The Enlightening

Kicking Off a Next Generation Incident Response Test

Awareness, for Techs

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

people at table during a meeting looking to be strategizing about somethingThis afternoon, we kick-off another “Blue Team Exercise,” for another early adopter Client.  There is an excitement in the air.   We all know that, yet again, infotex is blazing a trail that the also-rans will clean-up, turn into a product, and eventually develop a buzzword for.   They will get rich, (or at least try to get rich).  But we will love the development.  The excitement of being at the cusp of the next generation.  The fact that we’ve been doing this for 23 years.

When I first started infotex , I would tell people I am a “geek wannabe.”  Back then – the turn of the century – the word “geek” was just starting to get mainstream popularity.  Businesses were wanting to attract geeks.

The “geek wannabe” term was used by those of us who felt like we knew just enough to be dangerous.   In my case, I was a bit dangerous… until we decided to focus on Information Security, and I found I had a talent for helping non-technical people understand what geeks were actually saying.  

The ability came naturally to me, but I am now realizing it is not that easy.   Most technical people “freeze-up” when they try to explain all the moving parts of a particular technical issue.   For one, they don’t know what we don’t know.   For two, because of the first, they’re not sure which of the moving parts we need to understand.

There really is an art to it.  You have to watch the eyes and know what the precursor of “glazed over” looks like.   It takes practice to see – actually, it might be more of a hearing than a seeing – dullness arise in the audience.

This art – we call it escalation when we’re all in a panic – is the last of the exercises we put our Clients through, when we conduct a “Blue Team Exercise.”  The buzzword people are starting to preach purple teaming, which is the closest generic test product to what we do when we facilitate a blue team exercise.   But what we are doing is not purple teaming – many ask me to define purple teaming and there are as many definitions as there are people talking about it. But we have a defined process mirroring FFIEC guidance.   We are exercising detection, containment, and escalation. 

There’s actually seven different steps to our process now.  This is so new. I do not want to reveal them in a blog post.   But our Clients are loving it – please reach out to Nate if you consider yourself an early adopter of strong security controls.

The most recent report I read on the average time it takes to discover an incident on a network cited good news.   The period fell – from 260 to 200 days.  I’ve read so many of these reports. I’ll have to be honest with you I don’t feel like figuring out which report to cite and I’d like to remind you what George Carlin said about statistics.  (42 percent of them are made up). 

I mean, who is telling pollsters how many days it took to find an incident on their network?  But somehow this report decided that the average detection time was 200 days. 

200 days?   My goodness, every time I hear that number, I’m forced to say, “well, that’s better than 260”, I also say to myself “that surely isn’t community-based banks.”   That has to be coming from the “corporate-Joe environment.”   I even suspect people are guessing high numbers on their surveys so that they don’t look so bad in their corporate Joe committee meetings.   (Keep in mind, these are people who actually have time to fill out surveys – even those asking for information we shouldn’t be releasing.)

But I have been around long enough, and seen enough real incidents in real community banks, to know that three weeks (21 days) is devastating. 

No matter how long you’d be comfortable with, the notion raises one critical question. Do you know how long it will take your team to detect an advanced persistent threat on your network?

We are helping our Clients determine if they truly can spot the APT, and contain it, long before the 200-day average failure period that the also-rans seem to be comfortable with.    And as importantly, we will exercise the process of explaining all the moving parts to management.   The leader of the blue team (as well as other blue team members) will gain experience explaining extremely complex technical issues to management.  And they will practice a simple rhyme I’ve been using for decades:

“Enlighten, don’t frighten.”


Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex

Dan’s New Leaf – a fun blog to inspire thought in  IT Governance.

Audit & Assessment

Policies & Procedure Development

Endpoint Detection and Response

Managed SIEM

Consulting Services

Network Monitoring

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Considerations – Why you should choose infotex, Inc. as your next MSOC!

Reasons why we should be considered! infotex provides a number of services that can be checked out if you click over to! We even made a movie with all the reasons why infotex...

The Magnificent Seven 2023

Seven Trends . . . …that small bank Information Security Officers face in 2023 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcom...