Incident Response And Compromise Recovery - Part 1

Captions
Hey guys, and welcome to the show. I have Jim Muller with me today. Hey Jim. Hey, how you doing? Looks good, man. So what's your role?

So, as a 20-year veteran of Microsoft I've had quite a few roles. About 18 of those years I've been involved in some way, shape or form with security, so now is kind of my time. Security wasn't something we really thought about 20 years ago, and now, after 20 years, it only took me 20 years to become one of the cool kids on the block. So today I work for the Cybersecurity Solutions Group, the group within Microsoft where we're consolidating a lot of our cybersecurity excellence, both in product and in incident response, responding to our customers. Specifically within that group, which is led by Ann Johnson, our CVP, I'm on the Detection and Response Team, which is our externally facing incident response capability that we offer to our customers via the Premier contractual vehicle.

Wow, that's awesome. So I understand you've got some slides you want to share with us today.

Yeah. What we're going to be talking about: as a lead investigator I lead engagements with all kinds of customers out there, medical, manufacturing, banks, government. So what we're going to talk about is, first of all, what is our differentiator as Microsoft in the way we approach incident response, and how is it faster and more effective than some of our competitors. Not that our competitors do anything wrong with incident response; we just take a different approach to it, feeding the goals of mitigation and recovery. So we're going to talk a little bit about how that works and how that plays into a greater ecosystem of how to respond to an incident. And then we're going to talk about some things that are going to be, I think, quite interesting and shocking: what exactly are our customers doing and not doing that is leading them to be exposed to these newer cyber attacks, which we're going to find are not that new. Some of the motivations are different, some of the techniques for initial entry are different, but I think what you're going to find is that some of the root causes, things that we have been preaching to our customers for many years, are still, at the end of the day, those that are allowing these customers to be compromised.

Wow, that sounds awesome. All right, well, let's get started.

Fantastic. So when we talk about having a cybersecurity situation or incident, really we are talking about two separate phases that you're going to need to go through. Phase one is the incident response, or investigation. That's what we traditionally think about when we do cybersecurity incident response, but that's not it; there's a second phase, where we have to actually deal with the results of that investigation. So the IR, the incident response, the first phase, is just that: it's investigation. What happened, how did it happen, what are the remaining persistence mechanisms that the attacker either is using or can use to come back into the environment? The data collected from the investigation is gathered to hand over to some sort of recovery process. Now, our outputs are very well suited to the Microsoft Consulting Services compromise recovery offering; however, the data that we produce really can be used in any recovery process, whether you want to attempt to do the recovery yourself or you have some other third party that's going to help you with that recovery process.

Now, the one question that we always get is: well, what if we have an active attacker running around during the course of the investigation, are you just going to let that go? Well, of course we're not going to let that go. Now, there is a school of incident response thought that when you're doing the investigation you don't want to taint the results or you don't want to tip the attacker off to what you're doing. That really is an outdated line of thinking in today's threat landscape. Quite honestly, the attackers don't care if you're on to them or not; it's really not going to change their behavior in any significant way. And how can you really allow data to be flowing out the door, or allow a ransomware or destructive malware attack to perpetrate across your environment? We just can't allow that to happen. So in the course of an incident response, if we find an active attacker during the course of the investigation, we of course are going to apply mitigation steps to contain and stop that attacker and stop whatever they are trying to do. Now, we have to caution, however, that in no way is that a recovery process. That is a tactical emergency mitigation step. You still need to follow up the incident response with some sort of organized recovery process to operationalize whatever we happened to do in the incident response, if we went beyond investigation, and go further and harden the environment and recover positive control of the environment from whatever the attacker did.

So there's a real difference between what we hear is going on in the cyber threat landscape and what is actually going on in the cyber threat landscape. We see great headlines both in the popular press and in the security trade press: we have the ransomware, we have the phishing, we have billions of records exposed. So we're seeing the consequences of the cyber attack, but we're never really talking in detail about what was the root cause that allowed that attack to happen. And so we believe, based on the outcomes that we see from these cyber attacks, that all of these techniques and the attackers are innovating and doing very sophisticated things and they're really progressing the art, which is really not the case. We're going to talk in a couple minutes about what's really going on. The same basic mechanisms of attack have not fundamentally changed in the last ten years; however, motivations, what the end goal of the attackers is, and how they monetize things as an attacker, that really is what has actually changed in their goals, and we'll talk about how that manifests itself as an attack progresses. But really, what in your architecture is allowing this to happen?

