Knowledge Management for Security & Incident Response

Knowledge Management (KM) isn’t a topic I remember being presented at a FIRST conference before, but Rebecca Taylor (video) made a good case for its relevance. Security and incident response use and produce a lot of information – a Knowledge Management approach could help us use it better. Most teams quickly recognise the benefits of having knowledge recorded, rather than just in individuals’ heads, so most will have contact lists, processes and playbooks. Many are also asked to provide statistics. But KM could also help with things like internal and external knowledge bases, from tips for effective forensic investigations to threat intelligence or customer Frequently Asked Questions.

The first step in making this information useful is to know where it is; then attach metadata, such as when it should be used, when it was last checked/updated, etc. Just establishing these single points of truth can build confidence in the information and make the team’s work more effective. But KM seems to call for a more dynamic approach – it’s “knowledge” management, not just “document” management – where those who use information participate in improving it. So the knowledge system also needs to help users and authors communicate and collaborate, both to mark “good document: still relevant” and “I had problems interpreting this bit”. Somewhere around here, we should be moving from recorded information to shared knowledge, I think.

Systems need to support this way of working – for example, change control must balance ease of updating against maintaining accuracy – but we also need to promote the right culture. Staff should be encouraged to identify opportunities and problems: those who help to improve knowledge should be recognised and rewarded. One way to do this is to use a KM approach to look at known pain points or inefficiencies: for example, rapid sharing of Indicators of Compromise between teams working on different engagements.

KM can even help with future planning. Looking at which information is being actively used (and, conversely, sought but not found) can help us make that easier to find and/or justify effort to improve it. If those using a process are discussing changes, can we anticipate, and pre-approve, any variations of policy or mission that may be needed? There’s a link here, I think, to Vilius Benetis’ talk on CSIRT improvement. A proactive review, ideally every few months, should check: does this still work, could it work better?

While many companies offer “knowledge management” software, that’s not the only option. Rebecca’s talk included effective examples of both a customised commercial system and one (for forensic practitioners, including a Knowledge Base, processes and templates) using Microsoft Teams. Starting small/focussed is definitely the way to go. Identify an area where there’s an obvious need – whether in a particular team or subject area or for management or funders – and use a KM approach to make their work easier. When that succeeds, you’ll have champions to support your work on the next area. Above all, treat KM as a tool to help make improvements, not a thing that should be “done”.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
