Video: A Day in the Security Operations Center | Duration: 2701s | Summary: A Day in the Security Operations Center | Chapters: Welcome and Introduction (11.36s), SOC and CERT Roles (172.5s), Incident Response Collaboration (578.7850000000001s), Rapid Incident Response (1069.5099s), Incident Commander Role (1435.3s), Security Preparedness Essentials (1923.145s), Security Breach Stories (2063.18s), Law Enforcement Involvement (2210.315s), Preventing Security Incidents (2282.9601s), Cyber Insurance Role (2425.47s), Forensics Client Explained (2539.1498s), Conclusion and Wrap-up (2590.25s)
Transcript for "A Day in the Security Operations Center":
Alright. We're gonna get started here. So welcome, everyone, and thank you for joining us today. My name is Audi Bautista, executive vice president of security operations at Thrive, and I will be the moderator for today's webinar panel, A Day in the Security Operations Center. My promise to you today is that by the time we end the webinar, you'll have a clear understanding of how security operations teams work together to respond to security threats. So first, we're gonna talk through some housekeeping items. We're gonna keep the webinar to about forty five minutes, including some QA at the end. So we're gonna keep the QA tab open. It's gonna be open throughout the webinar. So if you do have some questions, go ahead and pop them in there. Then at the end of our panel, we'll go through as many questions as we possibly can. And if there's any questions we don't answer, we'll respond via email. And, also, we'll be providing a recording of today's webinar via email to everyone who registered today. So today, during the panel, we're going to be talking through the roles and responsibilities within the twenty four seven SOC. We're gonna walk through how our teams manage alerts and identify potential threats. We're gonna break down how incidents are detected and escalated across teams. We'll also discuss how communication and planning contribute to successful incident resolution. And, of course, we're gonna answer as many questions as we can at the very end. So first, let me introduce my panel. We have Chris Clark, who's the manager of our CERT team, which is short for our cybersecurity incident response team. Chris served as our lead incident responder for several years before stepping into leadership, and he helped build and grow the CERT team. And his team focuses on live incident response and digital forensics engagements. Jennifer Forte is an incident response analyst on the CERT team. She is GAAC certified forensics analyst, and she provides frontline expertise during major security incidents. And we have Olivia White, who's one of our SOC analyst managers. She's a highly experienced SOC analyst before earning her way into leadership, and she oversees the SOC team's daily work and make sure security alerts are handled the right way. So we're gonna get into a poll question to kick off. But just a reminder that we will have the QA box open. And, again, put any questions, and we'll get to as many as we possibly can at the very end. So first poll question. Do you have alarm service monitoring your home? Alright. I see some yeses. I see noes. Okay. Quite a few. Alright. Let's give it another couple of seconds to see some responses. I see more noes than yeses. I'll say I'm a bit bit bit surprised, I'll say. Alright. Alright. I see. Okay. So more noes than yes, the majority. So I'm gonna close-up the poll. And, let me close this out. And, why did I kick off talking about alarm systems for your homes? Because, just like an alarm system for your home, like, why why do you have an alarm system in your house? You have it to protect what's important to you, to protect your family, to protect your your important life savings, for example, if you might have some things saved in your house. And, and it's important because, let's say, when you're sleeping, you want something to be looking at, let's say, the, your front doors and your back doors and your windows. And in case someone comes in when you're sleeping or you're away, you want someone to be watching out for your for what's important to you. And when you think about alarm systems, you also think about what are you covering? Are you just protecting and, let's say, watching for the front door and the back door? Are you covering the windows? How much protection is enough, right, when you think about what's important to you? So, yeah, so and we also think about if you have an alarm system, are you more likely to keep your doors open because you think that, okay. Someone's out there monitoring for when someone opens the door when they're not supposed to. So it's okay if I leave it open, or do you leave it closed in addition to the, alarm system service who's watching over that? So, really, it it really we think about a home alarm system, and if you have one, you think about, okay, how much coverage is enough? And if you don't have an alarm system, that's okay too. But the reason why you probably don't have one is because you don't see a risk. You may live in an area where you you don't feel that people are gonna come in when you're not home or at nighttime. You you feel secure about your environment. So there's many reasons, and it really is dependent on how much your risk tolerant tolerance is and how much you want to protect what's important to you. So and, obviously, no judgment anyone who doesn't have an alarm system. Right? Again, it's it's really about how much, how much, importance you put into