Tribal Knowledge: Did your security expert leave with all your knowledge?

How long does it take for your new security guru to get up to speed? Learning your network space, your tools, your process, and the coup de grace your networks normal behavior and abnormal behavior? Then he leaves. He leaves and takes all of the precious knowledge with him. You are left with nothing but his company provided laptop. Now it’s your job to check if he left any useful notes to add to the team wiki. Your effort will bear little fruit. He was good while you had him and now he is gone.

Over the past decade tools like the Wiki came into play. You made sure everything was documented in the team wiki. The tool matured a bit more into collaboration tools and you wrapped your business processes around them. However, here’s the issue with all of those tools and it is the documentation vs. actionable intelligence challenge. As your analyst’s knowledge of your network grows, they memorize things like what a few significant IP addresses on the network represent, knowing exactly how Fred’s PC accesses an annoying tracker website that sets off your security devices, or how the cowboy Sys-Admin kicks off ps-exec scripts from different machines at un-scheduled times. The human knowledge on network behavior and host relationships doesn’t have a place in a ticket or wiki and that tribal knowledge walks away when the analyst leaves your company. It shouldn’t.

I’ve recently been introduced to the concept of notebooks, a mainstay tool for Data Scientists where network data meets text elements, and in turn meets equations and algorithms. Two popular notebooks are Jupyter and Zeppelin notebooks. Notebooks allow you to write data queries and algorithms against your big data platform. Your security guru has a new place to put his knowledge. Whether that’s a python program that analyzes traffic anomalies or a spark query that tells you who your top talkers and DNS queries are for over the last six months. These queries and programs provide unique insight into your data without having to ask the analyst who just walked away for a better paying job. The analyst has a new place for applying actionable intelligence instead of just documenting knowledge.

When the analyst walks, his playbooks and tribal knowledge stays behind executing over your data beyond his tenure at your company. The same holds true for Big Data platforms that learn your networks behavior, continually adapting to the frequencies of data requests, how much data is requested, and where it requests data from. With a cyber security employee shortage estimated at 1.5 million by 2019, I’m going to stand on a strong tree branch and say we have an obvious fix; adopt artificial intelligence and automation in the SOC. Transforming the business problem from a people problem to an engineering problem. I’m a firm believer that engineering problems will be solved. People problems, well, I’m not a psychologist.

Share on