The Essential ‘Soft Side’ of Running a Security Operations Center Investigation

Some of the best practices can be learned from criminal and terrorism incidents and from law enforcement organizations.

Steve Bongardt is regional vice president of security consulting services at Fidelis Cybersecurity.

Your security operations have all the technical controls, processes and equipment in place. You have all the right experts, yet, you need more. What about your team’s ability to communicate and share information, their state of mind and behavior?

It’s an important, and often overlooked, factor in a Security Operations Center (SOC) investigation. If you ignore the “people side” of the equation, other complexities arise.

I learned a thing or two in my 20 years at the FBI as a member of the Computer Analysis Response Team, profiling units, major terrorism case responses and counterintelligence emergencies. Reflecting on human behavior (what I call “the soft side”), I experienced first-hand our emergency personnel’s response to the 9/11 terrorist attacks in New York, the crash of TWA Flight 800, the 1998 East African Embassy Bombings and International Olympic Command Posts. I see interesting parallels and similar behaviors tied to critical SOC breach investigations. Here are some similarities and insights:

1. You Can’t Perform at 100 Percent, 100 Percent of the Time

There is a tendency for those in command to run their people at 100 percent, allowing no leeway in case of a crisis. High-functioning organizations typically hire individuals with a “can do” attitude – often specifically for the traits and characteristics needed to perform at a high level for extended periods of time.

Be extremely conscious of this tendency. We all struggle – stretching limited resources and pushing teams even more in crisis situations. The circumstances can reach a breaking point if your team is already burned out when escalation is necessary.

To avoid the detrimental effects of burnout, first foster an environment where people can give feedback without fear of retaliation. Then, as you assess performance and build a foundation, focus on work streams and on the visibility, integration and automation of your information infrastructure. These measures reduce workload and stress, allowing your team to focus on hunting and giving you the excess capacity you need.

Be sure to create work streams that provide the deliverables and reports you require right from the beginning. For example, using analysts to create high-level executive briefs is sometimes necessary, but don’t burn them out with low-level tasks, such as repackaging the same information into different formats. It’s not an efficient use of their expertise and time.

2. Designate a Devil’s Advocate

We seek information that confirms what we already know or believe, and that fits our schemas of how the world works. It’s called “cognitive bias.” It can literally be a killer.

Take law enforcement agencies, for example. Often, they have the name or other identifying information of the actual offender in their database early on. Repeatedly, the investigation goes in the wrong direction because investigators seek information that aligns with what they believe is the correct scenario or suspect.

So, how do you prevent falling into this trap?

I’ve found it useful to randomly select a devil’s advocate. Their job is to poke holes in conventional theory. Convinced the perpetrator is an outsider? Designate someone to track and argue a pro-insider angle. The broader the competing scenario, the better the approach – making it possible to explore several different investigative trails.

Why choose a devil’s advocate randomly? Some people love to play the role, but if they are always that person, they may become disliked in the long run.

3. Seek Windows, Not Mirrors

Leaders of security teams often fall short in one area – groupthink. This is commonly driven by teams that echo the boss’ opinion. As a manager, seek people to give you “windows” into new ways of thinking – not “mirrors” of what they think you want to hear. Then, encourage your people to provide windows.

One tactic is to get the input of others, especially in an open forum with their teammates before you share your thoughts. After everyone provides their input, and you ask your critical questions, tell them your line of thought and which actions you think should be taken.

Human behaviors and corresponding actions during a response case can either negatively or positively impact a critical investigation. Security organizations must consider how teams and incident responders work efficiently during intensive response scenarios. Some of the best practices can be learned from criminal and terrorism incidents and from law enforcement organizations.