the protection and how far do you go. For example, when you have locks in your door, you might have one lock. You might have three locks. Why do people have three locks and a deadbolt? It's to make it harder for a a bad actor, a bad person to come into your house. If you make it harder for them on top of the monitoring, you make it harder for a back to to come into your environment to to to take what's important to you. So if you equate that to a security operation center, what are we doing when you have a security operation center? We're monitoring what's important to our customers, our our the digital assets of our customers. We're monitoring their firewalls. We're monitoring their endpoints, their laptops, their servers. We're monitoring for their identity. We're we're monitoring for what's important. And and the monitoring is one component, but what if something happened? Like, let's say, using the same, alarm system monitoring component, sometimes you're just monitoring for if someone comes in when they're not supposed to. But what if there's a fire in the house? House? But they monitor for that. So if there is a fire and you're 10,000 miles away, that alarm system can say, okay. Detecting a fire. Okay. We're gonna call the fire department. They're gonna come in to put out the fire. And, and and also, you might see when there's a fire, it's not just the firefighters. It's probably a fire chief saying, okay. You go there. You get the holes. You get the ladder. So that's what the cert team does. They come in If there is something that bad happens, they come in to put out the fire and try to mitigate the situation. So so with that said, let let now that related to the home alarm system scenario and what a security operation center is, so let's go to the panel to ask more about about the SOC and the SIR team. So, team, so let's let's take a second. Let's describe the different roles in the SOC and the SIR and walk us through the day to day responsibilities. And, Olivia, let's go first with the SOC. Absolutely. So the SOC, which stands for security operation center, is comprised of tier one analysts that handle the incoming cases, and they act as that first point of review, and they escalate as needed. We also have our senior tier one analysts that are that first point of escalation or that initial escalation point. Then we have the management over the management team, which oversees the daily operations, and we stop in as needed if an issue arises. For, the cert, when the security operations center typically is kind of our monitoring component of the of your alarm system for your company. So, essentially, what happens is if they once the SOC has detected something and they think it's a valid threat, they raise it with my team. From there, my team focuses on validating escalations, investigating incidents, and guiding clients through potential remediation steps. If we have a priority incident that similar to what Audi mentioned in our in his, his home alarm system analogy, we basically have an instant commander who will come on scene, take over the communications, and drive the, the the the, the incident to to resolution. He'll he'll be the main point of contact, and then we have our analyst to our frontline responders, you know, the firefighters, the police officers who come in and take a look at the incident. And they take the, a forensic investigation of the of the incident, develop timelines, collect evidence, and dig into systems to stop and contain the threat and help retain, contain the the client's environment and then help them through the remediation process as well as guiding decision steps for the future. We also have our supervisors for the with the team that keep everything on track. They make sure that we we we are not missing anything at the end of the day for handoffs, and they handle the the overall mentoring of the analyst and and managing things so they don't slip through the cracks the other night, and we're able to continue a twenty four seven operation. So we're able to provide instant response twenty four seven day. Alright. When when a potentially critical alert comes in, how do the different roles come together? Can you walk us through what collaboration looks like from the initial detection all the way to resolution? I can start with that one. So the SOC is really the first line of defense. We conduct the initial investigation, and we take those beginning remediation tasks for the situation. And we also act as the starting point for the client communication. And so after documenting all the steps taken as part of the investigation, handling those communications through phone call and email, the SOC analyst then escalate to the cert and also remain available to continue to to assess as the cert analyst needs. Oh, and I'll also add as far as the search is concerned, you know, we're we're an escalation point for the SOC team. So we're gonna be primarily tasked with taking a deeper dive and trying to determine what exactly happened to cause the incident. We wanna make sure that no other users are also or may become impacted by the current incident. So a good example of this would be a business email compromise. So typically, if you have an end user, they receive a strange email, they click on a malicious link, they input credentials, and suddenly their account is compromised. Oftentimes, this does happen because maybe there's a party more organization and there's an end user at that organization that is compromised. You're sending emails, so our end