The increased sophistication of today’s cyber threat landscape and the mounting operational requirements of the enterprise put pressure on cyber teams to abbreviate or skip the “lessons learned” phase of their incident response process. Sacrificing this step can directly impact the maturity of a cyber program. Why? Experience has shown that organizations that perform effective lessons learned activities on cyber incidents reach a higher level of operational maturity, one that leads to improved cyber incident management and fewer repeat compromises.
What are the Goals of Lessons Learned Activities?
When the remediation actions of an incident are completed, it is time for the team to discuss and share their observations and discoveries. The objective of lessons learned activities is to determine what went well, where the team can improve, and what action items need to be assigned based on the gaps or shortcomings observed during any given incident.
This is a critical step in the incident response life cycle that is often skipped, unless the activity is requested by leadership. Common factors that drive the decision to forego this step include, but are not limited to:
- time and resource constraints
- coordination and scheduling conflicts
- misconception that the activity has little to no value
- history of poor cooperation across teams
Faced with these challenges, cybersecurity organizations often weigh the long-term benefits of a proper review exercise against the short-term benefit of transitioning sooner to the next incident or project. This decision directly impacts and limits an organization’s ability to grow and mature beyond simple "firefighting" activities.
The impact to the enterprise varies based on culture and current maturity, but all cybersecurity organizations miss out on important opportunities for knowledge transfer and experience sharing when lessons learned activities are reduced or eliminated. The lessons learned phase serves as a catalyst for operational adjustments and enterprise initiatives required to ensure the cybersecurity function can accommodate shifts in corporate culture, adversary tactics, techniques, procedures, and gaps in knowledge or toolset functionality.
A cybersecurity team can alleviate some of the pressures and apprehension involved in conducting lessons learned activities by utilizing an industry standard framework. Identifying and selecting a framework that suits the needs of the team is an important step.
Utilize a Response Framework to Promote Structure
Routine, consistent use of lessons learned exercises is a hallmark of cybersecurity maturity and an indicator of industry-leading security operations centers (SOCs) dedicated to shaping operations for the long term. Such organizations reflect the step's importance by providing a dedicated time frame for the security team to perform introspection, share observations regarding what went well, and decide which areas the team should focus on improving. It is no accident that the lessons learned process is given its own phase within industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology’s (NIST) Incident Response Life Cycle and the SysAdmin, Audit, Network, and Security (SANS) Institute’s Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (PICERL) framework. In both examples, the lessons learned process is the final phase of the incident response life cycle.
Figure 1: Six phases of the PICERL framework
Using the PICERL framework as an example, a cybersecurity team may work through the first five phases to the letter. However, as soon as recovery is complete, the team may feel pressured to skip the final phase and wrap up the ticket or engagement in favor of moving on to the next “fire.” Given that lessons learned feeds into preparation, as shown in Figure 1, organizations stand to lose valuable insights for combating future threats. By strictly following the framework, security teams are encouraged to follow through with the entire life cycle, including the lessons learned phase. Leveraging the framework also provides incident knowledge and enrichment opportunities the security team can use in future incidents.
Use Lessons Learned to Mature Your Cyber Organization
Learning occurs throughout the entire incident life cycle. As the team traverses each phase of an incident, team members should think about and note successes and failures of the actions they individually perform. However, the actual lessons learned phase is less about individuals learning on their own and more about all team members collectively sharing their experiences and perspectives on notable events and issues encountered during the incident. Discussing and addressing both mistakes and effective solutions within the team, at the junior analyst level through upper management, promotes knowledge transfer and reinforces proper and effective processes and procedures when responding to future incidents.
Allocating time to properly perform the lessons learned phase is a tried-and-true marker of leadership expertise, experience, and maturity throughout all levels of a cybersecurity organization. Organizations that effectively execute lessons learned activities experience increased team cohesion and collaboration, less confusion and uncertainty, and fewer repeated mistakes. These attributes distinguish nascent cybersecurity organizations from mature ones.