Well, our own CISO, Bret Arsenault, bases Microsoft's security posture on basically three things, if you boil it right down. He calls it the three-legged stool, and if you take away any of these legs, of course the stool is going to fall over. The reason we take this kind of security strategy is that, for all practical purposes, Microsoft, as well as most large and even medium enterprises, are perimeterless. We can't depend on traditional perimeter network physical security to protect our environment, because we've promised a perimeterless world to our users. We've promised that you're going to be able to get your data any time you want it, wherever you are, on whatever device you happen to have. So that destroys the perimeter of our network that traditionally has allowed us some semblance of control and protection. We still have to have that; you still have to have that. The attackers expect you're going to have a basic competence in perimeter network security; we've been doing that for 30 years. But that's not what they're concentrating on, and that's not what they're attacking. 95% of what we see in incident responses really boils down to a couple of basic things.

First and foremost, ever since credential theft became a thing about ten years ago, where I could actually steal NTLM credentials directly out of memory and replay those credentials across the environment without providing the password, it's basically been a cornerstone of attacker behavior. So protecting administrative credentials, protecting identity, that's the first leg of the stool: identity. Not only protecting administrative identity, which is the most critical, because if I compromise administrative identity I automatically get everything else, but also protecting individual identity. That limits the attacker's ability to initially gain entry into the environment, or at least limits them to what you have available to you with your identity. So that's the first cornerstone: identity protection.

The second thing is protection of data, classification and protection of data, and we've known that for many years, but we take it one step further in that we don't treat all of our data equally. Because of that, there are rules surrounding under what circumstances and conditions I access my data. Microsoft has a reputation for naming things ridiculously over the years, but this is one thing that is named very concisely and specifically: in O365, conditional access. Now, in that case it's talking about under what conditions I can access my email, but take it as a concept beyond that: the conditions by which I can access data. What kind of device are you coming from? Where are you coming from? Are there any concerns about the way you are coming in? Have I seen a logon here and then another logon there, and you couldn't possibly travel that, impossible travel? So the different conditions by which I can access my data, and how stringently I'm going to hold you to those conditions. For some data I might not care; I've got one anomaly in your identity, I'm not necessarily going to stop you from accessing this classification of data over here, but for more sensitive data over there you need to meet all of the qualifications of identity before I'll let you get to that. So there's much more around management of data that realistically warrants its own podcast in itself, but that is one of the cornerstones: data. And the secret to that is we don't treat everything equally. If you treat everything equally we end up diluting our security ability rather than concentrating on the things that actually happen.

And the third thing is device health. I can control device health, whether I have an Active Directory domain-joined device, Intune or SCCM managed, or even third-party management of my patch status and the health of that device, and of course mobile device management, management of the health of those devices. And once again, if I don't come in on a Microsoft-managed device with my health assured, then I'm not getting access to certain classifications of data, or I'm not let in at all.

So when we translate that to a larger picture, most of our incident responses come down, from the initial entry into the environment, to two things. People still not managing administrative identity: we published the pass-the-hash white paper, version one and version two, almost nine years ago, and if we did those fundamental things in those white papers from ten years ago (note, no technology involved there; it's process and how we approach application of administrative identity) we would cut the legs out from under a vast majority of the current mechanisms of attacker behavior. And then secondly, even older than that, we've been talking about patching. Even older: patch your stuff. And the reason is, well, we find a vulnerability, either us or a third-party product, and we patch it. What's the big deal? Why are you still talking about patching? Because you have to actually apply those patches, and not only apply those patches but apply them relatively quickly, because when a patch comes out you are not the only one who's downloading that patch. So is the attacker, trying to see if that patch is something that is exploitable and that they can weaponize, and the speed at which they're able to do that has dramatically increased over the years. It used to take weeks to reverse-engineer a vulnerability or a patch and figure out how to weaponize it; now it can be as little as 24, 48, 72 hours and they can weaponize it if it's a good one. And so every month when patches are released, both ours and third-party products, the attackers are quickly looking at those and seeing, is there anything in there that's going to be worth us reverse engineering? Like an escalation-of-privilege patch, anything that I can connect to with unauthenticated access, spoofed certificates; there are all classifications of things they're looking for. There's not something every single month that they're going to be able to use, but if there is, the speed at which they can weaponize that is probably way faster than you're actually patching your environment, giving them a window of opportunity to attack and take advantage of that.

