Why Detection Without Understanding Is Just Noise

Most security operations environments that I have had the luck of seeing look impressive. They have dashboards everywhere, alerts are firing, and their SIEM is lit up like it’s doing something meaningful. From the outside, it reads as a mature, well-instrumented program. From the inside, if you’re really honest about it, it is a […]

When Security Architecture Depends on Tribal Knowledge

There is a moment in almost every organization when someone says a phrase that sounds reassuring on the surface but should make security leaders just a little uncomfortable: “Don’t worry, Mike knows how that works.” (No real Mikes are used in today’s example.) Mike, I’m sure, is a great guy; he’s been with […]

The Silent Risk of Inconsistent Time Synchronization

If you’ve been involved in incident response at any level, there is a moment in the conversation when someone asks a deceptively simple question: “When did this start?” It sounds like a straightforward request: after all, security teams collect logs, alerts, and telemetry from systems across the organization. We have dashboards, SIEMs, and sometimes monitoring platforms that […]

Incident Response Without Situational Awareness Is Theater

I recently had a discussion with a few colleagues about incident response. It started the way these conversations often do, with someone asking what “good” incident response really looks like, and about some of the incidents I’ve worked on. That question sounds simple, but it is not. Before long, we were debating playbooks, tabletop exercises, […]