Cisco has been working in this area for a long time. Besides SOC solutions, we offer SOC outsourcing services (but not in Russia), as well as services for designing an SOC from scratch or auditing an already built SOC for compliance with international best practices. Drawing on that experience as applied to Russian reality, we decided to add a gamification element for SOC Forum participants and developed a Hungarian crossword, “Feel like an SOC analyst!” The main goal for participants in our intellectual game was to notice non-random character sequences in an almost random stream of characters. The winner was to receive a high-tech prize: an Apple Watch.
What characterizes the work of an SOC analyst who spends long hours at the console of information security monitoring tools? Reaction speed is certainly important, but attentiveness and critical thinking, which let you separate false positives from real information security incidents, are just as important. These are the skills we tested in our intellectual game.
The participants’ task was to spot Russian words related to SOC, written horizontally and vertically, in a stream of random characters. The first participants dropped out through carelessness: they did not realize how many words we had hidden, and some of the submitted answers contained only one found word! Fortunately, there were few such participants. Most immediately noticed the note to the crossword puzzle, which said that the number of hidden words is equal to the answer to the main question of life, the universe and everything, which, as you know, is 42. That is how many words were hidden in the crossword.
But this number drove many “SOC analysts” into a trap: they correctly found the first 3-4 dozen words but began to give up on the last five. So some of the participants simply started searching for any meaningful words at all, even ones that had nothing to do with the SOC topic. That is how the words “IVTs”, “BUREAU”, “PAUK”, “UK”, “ROI”, “TOR”, “STEK”, “VAF”, “FCS”, “ROK”, “SPAS” and so on were found. To be honest, I myself was surprised how creatively the participants approached the task and what words and abbreviations they found in the crossword puzzle. True, they had only a very indirect relation to the topic of SOC.
Other participants, also unable to find all the “encrypted” words, began adding to their lists the traps deliberately left in the crossword puzzle. That is how “SYCHOV”, “LUTIKOFF”, “ACHALIN” and “UKATSKY” appeared in the responses. The first option is explainable, although incorrect (after all, the surname is correctly “Sychev”), and the second reminds us of the wave of Russian emigrants who settled around the world and changed the endings of their family names, but the third and fourth options I could not understand 🙂
Another observation from analyzing the answers was that long words were found much faster than short ones. While the acronym “FSB” was spotted by about half of the participants, “FID” and “HASH” were found by no more than 10% of the “players”. Interestingly, not everyone was able to see hidden words such as “NCCSC”, “RULE”, “HYPOTHESIS”, “FINCERT”, “PLATFORM” and a number of others related to the SOC topic.
In conclusion, I want to note that our intellectual game aroused interest and stood out quite well against the background of traditional methods of promotion at information security events. I think that we will repeat something similar at our upcoming cybersecurity events. In the meantime, I want to show a screenshot of a correctly completed answer sheet from a participant in the intellectual game “Feel like an SOC analyst!”.
PS. If you are interested in what Cisco offers in the field of SOC, here is a screenshot of the first page of the leaflet that we distributed at the SOC Forum.