
Okay, so I am still on, you can hear me on this side, on the recording side? Awesomeness. Okay, so for those that don't know me, I'm Jake Williams. I'm the founder and president of Rendition Infosec. I work for SANS; I think some of you I've met there, a couple of you who I've met there. And I work with IANS as well, the Institute for Applied Network Security; I'm on the faculty there. And let's see, I used to work at the NSA and all that stuff. But look, dislikes: I hate the whole idea of people calling themselves thought leaders, right? If you have to tell me you're a thought leader,
you're not. I think we can just go ahead and clarify that now. Blockchain. Blockchain is my number one, like top thing I hate at the moment. It has to be blockchain. There are definite uses for blockchain, but the vast majority of use cases that we're seeing today are not really use cases for blockchain, and so anyway, it doesn't need blockchain. It's either a solution without a problem, or in some cases blockchain the technology can't overcome the policy problem that it's trying to drive. So anyway, I'll get past that here and kind of chat about, you know, a couple of things that we've been dealing with, and I'll mention kind of

the onus for this talk. Actually it's Atlanta, right? It's Atlanta and some of the other stuff that we've been dealing with. But I'm looking at the Atlanta ransomware event, and I believe the accounting now is up to 17 million dollars for the Atlanta ransomware event. Now I want to walk through why that's garbage, right? I mean, for lots of reasons, right? But I want to talk about, and I'm not gonna pick on the city of Atlanta, I want to be clear about this, the one and only time, well, probably not the only time, but I don't have dedicated slides to, you know, rip the city government and talk bad about them. I mean, we certainly could, we could do a
whole presentation on that and how the response was poor and a lot of that. But again, you know, for me, I want to spend a little bit more time instead talking about the overall problem that we're seeing in the field, so that it's not just about the city of Atlanta, right? Because I don't want you to walk away here thinking that, well, if we just fixed that one dumb government in Podunk, Georgia or whatever... wait, I would... never mind. So if we just fixed that one government, everything's going to be okay. It's not. We do a ton of incident response at Rendition, and the things that we're seeing the city of Atlanta try to pull off with inflating their
costs, we're seeing other people do. We see people inflate and deflate. So, you know, we talked about this problem a little bit, and as I was chatting with other folks, a couple of principals in Rendition, about how do we deal with this, right? What are we, you know, how would we tackle this kind of problem? We all had horror stories, like, hey, remember that incident we worked where they tried to claim X or Y? I'll walk through a couple of those stories there because those are pretty cool, where they tried to claim a particular cost as part of the breach, and so as part of the incident cost, incident response
costs. And so we want to kind of walk through some of those, and it basically came down to a more central point. It's really not just about the problem of incident response cost reporting in the first place; it really comes down to data, all right? And unfortunately we have a couple of problems in InfoSec today, all right, more general problems. I'm going to talk about those.

First: is InfoSec a science or a religion? Yes, exactly right, yes. And after that I'm going to talk about the problem a little bit, the problem overall, the more specific problem, not the data problem. When we talk about data problems we have two
problems: not enough data, and bad data, right, or inaccurate data, or not normalized data, etc. So I want to talk about some case studies and ridiculous breach costs, talk about the framework overall, kind of some of the commandments of the framework, if you will. I'll talk about using the framework to report the breach cost, and then I'll close with a quick call to action: ways that you can help solve some of our data problems in InfoSec, and ways that you can use this work, at least for incident response.

So I want to talk about the science or religion question. Which one are we anyway, right? Now when I talk to people consistently, particularly when I come to the
good old Augusta University, who we appreciate for the... what now, is this our fifth? Six years? I can't remember. Six? Five? For the fifth year in a row Augusta University has hosted us, and, you know, BSides Augusta, and I cannot thank them enough for this. This is a phenomenal space. It's great that they're, you know, trying to be part of the community here. If you go to them and you ask them about InfoSec, they'll say it's a science, 100% science. Every one of the courses that they teach in their cybersecurity curriculum is a science course, right? And then I have to step back and I have to ask, where'd you get your data, right, that you're teaching
these science courses? Because I look at, you know, chemistry and mathematics, I guess we call math a science now, I'll go with that, right? Chemistry, biology, physics, etc. All that's based on data, all right? And the InfoSec stuff that we're dealing with is unfortunately in many cases not based on data, despite what some of your professors and some of your mentors, right, are gonna tell you.

