Shifts Occur: How to Rock the SOC Handoff Process With the SEAT-SWAP Technique

[Chris Crowley is a cybersecurity instructor and industry analyst. This is Part 2 of his series of easy-to-use “best practice” documents – a veritable Swiss Army Knife of security operations assets on topics ranging from email writing to shift handoffs to training –  created to help SOC professionals save time on common housekeeping tasks. You can read Part 1 here.]

Security operations centers exist to provide sustained monitoring and response capabilities. Well-performed shift handoffs are part of that operational technique.

It's no surprise that longer-duration handoffs will usually deliver a more effective transfer of information. But you aren't required to dedicate an extended period of time to transition from one staff to the next.

This post covers the handoff of information across three categories: important, optimum and thorough.

SEAT-SWAP is a contrived acronym, but let's use it to help you remember and to structure the essential items of shift handoff: Staff, Explanation, Awareness and Transition (SEAT); Situation, Written, Applicable, Persistent (SWAP).



First, staff, of course, have to participate in a shift transition. This means they're "present" and available to do the handoff. If the time allotted to hand off from one staff member to another is in some way compromised, then the handoff doesn't work well.

Think about your personal routine when arriving at work. Are you ready to receive a bunch of information upon arrival? If not, you're not the only one. Scheduling a shift-handoff discussion in the first half-hour of shift start is sub-optimal.

  • Important: Two people transfer information directly.
  • Optimum: Multiple pairs of staff with dove-tailed shift schedules participate in the transition.
  • Thorough: Geographical or shift-based group transfers.



What's discussed in the handoff is important. Explain the active situations, the concerns, the work that has been done so far to address items and the proposed work to continue those efforts.

There are tools that can help with this (for example, Slack plugins, checklists and forms, SOAR tools and dedicated handoff tools), but what's important is that there's a real exchange of information among the parties. Too often, the handoff becomes a routine servicing the almighty checklist, and not real explanations of what matters and why it matters.

  • Important: Causes of the situations requiring attention.
  • Optimum: Situational causes and actions taken so far.
  • Thorough: Situational causes, actions taken and proposed next actions to take.



Details must be explained when there's a specific problem. But you should also share information that could help prevent a problem from occurring. Situational awareness is meant to guide future actions and decisions by bringing issues to visibility so that they're considered. In security, this often takes the form of threat intelligence when speaking about looming threats outside of the environment. But it should also involve briefings related to suboptimal operations or conditions in the information systems if these issues are known.

  • Important: Known IT operational deficiencies or issues. Highest-priority threat intelligence bulletins.
  • Optimum: Dashboard capturing operational deficiencies in the environment, recorded briefing (about 5 minutes) discussing these items. Threat intel brief on high-priority issues threatening the environment (about 5 minutes) with reference resources available for staff to review.
  • Thorough: Ongoing real-time integration of IT operational dashboards into SOC visibility for situational awareness. Ongoing real-time integration of threat intelligence materials into the SIEM/SOAR/visibility tools, as well as relevant threat intelligence products prepared for SOC staff situational awareness and executive/constituent briefings recorded for consumption on an as-needed basis.



The continuation of action by the SOC should be seamless to its constituents. To accomplish this, the SOC must not depend on the capabilities of any one individual to deliver consistent service. This depends on several elements: development of standards, procedures, training and information sharing in advance of the handoff itself. The shift change is more effective if staff are already practicing continuity and consistent operational excellence.

If this isn't the case, the shift change activities won't fix that. In fact, the shift change may be a cause of frustration due to inconsistencies. Fix the inconsistency problem through another mechanism, not the shift-change meeting. If inconsistencies exist, however, a shift change may need to be leveraged to quickly cross-train staff on appropriate standards, procedures and information dissemination.

  • Important: In-flight task handoff.
  • Optimum: Ticket reassignment for tasks in flight and action briefing between current task owner and new task owner.
  • Thorough: Institute a system (such as ticketing, SOAR or something else) that automatically re-queues appropriate tasks for work levelling between outgoing and incoming staff resources and assigns briefing actions.
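The automatic re-queue in the last item, sketched as an added example (not code from the original post or from any ticketing or SOAR product). The ticket fields, analyst names, severity weights and report wording are assumptions made for illustration.

```python
import heapq
from dataclasses import dataclass

# Assumed weights: heavier tickets count for more when levelling load.
WEIGHT = {"moderate": 1, "high": 2, "urgent": 3}

@dataclass
class Ticket:
    id: str
    owner: str
    severity: str  # key of WEIGHT
    status: str    # "open" means the task is in flight

# Constructed sample queue at shift change (not real data).
SAMPLE = [
    Ticket("T-1", "alice", "urgent", "open"),
    Ticket("T-2", "alice", "moderate", "open"),
    Ticket("T-3", "bob", "high", "open"),
    Ticket("T-4", "bob", "moderate", "closed"),
    Ticket("T-5", "carol", "high", "open"),
]

def requeue_for_handoff(tickets, outgoing, incoming):
    """Return ({ticket id: new owner}, [(old owner, new owner, ticket id)])."""
    if not incoming:
        raise ValueError("no incoming staff to receive in-flight work")
    # Dove-tailed shifts: incoming staff may already carry open work.
    load = {analyst: 0 for analyst in incoming}
    for t in tickets:
        if t.status == "open" and t.owner in load:
            load[t.owner] += WEIGHT[t.severity]
    heap = [(w, analyst) for analyst, w in load.items()]
    heapq.heapify(heap)
    # Heaviest tickets first, each to the least-loaded incoming analyst.
    in_flight = sorted((t for t in tickets if t.status == "open" and t.owner in outgoing),
                       key=lambda t: (-WEIGHT[t.severity], t.id))
    assignments, briefings = {}, []
    for t in in_flight:
        w, analyst = heapq.heappop(heap)
        assignments[t.id] = analyst
        briefings.append((t.owner, analyst, t.id))  # briefing action per moved task
        heapq.heappush(heap, (w + WEIGHT[t.severity], analyst))
    return assignments, briefings

def handoff_report(briefings):
    # The shift change always reports, even when nothing moved.
    if not briefings:
        return "Shift handoff: nothing to report."
    return "Shift handoff:\n" + "\n".join(f"{old} briefs {new} on {tid}" for old, new, tid in briefings)
```

With the sample queue, alice and bob going off shift and carol and dave coming on, the three open tickets are spread so that both incoming analysts end at the same weighted load, and each move produces one briefing action.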

Closing guidance (SWAP)

To wrap up, let's turn to the SWAP part of the acronym as a way to encapsulate your mission when it comes to shift handovers.


Discuss the situation that exists.


This should be in a written form, as well as a recorded briefing that can be reviewed later. (Some people prefer to read it, some people prefer to listen and some people prefer to see it. This can change depending on the topic and your team's attention bandwidth. Prepare all three all the time.)


This communication needs to be accurate, but also show a sense of urgency. (These items are primarily moderate, high, or urgent items. Other communication vehicles should exist for lower-priority items.)


Do this work persistently. (This isn't something that can be done sometimes or as needed. This is sturdy and persistent. The shift change always reports, even when there's a "nothing to report" statement.)


By Admin
