Every party must come to an end. This final reflection on the Party Crashers series marks the end of our journey and lays out the steps necessary for your success. Revealed and explored over the course of the series is the reality that compromised credentials are a key attack vector.
Improving detection means improving how accounts are monitored. Rapid7 shared insights and ideas based on their experience building the UserInsight solution. Here are some reflections and steps to kickstart your momentum toward making the shift.
Mind the gap
Stepping back to review the entire series, the key finding deserves some attention: our actions do not yet match our intentions.
Each week, we asked about your experiences, shared insights, and answered questions. Ultimately, we struggle to measure our tools, automate our processes, and collect the context to share a better story. While our attitudes about breaches and the actions we need to take have shifted, our actions are not yet producing the results we need.
Take a moment to consider what this means for you. The good news is that regardless of where you might be in terms of bridging the gap between intention and action, you are not alone. Consider this more a gentle wake-up call that the pathway to improvement depends on shifting our mindsets and matching our actions to them.
Value your time
During the third conversation (and again in the final one) I introduced a basic method to quickly calculate the value of an hour of your time: remove the last 3 digits from your annual salary and divide by 2. For example, someone earning $100,000 annually would divide 100 by 2 to conclude an hour of their time is worth $50.
Knowing this is important when it comes to assessing how much time you invest in improving your situation and how much time is spent (and often wasted) on manual steps and urgent-but-unimportant tasks.
Capturing the steps and time involved in activities helps bring perspective to the cost involved. Knowing those costs allows you to clearly evaluate solutions in terms of return on the investment.
To get a handle on how you might benefit from a solution like UserInsight, consider the following to assess your time and build a personal plan of action.
Craft and follow a personal plan of action
The highlight of the conversation was the discussion on building a personal plan of action. Each part of the series shared key information, actionable insights, and other elements to set the stage for the shifts needed. Taken together, it is a powerful approach to lead change in your organization.
Yet the real change starts when you take the first step.
We focused on a series of steps that allow you to get a rolling start and build momentum. Below are the elements that stood out to me. Check out our conversation for more ideas, and contribute your own to the comments thread here.
Build your personal plan of action to follow three steps:
- Today (next 24 hours): what can you do today to get a sense of your current situation? These tend to be quick elements that need not be shared with others. This is where you start. Keep it simple with a meaningful action. For example:
  - count the number of alerts you get in a day
  - count the number of alerts that required investigation
  - consider the steps and time involved in these two basic tasks to get a sense of how you spend time in any given day
- Over the next week: keep the momentum going, and consider some steps that allow you to get a better sense of what is needed. Activities during this week that caught my attention:
  - time an incident investigation (or more) to see how long it really takes -- and compare the reality against the expectation
  - engage a business colleague (ideally an influencer) in a discussion about the role of credential-based attacks -- and focus on listening to them work through and explain what an attacker could do
  - find out what the business (and/or your boss) really cares about
- Over the next month: these are steps that take a bit longer to plan and execute; they are valuable in building the case necessary to make the investment and reap the benefits. The highlights:
  - define/refine your incident response plan
  - run a simulated attack (we talked about this a bit during the discussion)
    - what did you see?
    - what did you miss?
    - what are you monitoring, and where are your gaps?
The idea behind the plan of action is simple: pick a series of tasks that help you get a handle on the situation, socialize the concepts with others, and ultimately build a case for action. Resist the urge to do it all.
Narrow down to a handful of steps that make sense and are easy for you to execute. Focus on progress over perfection and get the momentum going.
Close the gap between strategy and execution
Use the materials developed and shared as part of this journey to ease the process. Take time to consider your role and engage the help of others. Equally important, consider the benefit of asking others for help. A vendor that has already solved your problem is worth exploring; in this case, consider the experience and potential of Rapid7 to deliver dramatic benefit in a short period.
The real key is to do something that generates a measurable improvement.
In the process, close the gap between strategy and execution. Along the way, you'll reap the rewards of bringing detection and response into balance with prevention.