And so I like to first step back and ask, what is a religion in the first place? And I like some of these notes here, you know: religion, it's a personal set or institutionalized system of attitudes, beliefs, and practices. Well, I like this. This sounds a
lot like InfoSec to me. If I think about the SANS, well, it's not SANS now, it's been handed over to the Center for Internet Security, CIS. I think about the CIS 20 Critical Security Controls. How many of those are evidence-based? The number is significantly less than 20. It may not be zero; there are some folks that can argue that the number is non-zero, but it is not 20. And yet they are the 20 Critical Security Controls, and we kind of stand by these, and in our practice at Rendition we recommend people use them. But then I have to ask, is that based on data or is that based on religion? And I love this here, right,
the institutionalized system of beliefs and practices. And I like here, when Merriam-Webster asked us to go use religion in a sentence, and these are, I didn't even have to make these up, I didn't have to dig deep, right? It was "hockey is a religion in Canada" and "politics are a religion to somebody." Again, it's this system of beliefs that we hold to be true. And again, when we talk about religion in the more generic sense, right, where a lot of us are gonna go to church tomorrow on Sunday, right, what we talk about there, it's not based on fact. Now I know lots of people say, well, it's a fact
for me. But let's be fair, faith is what we're talking about, right? It's faith as a belief in something without the actual scientific evidence to back it, all right? And again, I will argue that in InfoSec, and in particular when we talk about incident response, we're seeing a whole lot of that.

Now on the red team side, the red team, that's not faith, right? I mean, they have faith they're gonna get root, right? But separately, right, they have a system of techniques that they're gonna use. We all know about the cyber kill chain, right, and these deterministic phases that one walks through to go through the cyber kill chain. But they're experts at this,
and they know how to do that, and that for them is largely science, right? Red teamers, I apologize, man, beforehand if I offend anybody in here, if there are any of you in here: it's a flowchart job, and it's an easy job compared to defense, and that's just the reality of it, all right? Compared to defense and investigations, it is an inherently easier job. And so, you know, as I step back here, I look and I say, well, look, a lot of the defense stuff that we recommend, we know it works anecdotally, but that doesn't necessarily mean that it works universally, and in many cases of course
it doesn't. And so I use this as an example. I like to ask people, will multi-factor authentication stop breaches, and is it cost-effective? Can I go to management and cost-justify the deployment of multi-factor authentication? Now before you answer this question, I want you to know that my company is a Duo partner. We believe so heavily in multi-factor authentication, we've partnered with a company that does nothing but multi-factor authentication. I guess Duo does a couple of other things, but like, that's their core business line, and that's why we've partnered with them. And I have to tell you, when I start looking at the arguments here and I have to go to
management and make this justification, I have to tell them: a lot of your peers have multi-factor authentication, MFA. Your peers are using this; you should be too. It just takes an extra second or two to use the MFA token. There are no productivity losses. Are there no productivity losses? Of course there are, right? I know, I know, all right? But again, the arguments that people consistently use are: there are no productivity losses when you use MFA, and multiple vendor reports and incident response reports that we can read in the public domain cite MFA as an effective control in preventing these particular breaches. Why wouldn't you have that? I mean, with evidence like this, not using MFA, it's
like driving around in a car where you've disabled the airbags intentionally, and none of us are gonna do that, right? I mean, that seems like a bad plan, all right?