user here has no reason to not trust this email. And, if they could be sending it to even more users at the organizations, we wanna see who else is taking the email and try to limit exposure to this other users interacting with the email. Other things we do since we're looking at some of the alerts is, you know, we're looking for patterns, other indications of compromise. They may not be, you know, obvious right away. Over time, we start to notice there's certain types of Internet service providers or maybe there's a type of user agent that the product is using when they first log in to the compromised account. So we take that data and we actually share it with our security engineering team to help them develop future alerts for for triage. Olivia, when your team is triaging alerts, what are the signs that help you recognize that something could be more than just routine noise? And what are the factors that guide your team's decision to escalate it to the incident response team? It's really all about those indicators of compromise. You'll sometimes hear those called IOCs, and they can vary depending on the situation. But for a business email compromise situation, it might be something like a user logging in at the same time from two locations that are very far apart or sending out emails to all of their contacts, and those emails are just blanket, phishing emails. As well as if it's a ransomware situation, it might be that a malicious application was downloaded. And now that it's running, it's causing all of these different processes and services to run that way normally. And so, really, if you see one of those IOCs, that's an indication that the activity is suspicious. But we really look for multiple indicators of compromise as well and look through the past history of cases for a client to understand the expected activity for that organization. That being said, it's also very much the collaborative effort. While we have all of that data available, we're not there for the day to day operations of the client organization. So we'll often reach out to a point of contact as well to get confirmation on whether activity is suspicious or not. If it's very clearly malicious based on what we're seeing, we will take the steps to begin the remediation as we're having those communications as well. But at that point, if it's confirmed a true positive event, then the SOC immediately escalates to the survey. Alright. Great. Now this is a good time to roll out the next poll question, which I opened up early, and we already have some votes. Does your organization have a defined instant response plan? Alright. The options are yes. It's regularly tested. That's great to see that. Yes. But it hasn't been tested recently. I've seen that a lot. No. We're working on it. Alright. So so going back to, like, the same home example, the alarm system, if if, if there's gonna be a fire, do you think through an escape plan? Like, some places have, like, fire escape or are you gonna go to the back door? And my wife asked me all the time if there's an earthquake, where do we position ourselves? In the bathroom, under a, a door? You know, those kind of things. So it's about being prepared. And it's response plan. I I'm I'm happy to see that a lot of, a lot of yeses in the majority there, which means that the organizations are thinking about if something happens, what do we do during that circumstance? So I'm gonna get it closed that poll. Thank you for that. Awesome. So next question here. So how do the incident response team prepare for escalation from the SOC, and how does the team coordinate when responding to confirm critical security incidents? For the CERT side, we're always always monitoring for recent, escalation or also multitasking for current funds. So this is to require a lot of communication across the CERT to try to determine what resources we can allocate to the next incident, of course, to have that extra lead and kinda determine how critical that incident is as well. Chris, you're on mute. I'm sure you had a lot of nice words there, so they just gotta start over. Go for it. Building on what Jennifer said, when the security operations center escalates a case, the first thing they they we do is validate the case and figure out how serious it is. If it's critical, the security it's the commander will step in. That person will set the plan, keep the communication with the client, and and and establish clear communication leadership. From there, our analysts will also step in to do a live response, contain the threat, collect evidence, and figure out the impact. Once things are stable to work on we work on eradication and recovery plan so the client can go back online securely. At the end of that, though, the supervisors make sure the case is wrapped up properly, lessons are learned, and updates are made to our playbooks and detections. That way every incident not only gets resolved, but it also improves our response for other clients and an understanding for the future and help with detections. Alright. And, team, as you know, we have an incident response retainer service that thrives, which provides on demand security response services so we can contain and remove threats along with engineering assistance to rebuild and restore critical systems. Now part of the advantages of having the incident response retainer services, of course, you have the preplanning components, which include review of the customer's incident response plan. We also do review of the customer's backup and disaster recovery