So that being said, our team deals with those situations. Our team is designed as our customer-facing, externally facing incident response capability. Now, the really important thing, and we're going to talk about this at the end, about how you access our services: we are under Premier paper, we are under Premier agreements. That is extremely important for you, meaning you basically already have the contractual framework in place to engage us, and quickly engage us, and we can come and help you with incident response. We like to say that if you have a Premier agreement you basically have incident response capability on retainer. And you may even say, well, wait a minute, I don't have enough money in my Premier agreement, my Premier account, to cover this. We don't worry about that at the onset. If you basically agree that you want our services, we start the motion quickly and we figure out all of the balancing of the accounts in the end. And so we'll talk about how you do that engagement, but just keep in mind right up front, you already have contractually in place what you need to engage us, with no additional lengthy paperwork or contracts. So that's really, really good.

And so we are designed to respond to security incidents and help our customers become more cyber resilient. You see all these icons at the bottom: when we do incident response we bring a multitude of skill sets into the environment to help in the situation, and generally these are on-site engagements. We have lead investigators, we have threat hunters, we have infrastructure consultants, who help you get the infrastructure in place necessary for the investigation, plus if there's any immediate remediation activity that has to happen we can quickly help you with that as well. Reverse engineers, we have cloud analysis and forensics, so we really have comprehensive skill sets that we bring to bear on your particular situation.

So what makes us different? How do we do what we do? Microsoft does not do traditional forensics. Traditional forensics is not a bad thing; there's value in traditional forensics, but it doesn't really feed the goals that we have, to rapidly determine what is causing your environment to be compromised, to be able to feed those things to the compromise recovery team so they can start formulating a rapid-onset recovery plan for you. But if we also find an active attacker in your environment, we are not going to stand by and watch data flying out the door, and we're not going to let your environment get burned to the ground through ransomware or destructive malware. If we come in and we see them setting up for that, it hasn't happened yet but they're setting up for it, we're not going to let that happen. And if you're in the midst of a ransomware attack, we can help you rapidly return to service through containment and by rapidly trying to help you reconstitute your environment. The old thinking that if you have an actor in your environment I want to stay quiet, we don't want to change anything, we don't want to do anything because we'll tip the attacker off and they'll do X: well, realistically, that never was really the case. There were a couple of rare circumstances where an attacker would actually respond to your actions in an even more destructive way, but that's not really their goal. They don't want to throw away their investment in that attack by doing something harsh or rash. And so you say, well, they're going to go underground, they're going to be quiet, they're going to stop doing what they're doing. Our investigative model accounts for that and tries to root them back out so we can find out where they are. So with our approach there is no downside to acting if the attacker looks like they're going to do something damaging. Now, if we find the attacker has been there for 200 to 300 days and they're basically in maintenance mode, well, yes, there may not be a good reason to really be aggressive with them at that point, and we leave that to the more comprehensive compromise recovery. Because if we have to do attacker containment, it is not the end of the journey. We are doing tactical maneuvers to stop that actor activity and to ensure we have increased detective capability so that we can see the actor's activity in more resolution, but that is very tactical in nature. That is not going to fix the core elements in your environment that allowed that to happen in the first place. That's where you go to compromise recovery, where they more comprehensively deal with the root cause issues that allowed the attack to occur in your environment. So we like to make that very clear: even if we do attacker containment during our investigations, our primary function is investigation, and turning that investigative information over to you, which you then share with our compromise recovery team if you wish to engage their services. It is not primarily to re-architect your environment or do anything unless it is an emergency situation.