Well, I want to come back and give you an example from five-year-old Jake, right, when my peers were telling me the Easter Bunny was real. And I want to throw out some of the evidence for this too. My friends told me the eggs would appear Easter morning, and they did. And while there was some effort to find the eggs, I have to tell you the total cost of ownership was very, very low, because five-year-old me didn't make a lot of money, so my time wasn't
valuable. Every time I found an egg with some chocolate or a quarter, or if I found the golden egg, and at least around our family the golden egg was a dollar, but I've heard other people say it was like twenty dollars or whatever. Again, doesn't matter what it was; I was making so little that my return on investment was huge, all right? My total cost of ownership for Easter Bunny belief was very, very low, all right? All I had to do is continue pretending that I believed that eggs magically appeared. And a hundred percent of my peer group, not some small percentage, 100 percent of my peer group all had Easter Bunny experiences. I grew up in backwards
Virginia, believe me, all right? Nobody out there was like, I'm an atheist, we're not participating in this and we reject all society. In backwards Virginia that got you lynched, right? It wasn't something that happened, exactly. And so, you know, I kind of mentioned here, everybody had that experience, a hundred percent of my peers did. I had better evidence for the Easter Bunny than you have for MFA, and I was wrong, all right?

And so I just want to bring up here that some of the things that we believe, right, to be this obvious, you know, an obvious security solution... I can't tell you how often people come to me and they're like, well, if we just did
this, that would have prevented the breach. Well, let me stop you right there, because if your solution involves the word "just," you've already oversimplified it, right? And I have to cite Jack Daniel on the panel that we were just in on SB 315, and he said something that was... I mean, I've been quoting the "just" thing, my team will tell you this, a lot, all right? If your answer involves "just," it's already wrong. But Jack made a phenomenal quote in that panel over the last hour and a half here, or two hours, whatever. He said cybersecurity is a complex problem. I'm paraphrasing him here because I don't have the exact
quote, but we'll get it off the video. But decent cybersecurity is a complex problem; if you're trying to implement a simple solution to it, you're probably doing it wrong. And I love that, all right? That gets to the heart of so many of our solutions, right, that we come up with. So again, I want to throw out here: I had better evidence for the Easter Bunny than we have for a lot of the things we prescribe as surefire solutions that everybody should be doing. We like to call these best practices, by the way, all right? But again, we don't have a lot of data to back these up, all right? I want to note that anecdotes are not
studies, right? Again, we lack a lot of data about MFA, all right? As we talk about anecdotes, they should never be confused with a study or randomized controlled trial. If you work in medicine, some of you may know, I was a paramedic before I got into InfoSec, and kind of interesting there, right, that whole incident response background, one type of incident moved into a different kind of incident, right? But, you know, as you look in medicine, we have randomized controlled trials, and these aren't necessarily good for every type of data, right? We don't want to intentionally, for instance, we don't do randomized controlled trials with real people on the roads with airbags, right, because that's just negligent,
right? You wouldn't be like, we've disabled your airbag, and when you get in a wreck we'll do some studies on how you survived, right? That would be horrible. And in cybersecurity obviously there's some things we can't do RCTs with, but to the extent that we should, or sorry, to the extent that we can, we absolutely should.

Here's what I don't have, even though I'm a Duo partner, and believe me, you know, I've asked, right? Duo doesn't have data on this. What's the study? Do we have studies showing the cost of multi-factor authentication related to productivity losses? And I'm not just talking about the productivity losses where people argue, well, it's just one extra click or two extra clicks
or whatever, right? Again, this is a big deal, all right? So I'm looking at, what is the cost to do the enrollment? What's the cost when you lose your token? We're updating our smartphones every 18 months to two years, right? Every one of those involves you reinstalling the token; that probably involves helpdesk support for the average user. I'm guessing the people in the room here may, depending on technical controls, be able to do it themselves, right? Obviously in the best, highest security environment you're going to have helpdesk involvement anyway. I mean, I don't know about comparative compromise rates with and without MFA. We regularly destroy companies that use multi-factor authentication when we do a
red team assessment, so I know it doesn't stop breaches. I know it stops some incidents, right, some specific incidents, but it certainly doesn't stop breaches. I don't have evidence that MFA actually reduces any compromises at all, all right? What's our overall rate, right? If an attacker gets stopped with MFA, how many of them stop and don't continue targeting the environment, right? And I think that number is probably... but I don't have that data. I'm positive that we can get that data by working together.