strategy. And both of these pieces, we document so that is readily available in the unfortunate event that the customer does activate the service and they do have a a security event. And the third important preplanning component of the retainer service is that we install a digital forensics. It's a response solution to all the customer endpoints so that in the again, unfortunately, event that there is a security incident, we'd be able to do a compromise assessment, which looks at the activity between the endpoints and devices in the customer environment so we can get to, let's say, mitigation and resolution and recovery in a much faster pace. So when a client with an incident response retainer reports a security incident, what does the activation process look like? And how do the pre installed tools and the preplanning help expedite the forensics analysis, the containment, then the eventual recovery that might be needed? I made sure to unmute myself this time. I'd personal I personally believe the value in the answer to response, Tanner, is that we have our tools pre deployed, and we set a preparation because of this deploy because of our deployed agents. And the, the the the predetermined access to the environment, we're able to establish connectivity to that environment fairly quickly. So if a threat, is raised with us by the client or the security operation center, we're able to effectively, go straight to work in that environment. For example, in a recent ransomware case, that preparation meant that we were collecting forensic evidence the moment that the threat was identified. We were able to build a timeline and contain the spread, and we didn't spend time waste or we didn't waste time deploying or negotiating our tools. They were back online that same weekend after being impacted on a Friday. We actually had them up before Sunday afternoon, and they were able to resume operations back on Monday. So that preparation makes a difference between fast, secure recovery and a long, painful disruption. Yeah. I have to absolutely add to that. I'll this one of our instant response retainer clients, recently experiencing ransomware. You know, this is a very advanced incident where it takes out businesses for days. So, you know, it could start with something as simple as this an, network compromise or a compromised account, and it will eventually grow to where for actors gonna be on there encrypting data, equiltrating data, and in a way that they can actually bring service offline completely. So the only way we can really help our clients recover from this is to try to determine the earliest signs of suspicious activity. So we're looking at what account was compromised first and when. So without having this kind of tool to be deployed, it's really difficult to get that data quickly. So, you know, we're able to find this information, help determine a good restore point for a critical server, which is typically how they recover. And the fact that we have this already available for us saves the client tons of time and ourselves tons of time. So it was it was an amazing one to have. I that's a great example, but I'd also like to add that I think recently, incidents we've been able to collect evidence, build up the initial timeline, even even to identify a threat actor before our first bridge call. That's let us move the investigation forward faster and give the client those insights quicker, which then help them expedite their decision making process based on their incident response plan to who they're gonna call it next or what they need for resources or or or what, legal implications they need to consider. Yeah. And I I've seen firsthand customers who have had the interresponse digital forensics solution already in place. I remember one specific incident where a customer had a security incident. We actually detected it from the alerting because, as I mentioned, some some retainer customers do not have our security solutions and vice versa. But in this case, it was a customer who had both our monitoring and the retainer service. When we were alerted, we took action, and we were able to immediately pull information. And by the time we were on the call with the customer, it wasn't about what do we do next. It was more about, here's what we know so far. And it really helped add value to the customer situation when when when that occurred. Like, those are much, not a great situation, but better conversations, which leads to faster resolution. So I'm gonna open up the next. Hey. On that too, just you you mentioned that we had a conversation about, what have we done what do we know so far? But we could also come on to the call and say, here's what we've done so far. It wasn't just about what we what we saw. It was it's what what have we already taken care of and what have we already contained for you that you got that before we even had the conversation. Absolutely. So I'm gonna open up the next poll question. So has your organization ever had a security incident or breach? Alright. I see some votes, some yes, some no. I will say sometimes you might be putting no, but it's probably a yes. You just don't know it. Because we've seen organizations that, let's say, on the management perspective, they might have suffered a security incident, whether it's minor or major. And perhaps based on their internal protocols and standards, they might not let the user community know that it occurred for whatever reason. And maybe they're just meeting their their their compliance requirements when it comes