What does the worst day look like for incident responders? What keeps them up at night? And what makes their jobs more difficult? Cyber responders from IBM X-Force shared their first-hand accounts of what can turn a bad situation into a worst-case scenario when responding to a cybersecurity incident. Read on to hear their stories.
Laurance Dine, Global Partner, X-Force Incident Response, IBM Security
“My worst day would be a day where we don’t have enough people and there are catastrophic incidents happening globally. [We’d be] trying to help our clients and we couldn’t get enough people in front of them to actually help. I thought about that a lot, but what I do to combat that worst day thought process is I have friends in the industry. We have relationships with other organizations that if need be, we can call and pull them in if necessary.”
Meg West, Incident Response Consultant, X-Force, IBM Security
“We can all agree as incident responders, and even cybersecurity professionals, [that our job gets more difficult] when it comes to looking at our logs. Some key logs are missing so you can’t discern what happened, who did it, etc. That’s one of the most disappointing things to find out — [hearing,] ‘Oh, we were supposed to start logging that, but never enabled it… yeah, we were going to start doing that, we were going to make our EDR more proactive in blocking things,’ but they don’t. Not having the correct logs, not having the right tools enabled. When people don’t know who owns a specific system and the system gets compromised and everyone’s pointing fingers at each other saying, ‘We don’t know the criticality or sensitivity of the data, we can’t assess the impact of the incident because we don’t know who owns that system or who works on it.’ Those are all really common pitfalls that we see.”
John Dwyer, Head of Research, X-Force, IBM Security
“What keeps me up at night is sometimes I wonder if we haven’t learned our lesson over the last four years. I’ve always said we are presented with a once-in-a-lifetime opportunity due to the golden age of ransomware to fundamentally change how we do computing on a worldwide scale. We all have it right now to implement all the things to drastically reduce the risk to your organization across various threats. We’re starting to fall back into trying to buy a solution and not really learning from what has happened and architect new networks… That’s the stuff that really scares me is [wondering if] we’re wasting this opportunity.”