Now I know we're gonna talk about incident response costing, but again, I want to start with the bigger problem of, all right, my incident response costing
is a very, or incident response accounting is a very specific example of a problem that can be solved with data in InfoSec, all right? And again, I wanted to come back to the broader problem: that we suck at data, we're a religion. I mean, I'll tell you my conclusion, right, after looking at a lot of our problems, is InfoSec is a religion right now. I'm not saying that that makes any of what we have wrong; it doesn't make our best practices any less best, right, or doesn't mean we shouldn't use them. But we should be very clear when we communicate with management about what is it that we're actually dealing with here: is this data or is this anecdotes? And so
again, I'll mention here, you know, help generate data by participating in studies and surveys, all right? This can be literally as easy as going on Twitter; I run probably half a dozen Twitter polls a week. And, you know, SANS runs surveys, the Verizon DBIR, you can partner with them to submit data semi-anonymously. Here's the big one: when you don't know, when you don't have data, freaking admit it. I'm so sick of people coming on going like, well, we know that. Do you really know it, or do you think it, you have a strong belief in it, right? Because those are two very different things. And look, we
lose credibility in the field, we hurt the field overall, the profession overall, when we pretend to have data that we don't. And Colin Powell said it best. I mean, I have to steal this from Colin Powell. He said, tell me what you know, then tell me what you don't know. This is what we suck at in InfoSec, by the way. He says, only then are you allowed to tell me what you think. Imagine if we started off some of our best practices discussions this way, where we said, hey, I don't know anything, we know very little, all right? Here's a couple of anecdotes, but let me tell you, we don't know. We don't have any good data on controlled studies and any of
that, but we think these following actions are gonna help you out. Now look, I think that puts us in a much worse position to try to suggest remediation steps and all that stuff with management; that's why most of us don't do it. But let's be very clear, we are being dishonest, right? The majority of, as we look at, let's say, manufacturing safety for instance, they have numbers, have data around that. And so we go in and we present our findings side by side and say this will help, right? Management, without knowing that we're lying to them, assumes, lying, being dishonest, whatever you want to say there, without them knowing that, right, they then assume that
we're using basically the same reporting standards, right, that we're actually reporting data. When you look at somebody who's trying to implement a safety control in manufacturing, if they don't have data behind it, they tell you, like, we think this is going to be effective, here's why we think it's gonna be effective. They don't have data, though, and they tell them we don't, all right? And so again, this kind of forms one of the bigger problems that we deal with.

So as we get into Abracadabra, I'm gonna talk about, does this even solve a problem with breach reporting? What is it? All right, well, look, breaches are occurring at a ridiculous pace. I don't have to tell anybody in the room that. We
know every week my data gets compromised somewhere by somebody else. I'm not talking about every week there's a new breach in the news; it feels like every week I'm getting another email, it's like, sorry, we lost your data. Organizational leadership struggles to budget for incidents. We work a lot of incident response; it's our biggest service line by dollar amount, biggest service line at Rendition Infosec. And so we work a lot of this, and I can tell you almost universally nobody's budgeted for an incident. You should, right? It shouldn't take an incident for you to have to figure out, hey, how are we gonna fund doing an incident response, right?
Everybody in the room here, I think, agrees that it's now no longer a matter of if, it's just a matter of when and how bad, all right? Just a matter of when and how bad. Now look, if you roll back five or ten years there were a lot of people like, well, we're not gonna get breached, and it's like, time out, brother. Today that's not at all the case, all right? So the problem that we run into then is, how much do you budget? Few organizations publicly report the true costs of their incident response activities, and there's no standard for identifying which costs should, and maybe more importantly should not, be included in incident reporting. And this lack of standardized incident
cost reporting, it hurts businesses, it hurts insurers, and it hurts our consumers, our legislators. We were just over in the SB 315 room talking on the panel there, and we actually had one of the Georgia state legislators that, you know, actually helped vote on the law, and she actually was very, very instrumental in helping convince the governor to go ahead and veto that horribly written piece of legislation. If you don't know what SB 315 is, take that as homework, please go learn about it, because it's a train wreck and it's gonna come back, all right? It's like Night of the Living Dead. They didn't get it through the first time; they will get something through, right?

