Aug 15, 2021
Recent vulnerabilities got Bryan thinking about incident response.
Are organizations speedy enough to keep up?
If the spate of vulns continue, what can we do to ensure we are dealing with the most important issues?
How do we communicate those issues to management?
How should we handle the workload?
Testing of your IR costs money, do you have budget for that? (verodin, red-team)
Restoring backups, extra VPC or azure environment
You have to minimize issues, right? But is there a good way of doing that?
Simplify your environment?
Spend time working on the CIS 20? You gotta plan for that and show value vs effort.
Incident response is an ever changing landscape.
What is the goal of IR?
Identify affected systems
Recover gracefully and quickly?
Does your environment allow for quick recovery?
What does ‘return to normal’ look like?
The goal of business
Incidents should just be considered part of doing business (risks)
The more popular, the more likely the attack
Incident timeframe = criteria for getting back to normal.
PICERL is a cycle, and one of continual improvement. Incident response is not ‘one and done’.