Now, what makes us different from traditional forensics? I said we don't do traditional forensics. So for example, if you want a forensically sound image that you can share with law enforcement, we don't do that; that's not what we do. All of our techniques and tools do not produce those chain-of-evidence, forensically sound elements that law enforcement may want. In 99% of the time that's okay; that never stops us from what we're doing. Our superpower in this is twofold. Our first superpower is we're the factory team: nobody knows this environment better than we do. Our second superpower, almost, I would say, even greater than that, is that we are not coming to you as Microsoft necessarily saying hey, we're so smart, do this, do that, because we said so, because we're so smart. We're bringing the experiences of all of the other customers that have been through very similar circumstances to yours, and we have a volume such that no matter how big you are, no matter how small you are, no matter how sophisticated you are or possibly dysfunctional you are, you're generally not going to be that unique, because we have probably seen somebody in very similar if not exact circumstances to yours. And so we know what was a good use of our time, what was a bad use of our time, what was effective and worth it, what ended up being not effective. So we can help bring the lessons learned from other customers' experiences to make your experience as good as it gets in these kinds of circumstances.

So the way we do this is, first and foremost, we use data science. Instead of a traditional forensic approach, where we start with something that we know is bad and then we work out from there following the trail of breadcrumbs, which is a slow and arduous process (it has value, once again, don't get me wrong, that approach has value, and in fact if you're already doing that, or you have somebody and they're doing that, our approach is complementary to that, so it's not one or the other per se), our approach is we cast a wide net throughout the entirety of the environment, and then we use data science to compare your environment against itself, looking for anomalies, and then we start narrowing down on those anomalies and looking at them in depth and in detail.

The primary tool that we use to do that is a proprietary run-once scanner that we've developed over the years called ASEP. It very generically stands for auto-start extensibility point, because when we started doing this ten years ago or so, that's what we actually did: we would use Autoruns from Sysinternals, we dumped everything that starts when Windows starts up, and then we'd look at the things that we didn't know what they were, and we'd narrow down on those outliers. Well, we still do that; that's still in this more comprehensive tool, but we do many, many other things. We look at certificate signing, we look at things running out of unusual locations, we're looking at scheduled tasks, and we're looking at all kinds of things. And then we collect this data. It's very quick. It's limited to one core, one process, so it's not going to slow your machine down; nobody's going to know anything happened. So we have you deploy this tool across your entire environment, and then it brings the data back to a central share in your environment, and then uploads it to an Azure storage blob, where it gets put into our back-end analytics engine, where we do analysis on it looking for anomalies, looking for outliers in your environment. And if we find something we'll have you collect samples of that, or if it's a machine we're particularly interested in, we have a Windows online forensics extractor, it's called WOLF, that will look at volatile data on that machine, trying to build a timeline of the activities that we're interested in, and then we bring that back in for further analysis.

We can do this relatively rapidly. The vast majority of our engagements are five days, and we can process about 50,000, five-zero thousand, endpoints per five days. Now, sometimes we can do more, sometimes, depending on your situation, we can do less, and we scope this, as you'll see when we actually engage with you, to exactly what we're looking at. But the vast majority of our engagements is that five days. Now, if it goes longer we do have additional SKUs that are just a little bit less if you go a second week or a third week, but those are rare. Generally, if we don't have to do attacker containment, most of our engagements are one week, which is unheard of. If you've ever been through an incident response, having a complete analysis within one week is unheard of. Well, how can we do it so fast? Because we're using this data science approach, and our goals are to get those things necessary for formulation of a comprehensive recovery plan.