Without a standard for this, though, it's very, very difficult to perform any apples-to-apples comparisons, and our goal here is to put out a framework with some information that you can use to go and alleviate this problem. We want to enable organizations to make sound incident budgeting decisions. This is very, very important for us. And so we talked about Abracadabra. I know that's a long acronym: Acceptable Best practices for Reporting Accounting Costs Accrued Dispensing of the Adversary in Breach Reporting Activities. So again, I know that's a mouthful; we're just going to shorten it up to ABRA, because, yeah, when I put this together I was trying to come up with, you know, basically something that looked cool as
an acronym, but then I had to type it a couple of times, and wow, are there a lot of A's and B's in there. So, yeah, look, in retrospect, no, all right? So we're just gonna go with ABRA for short, and that's what we're gonna name it going forward here, but the original name was that, and that's what it stands for, and of course it's tongue-in-cheek. Again, our goal really is to get that information out there, or get at least some level of an accounting method out there that folks can use, because today you can't go back and say, hey, did you use standard accounting principles for this? Because there are none, right? And that's kind of our goal
with putting this out here. And I've had reporters talk to me and ask me, hey, why would an organization fudge the numbers in the first place? Wouldn't they always want them to be low? And the answer is not always, right? Because in many cases people look and they say, well, I've got five million dollars of cyber insurance, and they try to make a breach five million dollars, right? They try to add stuff in there, like, yeah, they'll pay out on that. They're not going to. They never pay out, right? I mean, I'm not saying cyber insurance never pays out at all; it never pays out in general, and certainly when you're trying
to put stuff in that's explicitly stopped by them, for instance you're trying to upgrade equipment and whatnot. We'll talk about some of that there.

Sometimes we have folks with investors, and they don't want the breach to look large, or the compromise to look large, and they try to intentionally reduce the numbers dramatically. We see this a lot with publicly traded organizations. Or in some cases we've actually seen where a publicly traded organization has two separate incidents, right, and they know that basically the first one's been discovered and it's the larger of the two, and they try to report it right at that quarterly filing time, right, so that hopefully that blows over and
nobody even notices the small one. They still shift costs from one to the other, right, trying to show, well, yeah, we had a second incident, but this was totally minor as opposed to that other one, that five million dollar thing that you should forget about in the past. This one was only like a hundred thousand, so no big deal there, don't worry, investors, share price should not lower.

And we may want to make the incident appear as top cover for a new platform. We work with a CSO, we've worked with a CSO at three different organizations now, and he does this every time. This man is walking around with his little portfolio, you know, a little
padfolio thing that people carry around, and I've been in two different board meetings with him, and when the board has approved, when they're like, hey, you know what, we need to throw some money at this, how much you think it's gonna cost? He's like, ah, you know, I'd really like, and he always shoots high, because he's smart about this, very, very business savvy, he says, you know, I'd like a half million dollars. And then, well, I don't know if we're gonna do a half million dollars, and he's already sliding out, like, the quarter million dollar plan that he's got ready to go, like, ink it now, I'm gonna go spend the money, like
he's got the plan right now. And I saw him, he's pulling up the quarter million there, I know, for a half mil we'll probably do four hundred thousand, he's sliding that back in, he's pulling out, and he's got plans at, like, every dollar bracket level with him that he's walking into the boardroom with. And this is funny in one case, but it makes for horrible cost accounting. And I love the guy to death because he's given us a ton of business and he's serious about security, and most of the people in this room have probably been impacted, in a positive way, by the way, been impacted by his security focus. I won't get into
where this dude works, but I'll tell you that most of us have crossed paths with at least one of the organizations in the past. Now he likes to use incidents as top cover for new plans and programs, and then they go with the total cost, right? That's part of the cost that they report: that four hundred thousand, half a million, whatever, that went into that, basically, that funded that new plan or program, whether it was a StealthWatch or MFA or whatever it is that they're going to deploy.

