In this week’s episode of the Practical 365 podcast, Rich Dean and I were joined by Microsoft’s Andy Jaw, a senior Microsoft security specialist with a fascinating background spanning the military, law enforcement, and now cyber security. Our conversation followed on from our discussion with Alex Weinert in Episode 18 and centered on the critical topic of identity threat detection and response (ITDR) and how organizations can level up their incident response capabilities.
The Importance of Having a Plan (and Practicing It)
One of the key themes that emerged from our discussion was the importance of having a well-defined ITDR plan in place. As Andy pointed out, most organizations are sorely lacking in this area. It’s not enough to simply have a document that collects dust on a shelf – incident response plans need to be regularly practiced and updated to be effective.
Andy drew parallels to other types of emergency preparedness, such as fire drills and natural disaster plans. While these are mandated and ingrained in our organizational cultures, the same level of rigor is often missing when it comes to cyber incidents. Without clear compliance requirements, IT and security teams can struggle to get the necessary time and resources to properly plan and drill their response procedures.
Addressing the Human Element
Another topic we dug into was the ongoing challenge of human error in cybersecurity. The latest Verizon Data Breach Investigations Report (DBIR) found that over 80% of breaches involve a human element, rather than a pure technology failure. Despite years of investment in security awareness training, users continue to fall for phishing lures at an alarming rate.
As Andy pointed out, we’ve likely reached the limits of what training alone can accomplish. He believes the solution lies in implementing stronger technical controls and automation to mitigate human risk. By removing the ability for users to make critical mistakes, we can dramatically improve our security posture.
The Criticality of Active Directory Recovery
Our discussion also touched on the challenges of recovering from an Active Directory outage in a hybrid identity environment. While most organizations have some form of AD backup solution in place, Andy noted that few have actually tested the recovery process.
In the heat of an incident, IT admins can quickly become overwhelmed if they haven’t practiced the steps needed to fully restore a domain controller. Andy recommends not only having a backup solution, but also regularly testing the recovery process to build muscle memory and uncover any gaps in the procedure.
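A restore drill has to start from a backup that is actually usable, and the quickest thing to verify before a drill is whether every domain controller really holds a fresh system-state backup of every partition. The PowerShell below is an added example for this post, not something Andy or Microsoft published: it queries each DC with repadmin /showbackup, parses the last backup timestamp per partition, and flags anything older than a warning threshold or older than the forest tombstone lifetime (a backup past that age cannot be used for a supported restore). It assumes the ActiveDirectory module and repadmin.exe are available, the caller can query every DC, and that repadmin prints each partition DN on its own line followed by an indented dSASignature line carrying the timestamp as yyyy-MM-dd HH:mm:ss; the seven-day warning threshold is a placeholder for whatever your backup policy promises.

```powershell
# Added example (not from the podcast or from Practical 365): report the age of
# the last system-state backup recorded on every DC for every AD partition.
# Assumptions: ActiveDirectory module + repadmin.exe available, rights to query
# every DC, and repadmin /showbackup output in the shape described in the text.

Import-Module ActiveDirectory

# Backups older than the tombstone lifetime cannot be used for a supported
# restore, so that is the hard ceiling; warn well before reaching it.
$rootDse    = Get-ADRootDSE
$dsSettings = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime
# An unset attribute means the default, 180 days on forests created on
# Windows Server 2003 SP1 or later.
$tombstoneDays = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 180 }
$warnDays      = 7   # assumption: substitute the interval your backup policy promises

function Get-DcBackupAge {
    param([Parameter(Mandatory)][string]$DcHostName)

    $output = & repadmin.exe /showbackup $DcHostName 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ DC = $DcHostName; Partition = '-'; LastBackup = $null; AgeDays = $null; Status = 'QueryFailed' }
    }

    $partition = $null
    foreach ($line in $output) {
        $text = "$line"
        # Partition DN lines start at column 0 with CN= or DC=.
        if ($text -match '^(CN|DC)=') { $partition = $text.Trim(); continue }
        if ($partition -and $text -match 'dSASignature') {
            if ($text -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
                $last   = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
                $age    = [math]::Round(((Get-Date) - $last).TotalDays, 1)
                $status = if ($age -gt $tombstoneDays) { 'UNRESTORABLE' }
                          elseif ($age -gt $warnDays)   { 'Stale' }
                          else                          { 'OK' }
            } else {
                # dSASignature present but no timestamp: the partition was never backed up.
                $last = $null; $age = $null; $status = 'NoBackupRecorded'
            }
            [pscustomobject]@{ DC = $DcHostName; Partition = $partition; LastBackup = $last; AgeDays = $age; Status = $status }
            $partition = $null
        }
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) { Get-DcBackupAge -DcHostName $dc.HostName }
$report | Sort-Object Status, DC, Partition | Format-Table -AutoSize

$problems = @($report | Where-Object Status -ne 'OK')
if ($problems.Count -gt 0) {
    Write-Warning ("{0} DC/partition pairs need attention; see the Status column." -f $problems.Count)
}
```

A clean report only proves that a backup exists and is young enough to restore from. It says nothing about whether anyone on the team can actually bring a domain controller back from it under pressure, which is exactly the gap Andy is describing; treat this check as the first step of a drill, not a substitute for one.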
Interestingly, when it comes to cloud identity systems like Azure AD, Andy does not believe customers need a separate backup solution. He argues that infrastructure resiliency is the cloud provider’s responsibility. However, he does see value in third-party tools that can help quickly roll back inadvertent configuration changes or deletions in the cloud directory.
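Before reaching for a third-party tool, it is worth knowing what the cloud directory already gives you for the deletion case. Users, Microsoft 365 groups and application registrations deleted from Azure AD sit in a soft-deleted state for 30 days and can be restored with their original attributes and memberships; after that they are purged and gone for good (security groups have no soft-delete state at all, which is a gap a rollback tool can fill). The PowerShell below is an added example written for this post, not code from Andy or Microsoft: it enumerates soft-deleted objects through Microsoft Graph with Invoke-MgGraphRequest, shows how many days are left before each is purged, and wraps the restore call. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in account has Directory.ReadWrite.All or an admin role that covers restores.

```powershell
# Added example (not from the podcast or from Practical 365): list soft-deleted
# users, Microsoft 365 groups and applications in Azure AD / Entra ID and
# restore selected ones through Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication installed; caller holds
# Directory.ReadWrite.All or an equivalent admin role.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

$retentionDays = 30   # soft-deleted directory objects are purged after 30 days
$types = @('microsoft.graph.user', 'microsoft.graph.group', 'microsoft.graph.application')

function Get-SoftDeletedObjects {
    foreach ($type in $types) {
        # Single quotes keep $select / $top from being expanded by PowerShell.
        $uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/$type" +
               '?$select=id,displayName,deletedDateTime&$top=999'
        # Follow @odata.nextLink so large tenants are enumerated completely.
        while ($uri) {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri
            foreach ($item in $page.value) {
                $deletedUtc = ([datetime]$item.deletedDateTime).ToUniversalTime()
                $elapsed    = [math]::Floor(((Get-Date).ToUniversalTime() - $deletedUtc).TotalDays)
                [pscustomobject]@{
                    Type        = $type.Split('.')[-1]
                    Id          = $item.id
                    DisplayName = $item.displayName
                    DeletedUtc  = $deletedUtc
                    DaysLeft    = [math]::Max($retentionDays - $elapsed, 0)
                }
            }
            $uri = $page.'@odata.nextLink'
        }
    }
}

function Restore-SoftDeletedObject {
    param([Parameter(Mandatory)][string]$Id)
    # POST /directory/deletedItems/{id}/restore returns the restored object.
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$Id/restore"
}

$deleted = Get-SoftDeletedObjects
$deleted | Sort-Object DaysLeft | Format-Table -AutoSize

# Example action for a "someone bulk-deleted accounts an hour ago" incident.
# Uncomment to restore rather than just report; tune the window to the event.
# $deleted | Where-Object { $_.Type -eq 'user' -and $_.DeletedUtc -gt (Get-Date).ToUniversalTime().AddHours(-1) } |
#     ForEach-Object { Restore-SoftDeletedObject -Id $_.Id }
```

The DaysLeft column is the number to watch: once it reaches zero the object is unrecoverable by any tool, so a deletion noticed late is the scenario where native soft-delete alone is not enough.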
Establishing an Emergency Operations Center
Finally, we explored the concept of an Emergency Operations Center (EOC) and how it differs from a Security Operations Center (SOC). While a SOC is typically focused on the technical aspects of incident detection and response, an EOC serves a broader coordination function across multiple departments.
Andy shared some best practices for standing up an EOC, including:
- Clearly defining the criteria for activating the EOC
- Identifying key representatives from each major business function (e.g. IT, security, legal, HR, communications)
- Establishing a secure physical command center location
- Planning out primary and backup communication channels
- Delineating roles and responsibilities between EOC leadership, incident commanders in the field, and executive decision-makers
Hearing Andy break down these concepts, it struck me that many of us in IT and security could learn a lot from the military’s approach to command and control in crisis situations, and that none of it depends on investing in the latest and most advanced security products. As Andy said on the show, many of the fundamentals come down to good planning, cross-functional coordination, and regular practice.
We offer a big thanks to Andy Jaw for sharing his deep expertise and thought-provoking insights. Be sure to subscribe to his Blue Security Podcast for more great content on cybersecurity strategy and operations; and of course we’ll be back in two weeks’ time, when we’ll be joined on the show by Copilot expert at Microsoft (and Practical 365 author) Karin Skapski.