
Gamification of the SOC

04.09.2023




Eva Belyaeva, Security Vision


Reasons for gamification


An experienced manager immersed in the daily routine can often spot the first signs of fatigue and burnout among SOC analysts and operators straight away. Even more often, teams that work continuously, with motivation and enthusiasm, on complex or monotonous tasks notice their own ‘non-working’ state only after the fact.


In the end the team turns into a group of endlessly tired people, helped neither by holidays nor by money, who are ready to ‘quit this IS of yours’ tomorrow and walk off into the sunset. Information security is not usually counted among the helping professions, yet constant intellectual labour, compounded by overwork, still affects the state of the people doing it, even when the problem is denied.




There may be different ways out of such situations (managers, team leaders and HR will tell you), but in practice such situations can be avoided, or at least defused, by adding elements of games to the work routine, balancing on the fine line between work and entertainment.


What games are


Game practices used in such teams can be varied and multifaceted. It is worth first identifying a few factors that determine the choice of event format:

1. how serious you are as a SOC;

2. how costly the response process is;

3. how much experience your staff has;

4. often the age threshold matters too.


But really, for the most part, it all comes down to the first point.


Games for solving serious problems


Games suitable for commercial SOCs can hardly be called games at all, but in essence, if we slightly recalibrate our attitude to the work (and to its results), it turns out that pentesting and SOC operations are not just Red/Blue team competitions but the solving of complex IS-oriented puzzles against the clock. Such a reframing will not be a panacea for complex tasks and overheated brains, but that same reduction in seriousness will do morale good; the main thing is not to forget about responsibility and the fact that the real work is still there.


Not so big difficulties


Here, at least, there is room for imagination to run wild, when everything is the same: the same tasks, the same people and the same problems. Nothing is critical, nothing is on fire, there is simply a lot of work and no escape from it. When variety is lacking, you can set up near-SOC activities, borrowing from the gaming world at least achievements and a narrative role-playing model at the round table of cyber training.


Practical applications


What should be done once the decision to diversify the work or lower its stress level has been made? Once all involved have agreed, start implementing the practices.


Embedding in the workplace


Methods can range from humorous to formal: even a simple change of the visual ‘battlefield’ can set the right mood for the players, for example ‘hacking’ Unix terminals, secretly communicating with colleagues over a real walkie-talkie, or moving to a new office or corner of the open space to practise key tasks.


Cyber exercises, like routine case processing, can be transformed right on the dashboards: one customer added a separate tab with a standings table for the work shift. Over time this awakened a competitive spirit in the analysts, and from time to time non-critical, known or duplicated incidents were closed with redoubled vigour. As for achievements, another customer built into their in-house BI platform one small but amusing game element: a pop-up ‘Achievement’ when the team crossed a new threshold in the number of incidents or the speed of their processing.


Not every customer can redesign the visuals to suit the employees. But the team can organise this for itself.


Embedding next to the workflow


If the work tool is formal and serious, a holiday does not help, and competitions with drills lead to tachycardia and severe anxiety, you can use narrative as a temporary tool. The team of one integrator, after a couple of years running an outsourced SOC, switched in the third year from a formal approach to an informal one: analysts became detectives, and the process of investigation and response became an exciting cinematic adventure. This did somewhat change the reports: the dry business style turned into a detective novel, stories about real incidents for management filled up with memes, and the visualisation offered crying and approving cats instead of red crosses and green ticks. Strange as it sounds, such measures did help.


Fruits


Applied in good time, gamification, whether ‘here and now’ or long term, lets the SOC team switch off and try a different role for a while, change the perspective of the work and look at their tasks from a new, more engaging angle.


With the right atmosphere and shared jokes, competitions born of shared interest prove better than any artificial team-building: if the team has defeated the silver or golden dragon in search of a stolen ticket (and whatever other associations Kerberos evokes), they can handle the rest.