Sometimes people want to increase headcount: oh, man, we knew we were understaffed, we had one IT person and half a headcount
applied to information security, so obviously that wasn't appropriate as a Fortune 500 company, so this incident showed us the light, hence we need to go ahead and budget for headcount. What? No. That doesn't make that an incident cost. I have tons of real-world analogies I won't get into here why that's inappropriate, but I certainly use those to explain to management there.

Sometimes they want to replace obsolete hardware using the incident response budget. This is actively happening in Atlanta, all right? That 17 million dollar total that you're hearing is them replacing a lot of that, and if you get down to brass tacks, one, they're trying to max out their cyber insurance policy, so they're
doing two of these, three of these actually. They're trying to max out the cyber insurance payment, right, because they've got a 20 million dollar policy. You've seen the numbers climb up; you're not gonna see them climb above 20 million. I'm confident this is not gonna work. Your insurers are not idiots, all right? I mean, let's start right there. Your insurers can insure you for twenty million dollars because they're not idiots, right? They understand underwriting, all right? So replacing obsolete hardware, right? So the city of Atlanta is going in and saying, well, we wanted to deploy this EDR agent, this endpoint detection and response agent, but these machines are old and they're having trouble supporting these. No
problem, I have a solution for that: let's buy new hardware so it can support the EDR agent that we only need, right, because of this incident. And so then they come back around and say, okay, cool, we're gonna replace this obsolete hardware.

This one's my favorite: this is where they finally decide to hire a CSO and they put that cost into the incident response, and I'm mind-blown. Now from a legal side, your lawyers will often step back and be like, yeah, that works. Now lawyers are very familiar with the term called proximate cause, not approximate, proximate, drop the a off the front. Proximate cause basically means, but for this event, all right, this thing
wouldn't have happened. A great example of this is, let's say I push somebody out into traffic, or actually that's a bad example because that paints me as the bad guy. Let's say that we're working at the office and I accidentally spilled a drink, and unfortunately I spilled it on Bryce over there, and Bryce's like, I got to go change my clothes because I'm not gonna sit in wet pants all day, all right? And Bryce walks out to the parking lot, gets struck by a vehicle in the parking lot, right? Now obviously, unless I'm like Rain Man or, you know, some kind of other, you know, look,
I'm trying to think of, like, who else, movie-wise, can do this, right? But I can't figure out, butterfly effect kind of thing, I can't spill a drink on Bryce and be like, I'm gonna murder Bryce by spilling a drink on his pants, right? I can't do that, right? But a lawyer is gonna argue that the proximate cause of Bryce being in the parking lot in the first place, or may argue, right, is me spilling the drink on Bryce. Had I not been negligent, right, had I had a spill-proof lid, none of this would have happened, and Bryce wouldn't have been hospitalized and injured, right, or maybe killed or
whatever, who knows. But the CSO thing, your lawyers, before you think, man, why isn't somebody stopping us? Because your lawyers are familiar with that legal theory and they use it all the time in civil lawsuits, right? In fact, if you look at any of your breach-related lawsuits, you almost always see the words proximate cause inside of, basically inside of, the lawsuit there. You don't have to say this is a hundred percent the reason this happened; it's a much lower burden to say, but for this thing happening, right, we wouldn't have had this outcome. And so this whole hiring a CSO thing, this works really
really well along this proximate cause angle, right? Because we say, but for this breach occurring... we didn't have a CSO before. Now we had an incident, we realized we needed a CSO because of the incident, so we hired one, so it makes sense to make it a part of the incident response reporting cost. And I think most of us can agree, no, it doesn't, but legally maybe that sounds like it makes sense, right?

