Hundreds of incidents, what can we share?

Presented at DEF CON 30 (2022), Aug. 12, 2022, 10:35 a.m. (50 minutes)

There are two types of organizations: those that have been breached and those that are not aware of it yet... For most organizations, it is easier to buy blinky lightboxes and tick various compliance boxes (ISO27001, looking at you!) than to improve their security posture. We repeatedly see in the field that the vast majority of incidents could have been contained or even prevented if the effort had been spent in the right place. With hundreds of incidents handled, we have some good statistics on what works, what can help, and what is generally a waste of effort. Most of the organizations that we see get breached are not Fortune 500 companies; they don't have colossal security budgets, but they do have a dedicated team doing its best to make a difference. In this talk, we will cover some of our experience of what works in the real world and how you can focus your efforts on getting the correct data to respond to and close incidents fast. Invariably, the goal is not to have 100% security (no one will fund that!) but to get the business back on its feet ASAP and resume business operations. Planning for that takes dedication and focus, but it can be done!

In our talk we will focus on the pillars that make an incident response plan work:

  • Getting the right team in place
  • Communication!
  • Data collection and access to systems
  • Access to forensics and response tools when you need them

This talk will outline common gaps and compare examples of these two types of organizations from actual incidents to highlight the real-life implications of a lack of preparation, which affects the outcome of an incident.

Presenters:

  • Guy Barnhart-Magen
    With nearly 25 years of experience in the cyber-security industry, Guy has held various positions in both corporations and startups. In his role as CTO of the cyber crisis management firm Profero, his focus is making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach. Most recently, he led Intel's Predictive Threat Analysis group, which focused on the security of machine learning systems and trusted execution environments. At Intel, he defined the global AI security strategy and roadmap. He has spoken at dozens of events on the research he and the group have done on security for AI systems and has published several whitepapers on the subject. Guy is the BSidesTLV chairman and CTF lead, a public speaker at well-known global security events (SAS, t2, 44CON, BSidesLV, and several DefCon villages, to name a few), and the recipient of the Cisco "black belt" security ninja honor, Cisco's highest cybersecurity advocate rank. He started as a software developer for several security startups and later spent eight years in the IDF. After completing his degrees in Electrical Engineering and Applied Mathematics, he focused on security research in real-world applications. He joined NDS (later acquired by Cisco), where he led the Anti-Hacking, Cryptography, and Supply Chain Security groups (~25 people in the USA and Israel).
  • Brenton Morris
    Sr. Incident Responder at Profero. Brenton leads incident response engagements on a daily basis, from sophisticated cloud attackers to ransomware events. Brenton has a unique combination of security research and developer experience, allowing him to resolve many cyber-attacks while fully understanding the impact on production systems.