Description: The talk begins by introducing the dilemmas facing modern-day organizations:

1. The scalability challenge: the intrinsic imbalance between attackers and defenders. It costs almost nothing to generate large numbers of obfuscated, or even manually modified, malware payloads, but scaling up the defense against them is exponentially more expensive.
2. Traditional IR / forensics capabilities are not built for scale. It takes half a day just to image hard drives and another day to produce a forensic report.
3. The fatal weakness in the common HR model. Incompetent first-tier IR / forensic staff neglect to collect vital evidence in time, or fail to notice serious compromises ("just another fake AV, let's get the box rebuilt").

All too often, misguided management decisions drive CSIRTs to self-destruction: management is frustrated at not achieving results commensurate with the resources thrown at the problem, and analysts burn out fighting an unwinnable war.
I then take a step back and reorient the situation as an economic problem. Using strategic models, I highlight the places where mitigations can start to win. I then present my vision of an effective CSIRT, all the way from strategic direction, organizational structure and the right level of empowerment to the right metrics and mitigation principles.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.