Now, we had a hole in our process that we discovered a couple years ago, in that attackers haven't generally innovated very much over the last ten years, except they've been adding to their toolbox for their general approach. So we all know about credential theft and we all know about this and that, okay, great. They generally relied on malware to do those things, and they still do, for their initial entry into the environment, rely on malware. But once they're in and they have a foothold and they start moving around, they abandon that malware and they start using malware-less techniques. This is really their only innovation over the last few years. So they'll start using PowerShell or WMI or PsExec or other techniques that never really hit disk; they run in memory, and so no AV is really going to catch this. So our ASEP wasn't catching it either. DLL sideloading: taking a bad DLL and loading it into a legitimate executable, running malicious processes, but the executable itself is absolutely fine. AV doesn't do well with that, and ASEP doesn't do well with that. So what is our line of defense there? Well, we decided that we were going to develop technologies to look in memory and watch the process stack and look for these things. We thought about this for a while, but then we realized we're not as smart as we think we are, because Microsoft already has a product that does this, in Microsoft Defender Advanced Threat Protection. So we decided that in customers that do not have Microsoft Defender Advanced Threat Protection, we would tactically deploy Defender ATP under a trial license for the purposes of investigation. So we do that now, and we are very good at doing it rapidly. In fact, if it's Windows 10 or Server 2016 and above, it's no big deal: we basically set the tenant up, we send out a GPO to have the operating system point to the tenant, and it's done, because the machinery to feed telemetry into Defender ATP is built directly into the operating system. If you still have some Windows Server 2012 and so on and so forth around, you can also install the MMA agent that will also report telemetry up into Defender ATP, although not quite as comprehensively. This is what allows us to watch the endpoint at the process execution stack, looking for things like, hey, I see Outlook cranked up a command prompt, which ran a base64-encoded PowerShell. That's not right. None of that hit disk. It was our threat intelligence and machine learning that saw that and knew it wasn't right, and it's going to raise it as a high-acuity alert and, depending on your configuration, could also stop it. So we use that as a core piece of our investigative capability, because we also have access to the advanced hunting platform, where we have additional queries with which we hunt in your environment and find things through manual techniques from our analysts.

So then we're patting ourselves on the back and we're thinking we're pretty smart, and then we realized, wait a minute, 90-plus percent of our incidents are identity attacks, and really looking at things from the endpoint is not catching those identity things. And so then we also decided, if you don't have Azure Advanced Threat Protection (which is an example of Microsoft naming things horribly, because yes, it lives in Azure, but what it's really doing is watching your on-prem domain controllers and Azure Active Directory for anomalous logons, specifically anomalous administrative logins, and other things like pass-the-ticket Kerberos attacks, golden ticket Kerberos attacks, all kinds of other things related to identity and administrative access to the environment), we decided to tactically deploy Azure Advanced Threat Protection also. So realistically we're squeezing the attacker between this data: the one-time scan data, the data collected at the top through Azure ATP on your administrative identity, and then the endpoint telemetry coming from Defender ATP on the bottom. We're squeezing the attacker in the middle. And so once again, this sounds like a lot, but we are very good at getting this done very quickly. In fact, if you call us for an incident response, while our people are in the air coming to you, we're working with you remotely over the phone to get these tools deployed and get things set up so that we have data flowing once we arrive and can make best use of our on-premises time.

Another reason that we're so fast in identifying this stuff is that modern detection really leans on and relies upon threat intelligence and endpoint telemetry, and nobody has more of that than Microsoft does. So that really is a force multiplier in our capability, allowing us to identify high-acuity risks relatively rapidly, even if it didn't happen in your tenant but happened somewhere else, because that data lake in the back end is offering protection for everybody; it quickly covers protection for you as well.

And then, we talked about this a bit: if you have an active attacker in your environment, we actually will do containment. What does that actually look like? Basically resetting or blocking administrative accounts, targeting certain AD attributes for hardening, implementing MFA if it's in the cloud and certain identities are at risk. It's really a case-by-case basis on what we do. If it's ransomware we might be doing less investigation and more recovery of your environment, so that you can start that restoration process. So that really is bespoke and custom to the particular situation that you're in. So just to be clear once again, our piece of this pie is the detection and response. Protection and recovery really are in the purview, if you want Microsoft assistance for those things, proactive protections and recovery following the cyber incident after the investigation, of Microsoft Consulting Services, in the offerings that are going to be talked about.