to reporting their issues. So if there is no requirements to report it, you may not even hear about a security incident occurring in the environment. So, I'm not surprised by the no, but but I bet it's probably the no's are probably more yeses. You just don't know it. And I'm not sure it's probably the right answer because, again, many times customers have security incidents and they just don't report it, or they just don't make it known to the user community that it occurred. Alright? So I'm gonna get it close to that poll. Thank you for contributing to that. One of the one of the things you brought up there on that point, Audi, is is you you mentioned that a lot of people don't know that they've had a security incident. Sometimes I've seen in situations where I've come into a ransomware incident, and I found that, the client had already been previously compromised by a previous ransomware actor. But that information may have exist preexisted the current leadership or IT staff that was there. So they didn't even know they had a ransomware event prior, to this. Or or the other side of it, when we onboard customers to the solution, you had an event. Did you know you had an event that happened six months ago? Yeah. I did. How do you know? Yeah. You know? Yeah. I love this conversate again, for obvious reasons. Not because I'm happy that something happened to the customer, but the fact that we have that level of visibility, it's amazing. So going go go into the next question. When there's a major security incident, how does the cert keep everyone coordinated so response stays clear and on track? I have to unmute again. I almost forgot. Okay. One of the thing one of the things that we do as a as a team is we again, I've I've raised it a couple times in the call, but, essentially, that incident commander is a key critical portion of, making the sure that the the the incident stays on track. Our incident commander is serving a service that direct contact for your for you. They're gonna work with you twenty four seven. You're gonna be have a pretty consistent individual that knows your case and is able to help you through that. You also have that experienced incident response team who has gone through this multiple time you know, many times, I think, last year. Not just ransomware, but we did over 400 something security incidents. The team is well versed in what steps they need to take and what actions are there. But that in state commander is gonna be your key portion on keeping things on track. He's going to help you kind of set priorities within your internal staff as well as, what we need to be focusing on and making sure that we don't have conflicting efforts within the security incident, and that individual is going to be a key critical portion to keeping your incident afloat. Yeah. Adding that that incident commander role was definitely very important to improve the maturity of our security program because before we had, of course, we have our incident response analysts who are working in the incident, doing the investigation, communicating internally, rounding up the troops, updating the customer. So we felt it was important to have a role specific just for that orchestration component so that they're not distracted by the by the, the groundwork that has to be done during an incident. They they the incident commander definitely works for the client. They they're gonna help you guide through things that maybe you haven't considered and keep those, and and and make and help you make good considerations and and and, and inform choices to to keeping things going. So it's a critical portion. I I apologize for interrupting and highlighting that again, but I think it's a it's a very important portion of keeping the the incident on track. No need to apologize. This is why we're here. So so I have one more poll question. I just wanna go ahead and open up to everyone. How much of your infrastructure is being monitored through EDR, NDR, monitoring software, other monitoring. Is it all the critical critical systems and endpoints? Is there some key systems only, minimal coverage, not sure? And it it it goes to the conversation of of what's important to you that you need to protect. And and and I will call back again to the home alarm system, example where you have an alarm system, you have coverage for your front door and your back door if somebody opens it, but do you have your windows covered? And you might think, okay. I have the First Floor windows. I have a monitor there so someone opens up because I'm not gonna do the Second Floor because no one will ever get to the Second Floor. But guess what? There's ladders. Someone can get to a ladder. If they really wanted to work hard to get into that into your home, they'll find a way. And and that's one way. So, again, it's it's it's about what's important to you. How much coverage do you think is enough? How much security do you think is enough? So, I see the majority of all critical systems and endpoints. That that's definitely promising. That that, that means that, whoever answered those questions are really taking their security serious and making sure they do have their coverage. But some organizations have a different risk tolerance, and they might just say, you know what? I just wanna monitor the key systems because the other part of the environment, maybe it's a dev environment. I don't care too much about it. But that's, again, up to the organization and their risk tolerance. So thank you for that. I'm gonna go ahead and close