Preparing for Incident Response Can Save Organizations up to $1.23M During a Breach*
In his presentation to BlueHat Seattle, John-Luke Peck, D-CISO and Senior Security Consultant at Critical Insight, reviews in retrospect several recent incident response engagements performed by Critical Insight's Incident Response team. All examples and incidents described in this presentation have been de-identified to protect privacy and operational security.
As a prediction for 2020, John-Luke describes the importance of remote DFIR services and what organizations need to do to prepare their environments for remote digital forensics and virtual incident response. Note that this presentation was given in late 2019, and at 20:20 John-Luke predicts that the time for remote DFIR has arrived.
Remote Digital Forensics and Incident Response (DFIR) Report Requirements
The "autopsies" that John-Luke covers are enlightening. Considering what went well and what did not go well during the various engagements, he highlights the particular data, services, and support available from Microsoft, Office 365, and AzureAD, and covers how they could and could not be leveraged during these engagements, all of which were performed virtually.
Data requirements are also discussed, along with what organizations need to do to prepare for virtual incident response and digital forensics investigations conducted remotely. John-Luke explains how he dealt with data that was and was not there, including cases where:
Necessary data was not available because the client had not taken, or was unaware of the need to take, the steps required to enable its collection
The data and services that were available were successfully used during response efforts
Lessons Learned from Office 365, AzureAD, and Incident Response