DeepSec 2018 Talk: Security Response Survival Skills – Benjamin Ridgway
Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak “Hello?” barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong…
Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds. Often these people are scared, angry, or otherwise emotionally impaired.
Drawing from years of real-word experience, hundreds of incidents worked by Microsoft Security Response Center, and the many lessons learned from some of the greats in IR around the company this talk will delve into:
- Human psychological response to stressful and/or dangerous situations
- Strategies for effectively managing human factors during a crisis
- Polices and structures that set up incident response teams for success
- Tools for building a healthy and happy incident response team
Effectively navigating the human element is a critical skill for anybody who may be called upon to manage or participate in a security incident. This talk is geared toward occasional or full-time responders who are looking for practical human-management skills.
It is now 3:05AM. Everything has gone horribly wrong. A room full of panicked engineers await. It is your time to sink or swim. Good luck.
But wait! Before you put on your scuba gear, you should probably read on. We asked Benjamin a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- The human mind still possesses all of the same wiring that helped our simian ancestors flee danger. Our reaction to perceived danger is often deeply rooted in this ancestral circuity.
- Studies have shown that lack of sleep impairs judgement as much as alcohol.
- People can subconsciously pick up on signs that their leader is stressed out. This causes an autonomic reaction and causes them to become stressed too.
- People fall back to learned, repetitive cycles when confronted with fatigue or stress. Security responders should prevent mistakes by drilling and practicing often.
- Your executives are people too. They may be just as, if not more, scared during a security incident as the rest of the team.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I was sitting in a meeting with executive leadership walking through a response plan. I realized that everything we were talking about was based on technology. Nobody was talking about its impact on humans. Everyone there was an individual with their own fears and skills. Security responders rarely account for people.
Why do you think this is an important topic?
Often the most critical part of successfully managing a security crisis is the rational and efficient cooperation of people. These people are often dealing with quite natural emotional responses to danger. Good security incident managers recognize this and make it a core part of their work.
Is there something you want everybody to know – some good advice for our readers maybe?
Recognize that humans are human. This means everyone, from the entry level analysts all the way up to your CEO. Security incidents can cause feelings of anger, violation, or fear. People on the team may be fatigued during times where they need to be at their best. Be aware of the state of your team.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
As more companies adopt dev-ops, crisis issues will involve more people who are unaccustomed to working through tense security problems. Security professionals, especially those, whose job it is to keep the situation on track, will find themselves confronting human aspects more often.
Ben Ridgway has been involved in a wide variety of projects during his security career. He started with a position at NASA looking for vulnerabilities in spacecraft control systems. Following that, he took a job with the MITRE Corporation as part of a team which consulted for the US Government. This work involved everything from pen testing high assurance systems to building out Cyber Security Operations Centers. He was hired by Microsoft in 2011 to be one of the original security engineers on Microsoft’s Azure cloud. He helped founding the security incident response team for Microsoft Azure. Over time that scope has grown across multiple online service, cloud, and machine learning technologies. Today he is the lead of the Microsoft Security Response Center – Trust and Strategy Team. This team is responsible for managing critical security incidents within Microsoft’s cloud and artificial intelligence services while preparing for the incidents of tomorrow.