Comments on Windows Incident Response: What's the value of data, and who decides?
Feed updated: 2024-03-19T07:46:20.437-05:00

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2016-06-06T05:56:14.591-05:00

Daniel,

Thanks for your comments...very illuminating.

"... i feel an analyst should be responsible in understanding the data as best as possible. But this is more of a personal feeling, not everyone will seek further understanding of the data/artifacts..."

I'm afraid you're right.

"...i don't think that should stop further release of research or information on new data/artifacts."

I agree that we shouldn't stop releasing new research...not that there's a large group of analysts doing this, really...but I am concerned about the quality of work as new tools (released as part of that research) are being used by analysts, and the (misunderstood and misinterpreted) data is being reported on.

43nsicbot (https://www.blogger.com/profile/10129306415286340173), 2016-06-01T21:42:52.267-05:00

Hi Harlan

In my opinion I feel it is a little bit of both, the client\business and analyst's responsibility to put value to the data. I think that when the client or business (if working in an enterprise) provides a set of questions that they feel should be answered, it is because they feel it is important to them. Now to us as analysts, perhaps we may encounter questions that seem a little far-fetched, perhaps due to lack of technical understanding, and I think as analysts we should help them in providing guidance and scope with their questions.

In regards to interpreting the data, I feel an analyst should be responsible in understanding the data as best as possible. But this is more of a personal feeling, not everyone will seek further understanding of the data/artifacts, but I don't think that should stop further release of research or information on new data/artifacts. If anything I think that is an indicator of analysts that maybe go after "shiny new things".

As far as reporting, for an enterprise, besides the questions set by the business I feel an analyst should also set their own questions and goals and report on additional findings if time permits. Consulting is different and I cannot fully offer an opinion given the lack of experience in this realm. But perhaps providing a good statement of work or a conversation with the client stating what should happen if an analyst finds hints of additional suspicious activity besides what they are being asked to investigate would suffice? And additional charges? Maybe? Hopefully someone else can interject their opinion on this.