in the current investigation channel. Because the information is populated immediately, the analyst does not waste time searching for and gathering the results of investigations already completed on other shifts. Administrators can set up channels for the analyst pool, for individual shifts, and for individual companies or organizations. In this manner, whatever is on the analyst's screen is enriched with whatever any other analyst has previously recorded about it.

Polarity provides analysts continuity and consistency across shifts and skill levels.

What Next?

Get your Polarity Community Edition today, or register for a free Jam Session with Polarity’s resident SOC expert, Terry McGraw.

Register now for a special Community Tech Training midway through the SOC Use Case Series, where Terry will share the top 3 use cases covered in our SOC blog series, as well as a preview of the final 6 posts in the series.

Meet the expert: Terry McGraw

Background: Terrence “Terry” McGraw is a retired Lieutenant Colonel from the United States Army and now serves as the President and principal consultant of Cape Endeavors, LLC, with over 20 years of expertise in cyber security architectural design and operations in both commercial and government sectors.

Terry previously served as the Vice President of Global Cyber Threat Research and Analysis for Dell SecureWorks and President of PC Matic Federal. He retired from the United States Army in 2014 after 27 years of service; the last 10 years of his Army career were spent leading key cyber initiatives for the Army’s Network Enterprise and Technology Command, Army Cyber Command and the National Security Agency (NSA). He has multiple combat tours, with his culminating assignment serving as the Director of Operations, Task Force Signal Afghanistan, 160th Signal Brigade (FWD), providing all strategic communications infrastructure in the theater of operations.


Education: BA in History, MSA in Information Systems Engineering, and a graduate of the prestigious US Army School of Information Technology’s Telecommunication Systems Engineering Course.


Relevant Experience: Terry’s work in the Army leading and operating some of the world’s largest and most complex networks, together with 6 years as Vice President of Global Cyber Threat Research and Analysis for Dell SecureWorks, providing managed cyber security services to over 4,000 commercial clients and leading its six Counter Threat Operations Centers, gives him a deep and broad understanding of the cyber threat landscape. His entire professional career has been spent designing and managing resilient network architectures and ensuring their operational readiness.