Yaron Levi

CISO

Dolby Laboratories

Cyber Incident Response – Lessons Learned from Counterterrorism:  A new hope for cyber defenders.

For over 20 years, organizations struggle with Security Incident Response and ultimately fail!

We hear constantly about the challenges: Floods of data beyond human comprehension, Complex systems, Inadequate tools (SIEM anyone?), Shortage of skilled cyber defenders, etc.

Many point to AI as the next silver bullet that will solve all our problems, but will it?

The root cause of the issue is not a technology problem but rather an approach. As cyber defenders we should move from Reactive Incident Response to Proactive Cyber Counter actions as a means to defend forward.

In this talk, I will suggest a new defense approach that is based on counterterrorism practices.

Talk topics

• The challenges of incident response
  First we will start with exploring the challenge with common incident response practices including: complexity, data overload, not understanding the attackers’ perspective and why more visibility not only doesn’t help you but in fact hurts you.
• The fallacy of IOC visibility and why cyber defenders are burning out

We will discuss the deep seeded fear that all Cyber Defenders have, in the back of their mind, to be exposed as incompetent and how that fear combined with flood of alerts cause anxiety, burnout and depression.

• Learning from counterterrorism practices
  We will explore the shortcomings of a reactive Incident Response, and introduce the concept based on counterterrorism practices, to proactively identify and neutralize security threats, way before they escalate to an “incident”.
• Why cyber defenders need to think like the terrorists and not like the soldiers
  We will explore the different mindsets of attackers and defenders and will suggest a new approach for Cyber Defenders.
• Using proactive cyber actions to thwart attacks
  We will show how to use intelligence to threat model attacks, how to collect specific signals, how to purposefully analyze signals, and with due regard for risk versus benefit, how to take actions to thwart the attack.

Takeaways

Attendees of this talk will learn:

• Why our current detection and response best practices will never be effective and will only lead to more breaches and more burnout
• How to think like a counterterrorism officer instead of an incident responder
• Methods to thwart attacks
• Why there is a new hope to win this fight

We continue to fail to stop attacks, despite ever growing investments in people and technology. Security practitioners and cyber defenders are burning out and the overall industry suffer from a sense of defeat.

We can’t continue to do the same things and expect different results and as security practitioners who live on the front lines for many years, we would like to suggest a better way to the community.

We are frustrated to constantly hear all the “expert analysts” that tell you “You need more visibility and AI will solve all your problems” without even understanding that the problem is not a technology problem but a mindset. We are not ready to raise a white flag and surrender, we want to inspire the community to fight back.