So the trends: actors are well resourced and they're determined and they're professionals. These aren't amateurs. They have timelines, they have goals, they have return-on-investment goals, and so when they look at you, they're looking at you from a cost-benefit analysis. And so, once you have one of these attackers, it's really one of our goals to figure out what their motivations are, so we can make it less attractive for them to stay or to continue to deal with you. From the defender standpoint, most IT environments have still not implemented the stringent protections around administrative identity and protecting those administrative identities. And also, we talked about Microsoft Defender Advanced Threat Protection as an investigative tool that we use, but let's talk more generically: as a technology that enterprises need, enterprises must have endpoint detection and response capability, EDR, whether it's ours or third-party. We have to be watching the endpoints at the process execution level, especially because of these malware-less techniques; AV is not enough. So if you're spending a lot of money still in core physical networking protections, we have to look at what the actors are actually doing and start investing in those technologies to combat what actors are actually targeting these days, which is identity and malware-less techniques.

So this slide shows the lack of sophistication of the attackers, but they're still able to make it work. The vast majority of attacks into environments are still starting with spear phishing, because they know, and we know, and everybody knows, that no matter how good your defenses are, no matter whose technologies you're using, there's going to be some phishing that is still going to get through and get to end users, and no matter how much education we do for end users, somebody's going to click the link. So you will always lose desktops, okay. Now, with proper techniques, with proper architecture and proper detective and protective controls, we can minimize that, and that's what our goal is. A random end user, to an attacker, should not be very valuable to them, but it is today with a lot of organizations, because they're set up where once I get one random user I'm able to laterally traverse and get more random users and then create an attack net that allows me to wait for an administrator to log into one of those affected machines and then privilege escalate. That is 95 percent of what we see: spear phish in, laterally traverse, somebody with a valuable identity logs in, and then there you go, guess what, I've lost my administrative identity to the system. Because the fundamental fact is we are always going to lose sheep to the wolves, but when we start losing shepherds we've got a huge, huge problem. And so those core fundamentals of identity protection and protecting against lateral traversal are really still fundamentally important.