that poll. One of the things to consider in that situation, though, is that an ADR part is gonna be give you the best advantage by saturation. So if you don't have an ADR in your system, if you only deploy it to key systems, there is a there is a consideration that you you may not necessarily get enough insights from the rest of the network until it's, it it's too late. And the other it's the same thing as if you deploy, say, hey. You're gonna have a monitored smoke alarm system. I did fire alarm systems very early in my career. You go and you set up a fire alarm system, and they had to detect monoxide, in certain area of the room. And then you have somebody else for monitoring your, security system. If you have those disparate systems and, say, somebody they they trigger an alert for the monoxide, but they but they don't but the the security side of it doesn't know that something else is happening here. They could be locking doors or setting off alarms or calling the 911 and overwhelming everybody with information. So having these, a couple things I would like people to take away with is making sure that you have good saturation of your EDR solution, but also making sure that you don't have the spare monitoring systems and organizations, monitoring that. It needs to be a one, one unified system to get the best, reaction to to to an incident. Yeah. And and I'll use a real world example not related to your home alarm system. You may have endpoint protection on your devices, on your servers, your workstations, but let's say you're not covering your firewalls, perhaps there's command and control traffic that you're not able to monitor for. So there's a lack of visibility, if you don't have more coverage. So it's all about defense and depth and how much you wanna cover here. So, one final question we have for the team here. So, final question before we go to the general QA. Looking back at everything we discussed today from alert triage to incident response to coordination with the incident commander, what's one takeaway you'd like to leave us with? Chris Chris actually did give an answer. I'll give the opportunity for everyone else to answer. Yeah. I would say that we really appreciate you taking the time to learn more about the security department and its processes, and we hope that you gain valuable information today. Your dedication to being informed is vital in the current cybersecurity landscape because as we all know, it's constantly evolving and changing. And so the more informed that you can be, the better that collaboration can be between you and the cybersecurity teams. Yeah. Absolutely. And, you know, I wanted to add some from my end, you know, communication to me is so so incredibly important. It really helps instant response processes smoothly. So, you know, the cert and SOC are always working closely together to get as much information as we can to help our clients as quickly as we can. So we need to be able to get this information to determine if something's really minor or something serious as ransomware. So no detail is too small. We're always encouraging our team to communicate early and often with our clients, and we also encourage that same level of communication for our clients to have with their own end users because, you know, sometimes people are embarrassed. They click on something. They feel silly about it. But, honestly, it's so easy to get fooled and it's so easy to click on the wrong thing. So we always encourage lots of communication. That way, you can get help faster. Absolutely. Chris, Chris, did you wanna add anything else? I just wanna make sure. You always had some good times for us, so I wanna make sure. I know I already gave my one key takeaway, from the last, poll, but I I do wanna say that I'm I'm immensely proud of what Thrive is built in our security operations center and the cert and the mature capabilities we've built. But what I think sets us as, sets us apart from other organizations is how we seamlessly can move from monitoring to response and giving clients those insights when they matter most. We're not just reporting what happened. We're we're actually, showing the bigger picture of what led to it and what needs to change moving forward. And I think that every incident that we handle protects our clients in the moment that also strengthens our our us to make us smarter, stronger, and then and better suited to protect clients as we move forward. So that ongoing cycle, cycle of protection response and and remediation kind of builds out a a a a a better path for the security operations center to to help defend other customers who haven't been impacted yet. Yeah. Chris and and I I'm especially proud as well because, I've seen examples where we've done an investigation of a security incident. A customer has cyber insurance. They bring the third party, and we've already done the investigation or did some level of investigation. They see our findings. And on our investigation, they basically validate, say, yep. Nope. We're good. Nothing else to add. Best feeling in the world when that when that happens. So for for me, last thing to add to the today's webinar is, you know, how much security is enough to protect what's important to you. So it's all about making sure you have enough protection to protect what you need, having enough visibility into into what's important to you and and the ability to monitor for that and also being prepared for something that that could potentially happen. Do thoughts experiments, do tabletop exercises, not