Incident Response Fails – What we see with our clients, and their fails, preparation will save you a ton of $$$, heartache, maybe your sanity and job
2021-06-12, 16:00–16:45, Track 3

As an Incident Response Principal, we respond to our clients’ incidents and we see a pattern. I have done many a presentation from a Blue Team perspective recommending you do some things, so let’s take a look at what we regularly see that our clients fail at, that either caused the event, made it worse, or why it went undetected. This is a teaching moment that I want to share with you to take back to your organization to prepare for an inevitable event.
I talk about the 3 Cs: Configuration, Coverage, and Completeness. These help us understand what kind of process is needed to address the whole of the problem, how they map to your security program, and why organizations suffer so badly during a security event.
How is your logging? Is it enabled? Configured to some best practice (hopefully better than an industry standard that is seriously lacking)? Have you enabled the critical logs that by default are NOT enabled? Do you have a way to run a command, script, or a favorite tool across one or all of your systems and retrieve the results? What is it that we Incident Responders need and use to investigate an incident, and what are the typical recommendations we make to all our clients that they fail to do? Sadly, a lot of what we need you already have, and it is free: nothing to buy, just process and procedural improvements.
This talk will describe these things and how to prepare, and be PREPARED, to do Incident Response, or, if you hire an outside firm, what they want and need too.
Attendees can take the information from this talk and immediately start improving their environment to prepare for the inevitable: an incident.

Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic for NCC Group. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael presents at many security and technology conferences, helping to educate on security practices that attendees can go back to work and actually do. Michael is a primary contributor to the Open Source project ARTHIR. Michael is also co-developer of LOG-MD, a free and premium tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael is co-host of “THE Incident Response Podcast”. In addition, Michael ran the BSides Texas entity (Austin, San Antonio, Dallas and Houston) for six years and was lead for the Austin conference.