Comments on Windows Incident Response: Responding to Incidents

H. Carvey, 2010-03-26T14:36:42.329-05:00

Colin,

Thanks for the comment.

Please don't get me wrong...what I listed are just three of the myriad of possible scenarios. The more scenarios that we make available, perhaps the more folks will realize that they need IR capabilities and services.

Colin Sheppard, 2010-03-26T14:26:43.873-05:00

Thanks for the link to Lenny's presentation. Very informative and well written for a broad audience.

Unfortunately, there is often a 4th scenario.

At least from my perspective, most breaches are not detected by the breached entity, but by a regulatory body that requires a 3rd party firm conduct an unbiased investigation. Regardless of the breached firm's IR maturity, the breached firm is often most interested in avoiding potential fines handed down by this regulatory body.

Instead of working in parallel with the 3rd party IR firm, they intentionally work against them. While this reasoning is usually self-destruction in the end, there is an intentional attempt to a) destroy potential evidence of the breach b) meet compliance standards before the 3rd party firm begins their investigation.

When a firm takes the above mindset, they are intentionally avoiding proper IR procedures, such as preserving evidence. For these firms, there needs to be incentive to actually follow proper IR procedures.