How do you staff a SOC over the holidays?
By Lisa Tetrault, Vice President, Global Security Operations at Arctic Wolf
Dec 23, 2022

An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.

The holiday season is a merry time for everyone. Preoccupied with gift-giving and decorating, it’s natural for people to let down their guard when hunting for great deals or responding to one-time requests from coworkers trying to plan their vacations. But threat actors don’t take time off, and as the Log4j and Kaseya attacks recently showed, attackers are poised to do the most damage when their targets are off celebrating outside the office.

That’s why maintaining or hiring a fully staffed and prepared Security Operations Center can be critical for organizations trying to stay secure and prevent ill-timed breaches. But how can security leaders balance the need for staff to stay alert 24/7 with the social responsibilities that come with the holiday season? The answer, as in most situations in the cybersecurity industry, is to prepare well ahead of time for any possible scenario, no matter how far-fetched.

As dire as it sounds, the recent history of large-scale holiday-weekend cyberattacks like Log4j and Kaseya should lead SOC leaders and analysts to always assume the worst on what are, for many people, the happiest days of the year. To prepare for these types of incidents, creating playbooks that cover the necessary steps to take if a major vulnerability is disclosed or a supply-chain vendor is breached is the easiest way to cover all of the bases for when, unfortunately, an attack inevitably occurs.

Analysts working during the holidays should be armed with information about how to engage the extended security team, how to remediate or shut off the access that attackers have to vulnerable systems, and how to patch exploited vulnerabilities in an emergency, even if it’s on Christmas morning. In addition, analysts should be informed of which business leaders or customers to notify in the event of a breach, and the most effective channels for reaching them if they’re away from their computer or with friends or family.

These playbooks become the lifeline of many SOCs and let the team focus on defending and executing during the security event, instead of performing non-value-added work that could have been planned in advance. After the dust has settled, security leaders may also want to conduct a post-mortem analysis of what went well and what could be improved throughout the security event, and update their incident response playbooks accordingly.

SOC leaders advising their staff ahead of the holiday season can also help themselves by letting extended security staff and other employees know what to expect while they’re celebrating. IT Services, for example, can reduce the likelihood of a breach by reviewing their patch schedule and vulnerability management practices prior to a holiday. There’s nothing worse than team members urgently patching servers during the holidays because of a vulnerability that was already known and could have been planned for months earlier. Staff in other departments should also be cautioned against launching new technology or enabling new services leading into the holiday season, carefully weighing the security risks, even if it’s under a deadline.

The newer a system or service is, the less familiar security staff will be with defending it, and the higher the risk it presents to the entire company. You would not want a new web service stood up right before the holidays that has your customer list open to the world because you were rushing to get it finished before going on vacation, or a cloud object storage bucket with private data exposed because you were rushing to configure it and overlooked security best practices along the way. That access into your network would give bad actors an entry point that could have been prevented with proper planning and time.

Being over-prepared will allow you to effectively execute and defend against this type of event, but there’s more to maintaining a SOC than just writing security playbooks. Scheduling for holidays, in a perfect world, happens weeks and months in advance to give staff the opportunity to take as much time with their friends or family as they need. Because of the influx of vacation requests and the likelihood of an attack, security leaders should ensure that surge support is identified and available before it’s needed, and plan for additional staff to be on call.

I’d also encourage leaders to get creative with their scheduling over a holiday period. If employees want to work remotely to be closer to family or friends, let them. If they want to break shifts up into smaller chunks, like 6-hour shifts instead of 8 or 12, that can be an easy way to boost productivity and morale. And encouraging staff to keep a list of training, side projects or passion projects handy while work is slower during the holidays (while we hope that there are no security events) is a great way to make work fun while other employees are off. Ultimately, planning well in advance to acquire extra resources and staff during the holiday season, and having a deep bench of tasks full of learning and creative projects to pick from should there be quiet time, is the best way to keep employees happy and organizations safe.

Lastly, don’t forget to thank your team that is working over the holidays. These are the rockstars that make all of the magic possible while many of us take time to rest and recharge.