I’ve attended one or two talks in the past on Gamification and honestly never thought much of it, until I saw it in action at a vendor booth at RSA. What this vendor was doing, was using gamification as a unique tool in helping to mold end users by rewarding- or penalizing- their actions when it came to reporting phishes to the incident response team. While seemingly basic in its nascent implementation, it is designed to be elegantly simple. Users were scored and ranked amongst all other users and this information was used both as an additional level of detection (e.g. phishes reported from higher ranked users rise above others) as well as reinforcement to the end-user in the form of ranking (e.g. “You are in the top 5% of users when it comes to spotting phishes!”).

For those not familiar with Gamification, Wikipedia (the foremost authority on everything) defines it as: the application of typical elements of game playing (e.g., point scoring, competition with others, rules of play) to other areas of activity.

Also at RSA, there was a talk given by Whirlpool & Morphick Security on Gamification in the SOC. Unfortunately I was speaking during this same slot and could not attend, though the slides can be found here. I reached out to Kody McLaughlin (@InfoMoogle) for deeper insight and he sent me the commentary below, which was really insightful.

“Our gamification program is ninja themed. The analysts begin at the level of ninja trainee when they enter the company. The progress through the 5 levels and eventually become ninja masters. Each level presents a unique set of challenges that the ninja must complete before moving on. Our program is designed to promote skill growth and knowledge sharing, so the tasks are centered around documenting cool tips and tricks on our analyst tools and documenting our lessons learned for when new ninjas come onto the team.

Rewards are given at each new level. They start small with ninja trainees getting to create a lego avatar when they level up to apprentice and the rewards increase as rank increases. Masters get a challenge coin. In between we have fun ninja-themed rewards like shuriken push-pins, ninja lapel pins, etc.

The team also has a table in the front of the SOC where they are building out their own dojo using legos. The ninjas earn legos by completing special contracts that go above and beyond the skills required to progress in the normal game. These tasks include building cross-team skills (an analyst who is becoming a guru in cyber intelligence for example) or for building a reputation in the cyber community by attending conferences or working groups, publishing findings, maintaining blogs, and obtaining certifications.”

Based on his information and my own research and experience, I also felt like taking a stab at some ideas on how to approach Gamifying a SOC/IRT. Back in 2013 when we were building out the GE Security Operations Center (we had operated extremely well for years without one and were essentially looking to scale to 24×7), we had built an in-house training program spearheaded by infamous incident responders Jack Crook (@jackcr) & Kyle Oetken (@KyleOetken), among others. As part of this training program we built in qualitative and quantitative techniques we used when evaluating SOC analysts during the build out. By the time an analysts interview to officially join the team came around day 90, we were armed with considerable insight into how they were actually performing, as opposed to a typical, “I like that individual” commentary to go on. In some cases, high marks made up for deficiencies in other areas.

What we didn’t do was continue to track analyst effectiveness after training. However, why couldn’t we utilize gamification to better analyze and reward analyst behavior? Furthermore, it could provide a means to rate analysts against each other, similar to some of the online games such as Call of Duty currently do with their leaderboards and ranking systems. In COD, some individuals focus on Kill/Death ratio while others may focus on Objective stats for example. I always tend to focus on the objective- and my team knows that they can count on me to come through there- while I also know that I can count on my team to cover me because they are focused on their K/D ratio. Bringing this back to a SOC/IRT, gamification could provide a better avenue of identifying who the strong players are in many different aspects, such as phishing identification, intel analysis, timeliness in alert resolution, and incident identification, to name a few. In aggregate, this is what makes up a good team, as each person has their specialty and strength of where they can contribute.

Looking specifically at a traditional SOC, charged with reviewing alerts and escalating them as appropriate, there are many different things that could be considered ripe for gamification, depending on what data is tracked. A couple of my ideas and possible achievements are mentioned:

Number of Alerts Responded To Bronze, Silver, Gold, Platinum tiers?
Average Alert Response Time “Clock Watcher” metric?
Alerts Escalated Correctly “Don’t Cry Wolf” metric or tier?
Incidents Discovered by Severity If Sevs are numerical- a single average metric?
Number of New Indicators Saved “Harvest” tiers?
Incidents “that Matter” Discovered “Big Game Hunter” Achievement Badges

Could you perhaps also tie awards and bonuses to these as well? Reaching a new tier or earning a specific badge- especially the Big Game Hunter badge- could provide leadership the opportunity to have specific awards in place that the analysts could earn. This could help encourage specific behaviors, especially as some work in the SOC, such as clearing out alerts, can be very tedious.

While Gamification is a bit of a different animal, for years I have stated that metrics should only be tracked if they are used to drive behaviors and assist in decision-making. “Volumetrics” or “Vanity Metrics” as I contend, such as ‘how many alerts do I get per month’ or ‘number of incidents opened’ don’t truly indicate anything and aren’t really useful for changing behaviors or assisting in decision-making. Could Gamification change that? Perhaps. With that said, make sure to check out my previous post on metrics.

Finally, aren’t we tired of the antiquated ways of managing teams and promoting employees? Why not leverage data and insight such as this to better identify and promote deserving individuals as opposed to the tried and failed methods of who the boss likes and/or thinks is more deserving. Basing decisions on data as opposed to conjecture and feelings could go a long way to build a stronger team and identify those players that are the backbone of the team.

All things considered, I think Gamification can add some very interesting aspects to a mature SOC/IRT. Be it identifying employee strengths and weaknesses, having a fun method to reward employees for their efforts, using the data as a way to evaluate employees, or for just good old bragging rights and morale, gamification has a lot to offer if implemented properly. Are you using gamification? I’d appreciate hearing your thoughts and feedback, so please leave a comment or reach out to me on Twitter @SeanAMason. Thanks for reading.