A cybersecurity organization is the most important piece of a company's structure. The reason is that without a good security operation, your company will not survive the ever-changing landscape of threats from malicious actors who want to damage your business's reputation.

To build a fundamental understanding of why cybersecurity operations experience so much burnout and so many unfilled positions, we need to expand our worldview and seek clarity on the objectives that will improve the cyber team while they spend their valuable time protecting the organization. Every second matters.

The first questions you need to ask are why you need a knowledge base, what kind of information will be kept in it, and how that information will help your team.

Primarily, your "why" should be the same:

The purpose is to centralize data in order to improve the efficiency of analyst investigations, cross-team collaboration, and knowledge of your clients.

We move forward by illuminating the how:

o Centralize client data.
o Retain important data from scattered sources (e.g. offenses, reports, graphs, dashboards) in an easy-to-store, easily visible location.
o Leverage existing documents with direct links (such as the SOW).
o Provide external access for clients.
o Easy to navigate and search-friendly.
o Provide a training resource for new and existing staff.
o Help with scaling and growth.

What is the exact information you will be looking to store? The following list will surely be universal across many SOCs:

o Basic details (specific contacts and the prime contact)
o Escalation guidelines for P1, P2, P3, etc.
o Environment (if possible: important log sources, whitelisted applications, users and services that need to be recorded outside of SIEM tools)
o Future tuning and project tracking
o Threat advisories and threat modeling
o Existing documentation (SOW)
o External portal

❗IMPORTANT❗ Do not double the amount of record keeping your team does with a knowledge base. Security operations already has enough work on its plate. Ensure that any information retained in separate platforms is seamlessly integrated into your knowledge base, or don't include it. Anything that requires constant manual labor to update in the knowledge base (hourly, daily, ...) shouldn't be there.

Where is the ideal platform to host all this information: Confluence, SharePoint, Word/Excel documents, etc.? My recommendation is to go with SharePoint or Confluence. The flexibility of these platforms allows you to grow your knowledge base the way you need; many large companies use them as intranet sites and not only as knowledge bases.

Building out a knowledge base on SharePoint is something I do have experience in, so I can break down a few steps that will make this easier for you.

Normally, you will arrive in SharePoint in what we call the "modern" version, or just a simple document hub; this version looks better but offers fewer editing features. I recommend switching over to the "classic" SharePoint, which looks like this:

What you want to do is go to "Pages" and select "Wiki Page". This page type lets you create website URLs that are editable in a format similar to MS Word.

Look into app parts; these are specific apps that can be integrated into your knowledge base to improve performance. Some apps I can recommend are:

Yammer, Spotlight Announcement, List Items, MS embedded