just with the with the technical people, also have it with your legal folks, your HR folks, and other people in case something has to grow beyond just just the business email compromise or an account compromise. It could lead to something bigger than that. And and be careful. I know I'm adding more than one, but, be careful not to put your environment at risk. Make sure you have the basics, MFA, multifactor authentication. It it's it's troubling to see these days that there are still organizations that don't enforce as much as they should. And, I'll use a real world example, not related to cybersecurity. When I watch the news and I see someone who double parked to go into the store, and they have their kids in the back, keys running the ignition. I'm just gonna go into the store two seconds to get one thing, and and then you see a story about this one opportunistic bad guy comes into the car, sees right there, see this chance or her chance, and gets away with the car, and then something bad happens. Like, when I see those stories, it drives me insane because, you're putting your life at risk, your family at risk, your your car at risk, and and potentially the the life of someone who's in the car for those situations. So it's all about, making sure you're not putting yourself at risk. So, with that said, we're gonna go into some some QA questions. We have some time here. Alright. So alright. One question here. Do you have any interesting security breach stories? Who wants to take that one? We've had a few. So one of the most memorable ones for me was a situation a couple years ago, where I was reached out to by a VCISO who indicated that they were seeing some weird traffic, a lot of, a lot of, abnormal flows to to and out of a certain access point. When they investigated through Meraki, they they actually found, like, a hot spot. They they realized where that that activity was coming from. They started shutting down, systems to determine what was the, what was the culprit. And so, essentially, what they found is that when they shut down the ATM machine, that activity was full of stop. That that that that anomalous flow that had been occurring, was cutting out. So while we investigated that, we found that the, ATM machine, had was rebroadcasting the private network. It was, it was, part of a Helium miner. My understanding is the Helium miner will, the more people that connect to that access point that's made public, the the more Helium you can generate. So through investigating that, we found that there was, we had identified the, anonymous user that was that was associated with that. But when we also found, those Helium points that he had access to, they were conveniently next to a, ATM machine across the the the East Coast. It's a good one. Thanks. Anyone else have any interesting stories on the panel? I'll add a a recent one that will always stand out to me is, one where, you know, they they often try to get credentials and and, you know, usually it's just from, you know, like, a directory database in Windows and that's all we need. But they were also getting browser credentials. So I thought of all these end users of this organization, maybe they were logging in to their Bank of America to cap text, you know, cable or something and it was their personal account. So, you know, it really bothered me. I wanted to make sure that everyone knew whose browser schedules were probably compromised, but also the amount of data that we're able to get. Tons of data, literally every single file that was compressed and exfiltrated as part of a ransomware event. So there's just that that there's just so much to come through and it was just a lot. But I'll I'll never forget that one. Thank you for that, Jennifer. So here's another question we received. Under what circumstances, if any, does law enforcement get involved in the event of a breach? Chris, do you wanna take that one? Yeah. So, obviously, Thrive can give you legal advice on on what, what to do in specific incident. However, there is a, there is a complaint through the I c three, which is through the FBI, which, talks about these breaches. Our recommendation on that is that you should confer with your counsel before making decision on whether you are required to do that or if you need to. It's not often it it sometimes organizations don't report the I c three, but if there is some reason that you are right right you are required to, then then you would, you'd have to confer with counsel to determine if that's an action you need to take. Sometimes clients don't go down that option because they are already in their investigation or they're not required to. It's it's a it's a it's an area that you just have to go with your, your breach counsel to determine if that's something you should take you should take action on. Again, some sectors require it, but you you really need to get that counsel that that determination from your counsel. Alright. Here's another question we have. What can the SOC team tell us about IRs and so responses they have worked and how the best way to prevent that is a response? That's a hard one because, obviously, we want to make sure that you have the most optimal coverage. And for me, it's not just about the monitoring control. Because let's say, in my world, I oversee the monitoring controls and security operations. But for me, just as important is the preventative controls. And, for example, if you're if you're protecting your home, I'm gonna go back to the example. I'm gonna I'm gonna run it run it dry. So