So wait a minute, this is not what I'm seeing. You're saying it's the same thing for the last ten years, but that's not what I'm seeing in the news. It is, okay. The techniques to get in and get control of your environment are fundamentally unchanged. Yes, we have a new attack surface with the cloud, so if you're not multi-factoring your O365 or cloud-facing identities, you're just making it easier for them to go ahead and take advantage of newer techniques like password sprays against that cloud authentication edge. So we need multi-factor, and we need to get rid of legacy authentication on that. But still, it's fundamentally an identity attack. What fundamentally has changed is cloud-facing identities. We also have some malware-less techniques. The other thing that's relatively disturbing is actually a rolling back of sophistication, where attackers are relying less and less on bespoke custom malware developed directly for you, the advanced persistent threat that we always hear about, the APT, where we're looking for malware that was created just for you. Well, that's not the attacker's first line of entry anymore. They try to use commodity malware that two years ago we would have said, oh yeah, this is irritating, you need to take care of this, you need to figure out why your AV is not cleaning this up, but it's not fundamental to our investigation of an advanced persistent threat. Okay, well, those same malwares, Emotet, Dridex, TrickBot, that we would have said, hey, you need to deal with that, a couple years ago, well, now they're being used by attacker groups. So now when we see these commodity malwares we can't immediately discount them. We have to think to ourselves, okay, is this a precursor, or is this the first step to a more sophisticated attack? Because remember, malware is disposable now. I just use it to get in; once I get what I need, then I don't care if you discover it and disable it. I switch to malware-less techniques and I'm running in memory for the most part, and I'm not hitting disk anymore. So that's really the only innovation: they're using cheaper stuff, so they can lower the cost of attack for themselves. And then the other thing is they've changed their economic model. The traditional, which we still do see, the traditional advanced persistent threat approach is: I'm going to get in, I'm going to stay quiet, I'm going to find stuff that's valuable, I'm going to exfiltrate it, and then I'm going to sell it on the secondary market, or as a nation-state I'm going to keep it as stolen
intellectual property okay that still happens but these ransom wares and destructive malware as you're seeing how do you think those happen exactly the same way spear phishing laterally Traverse privilege escalate but then instead of do your traditional apt approach they decide to throw in industrial-scale ransomware or if it's politically motivated they'll throw in destructive malware to take your environment down so they've simply changed their economic model so the criminal gangs are like hey you know what it's so cheap to do this I'm gonna go ahead and I'm gonna throw ransomware in there and even if only 15% which is the current statistic even if only 15% of victims pay I'm still getting more money faster because it's direct monetization to my Bitcoin wallet I don't have to wait to sell this data on the secondary market and I'm doing this in bulk so I'm gaining money by volume rather than by depth such as an apt so it's just a change of economic model and philosophy of how am I gonna monetize my attacks so that is the fundamental truth there now we are seeing a couple innovations that 5% I know somebody out there is asking well what's the 5% we're seeing things like web shells hitting your external web edge but once you get a web shell on something what do they do they're flip into an identity attack because I use that web shell to capture identity and then go forth from there we're also seeing things like supply chain attacks where they're trying to pivot into your environment through interconnections with suppliers and b2b partners so that's also a big concern that if you're - if you're if your environment is too hardened and it's too expensive to attack you directly I'm gonna go to the weakest link in the chain I'm gonna attack one of your supply chain and I'm gonna try gain entry to the data or whatever my goal is to your environment via that supply chain so those are some of the other innovations that 5% that we see are these innovative things and every 
once in a while we will see a physical network attack because something you know very very wrong was was exposed in the environment but those are very rare because once again we've all been doing perimeter network security for for 30 years and so that's not a very attractive target - two attackers these days so how do you get a hold of the detection and response team here's the point this is the important part this if you have a problem the first call if you think you have a cyber problem the first call you should have is with your Tam your Tam is the most important part of this process now there are times where you have a security problem you think ah this is not that big of a deal call into CSS support okay you call it a CSS phone support now they are connected you know with ours that process-wise are connected with our organization if they see this is a bigger problem than you believed it was then we get a get a triage session set up and then we take a look at it as well so you know your Tam is not the only entry mechanism if your tamps not available or you don't don't think it rises to the level that you have to talk to your Tam if you call it a support case on a security situation don't worry those folks on the other end of the phone know exactly what to look for that if it's a bigger concern that you might need an incident response and engage that our team they absolutely will be involved with that process and then what happens after that is that between the Tam phone support and our team we start scoping the situation and schedule resources and align all of that sort of thing which happens if we find that it's an incident response level problem that stuff happens very very quickly we have cases where we can get people there you know next day if your even closer than that you know rarely we can get there same day but usually within a day or two we're on site and we're good to go but once again while we're in transit they'll things not happening we are working 
with you to get things set up in preparations done while we are all in transit and flight to get your to get on to your site and we have we have members all over the world every region of the world so we are well covered to get to most customers relatively quickly all right yeah and you guys you guys do a great job I had an incident with one of my customers about 10 years ago and it was a different team right it was it was pre you I think for you guys but we can't they came out they you know did an entire environment assessment they figured out what was they they figured out how the breach had occurred and they help my customer solved it solve it and it was a painless experience for the customer it was awesome as painless as it can be painless yeah of course the breach was painful but but the resolution was you know like you said as painless as it could be Wow Jim that was awesome thank you for doing that you're welcome portent that we understand where we can actually advise and help our customers not only that we have help available to them but as you saw in the presentation there are three or four takeaways that we could take to our customers say hey listen I know this might not be you know the most glamorous thing on the block but this is actually what's getting customers in trouble we need to reevaluate some of these fundamentals to help you well I certainly appreciate it I really enjoyed the presentation do you know Kate Proctor I am super excited that kate is going to talk about you know we talked about the doom and gloom we talked about you know what's happening and you know the dart team does do some rapid mitigation to stop act of cyber attacks but that is in no way definitive in what customers actually need I am super excited that cait's gonna follow up on ok what do we do about it what's the next step to becoming whole in the security space well she's coming up next say hi Kate hey Kate I'm super excited about what you're gonna have to say
Info
Channel: Taste of Premier
Views: 1,353
Rating: 5 out of 5
Id: -zsuDhVGHn4
Length: 41min 38sec (2498 seconds)
Published: Tue Jun 09 2020