is it enough to just monitor if someone opens up the back door, or do you make sure that it's locked? Right? You wanna have both, and you may wanna have more more than one lock. So it depends on how much how much you want to protect what you have and how much visibility, how much preventative controls. If you have Azure, do you have conditional access enabled? Do you have registered devices? Do you have multifactor authentication? But I'm gonna I'm gonna take a question and and maybe Jennifer or Olivia can take this one. I'm gonna take that take your question to understand, was there an example of an instant response that we handled where it could have been prevented and what could have the customer done to ensure that that same exact security incident didn't occur. So so I'll leave it to the panel. Any of you guys have an example? I I can one of the things I would I I give you an example, but I would say that, to to prevent an IR, you you don't know what you don't know. And the best way to actually get a to determine if you actually the best way to prevent an IR is to is to have adversarial activity, conduct your pen test, doing vulnerability scans to look for attack surface changes. But I would suggest, starting with a pen test and starting to secure some of those, those low hanging fruits before you, to help you, you're you're never essentially gonna prevent an IR. There's always gonna be a potential compromise. There's always a new exploit. We see that with the new direct set and exploits that are out there. That really surprised a lot of people. But you do closing closing the, the gaps through a pen test can help you basically reduce the impact to the to that to that incident. Right. What is the role of cyber insurance when it comes to security incidents? Jen, if you wanna take that, I I can take it. From with my understanding, you said, you know, they they act they advise their clients with regards to how to approach, you know, something like a ransomware event. You know, we we do work with them, from time to time on different cases. If you wanna add anything to that, Chris. Yeah. So a lot of times, the the the cyber insurance is really gonna be there to protect your organization as a whole. So, they're there to help, say say you have a data exfiltration, which app commonly occurs in a ransomware attack. They're going to provide you, the assistance you need to protect those users or or sorry. People that have, had data compromised or breached. They're going to provide insurance for for, monitored for them, But they're also there to kinda figure out what happened, figure out what the regulatory impact is, and what you guys need to report as well as, the, helping you, secure for the future. They're also gonna make recommendations of things you should have and and and move forward with, that they're there just to basically protect your organization. And that's fine. Go ahead. Go ahead. Those frameworks that are in place of what you should have, a lot of people think of that in terms of after an incidence occurred, what's covered. But it can be great to use that as a jumping off point as well of that. This is what is to be expected, what will be covered if an incident occurs. Here's the things you should have in place, and you can be proactive with putting those, measures in place before the incident occurs so that you know if you need it, the insurance will cover everything you need. You're spot on. Alright. So I'll go with another question here from from the audience. What is the name of the Thrive forensics client that needs to be preinstalled on machines? So we partnered with an organization called Binalyze. That is a solution that we use for that purpose. And for us, that's, it it's been a a game changer ever since we've partnered with VinylYze and implemented into our IR processes. So that is a tool that we use. And I will mention that it doesn't necessarily have to be a preinstalled. We can get insights using VinylLyze after after you've had an incident. So you didn't have retainer services with us. We potentially could help you through, security incident and reviewing that, that data. We can collect artifacts after the fact and and still give you some insights to what happened the same way that any other forensics firm could potentially do. Alright. I have another question here. Is there a case where Thrive, instead of response, will reach out to a client to trigger an investigation based on IOCs, indicators of compromise, detected by EDR? Yeah. I was gonna say absolutely all the time. The really big ones, they're gonna be very noisy in our EDR platforms. We we generally have an alert or per, a case for an alert. So there's gonna be multiple alerts, maybe like send somewhere because they're doing all kinds of stuff, moving laterally from machine to machine, trying to compromise credentials. And, also, we're gonna see evidence of file compression software as well as maybe some, software used for the extension. So I personally was on a case like this not too long ago where I saw all those things happening in one, and I immediately escalated the time I was a soft analyst, and I escalated the case. Alright. So we're gonna wrap it up. We're just about to end. So thank you very much. I did make a promise in the beginning that by the end of the webinar, you have a clear understanding of how security operations teams work together. So I'm confident you have gained that knowledge now. So, at least more. Thank you very much for joining today. Thank you, everyone. Thank you.