So I want to poll the audience on a couple of these here, right, and I'll ask for a show of hands, and just commit one way or the other, right? I'm gonna mention here notification and credit monitoring costs,
right? So an organization that processes PII data and some credit cards, they're compromised. It's believed the attacker stole the customer information from one of their databases. Database stolen; it's not a master customer database, not all customers are there, and the mailing address is not present in the database, right? Now we're ultimately gonna have to go out and do something here. The org is going to incur costs identifying the mailing addresses of all the impacted customers, and the org is gonna have to mail the customers notifications. They're gonna have to contract a call center, because there's always an 800 number for you to call, and they're gonna have to provide credit monitoring services to
you, right, under most state laws today. Does this get included in the cost of the incident? How many folks say yes, by show of hands? Now this is a very interesting case here, right, because, and by the way, the majority was yes in the room here. I'll mention here that I think this is a really interesting case, because doesn't this then disproportionately disadvantage, or disproportionately increase incident costs for, those that have to send notifications, right? So if you're processing data that under state law requires you to send a notification, doesn't that then artificially increase the cost of your incident and prevent us from doing an apples-to-apples comparison with someone that doesn't? Now
again, I'm not necessarily saying this shouldn't be included in the cost; I'm just kind of throwing it around here and highlighting some of the problems we face.

What about regulatory fines? All right, so we've got a hospital, how appropriate, since we're actually in a medical building, right, or a medical education building at least. They process PHI data, and HHS, Health and Human Services, fines them a half million dollars for the incident. Should the fine be included in the incident reporting costs? How many folks say yes? How many folks say no? Well, the noes have it there; that one was unanimous, all right? And again, you know, I'm gonna come back here and say I don't have a right answer. This is not a
black and white issue, all right? Today it's basically a hodgepodge, right? So should the fine be included? Again, I think possibly no, and I'll talk more about this as we go.

What about lawsuits? Man, these are more common every day, right? Every day. So an organization that processes health data, they get compromised, results in a loss of availability of critical PHI. By the way, even if your PHI isn't compromised in the sense that it's stolen by a third party, if a third party can simply block access to it, that is a fineable event, all right? So that's actually considered a HIPAA breach as well, if your doctors can't access your PHI,
right, doctors, yeah, health care providers, whoever is ultimately covered on that business associate agreement, or BAA. Patients claim this outage impacted their care and they suffered injury, pain and suffering, and the insurer settles a class action lawsuit for nine million dollars. The organization incurred lost productivity, obviously, in dealing with this, lost time to trial prep because they had to put people, you know, through the wringer there on doing depositions and whatnot, they had legal fees, they have to cover some of the nine million dollar payout with the insurer, everybody has a deductible. What about this, is it in? How many folks say in? How many folks say out? All right, that's about even, in and out.
about a thirty you didn't vote at all right and so and I don't blame you because this one's a hard one as well all right should we be certainly from a legal standpoint if we use the proximate cause right proximate cause side I definitely but for the incident we would not have had the lawsuit would not have had these you know these these issues right at the same time if you're in an industry that's less likely to be sued all right obviously then this skews your incident response costs alright so this is kind of what we're trying to get to you know we talk about apples to apples there's a lot today that well we have
And this is one of our big issues. So one of the ways that we proposed to deal with this is that, as we think more about these cost categories, obviously different businesses, different lines of work, have different regulatory bodies, they have different susceptibility to lawsuits, and certainly they have different susceptibility to breach notification costs. And so what we actually are proposing here is a 4-tuple solution to the problem, where we no longer report a single number; we report four numbers, or up to four numbers, a four-tuple (or four-"toople", depending on which part of the country you come from). We're looking at incident response costs, the actual cost to perform the incident response, and we'll talk more about some things that are in and out on that a little bit later. Breach notification is a separate cost. The lawsuit cost, whether that's the actual legal cost, deposition, trial prep, lost productivity, and then ultimately the payout, the potential payout. And then regulatory fines. So what are we dealing with there? We've proposed a 4-tuple. Now, you can add all those numbers together and still provide the same one number that you're providing today; it just gives us some granularity around that data without having to do line-item reporting.

And this is what a lot of companies don't want to do. They don't want to come in and say, look, here's our... let's open up the books, let's open the kimono a little bit and show everybody how we perform that incident response. I wouldn't want to do that for any of my customers. If I were ever breached... if we're ever breached, you're all fired. But seriously, if we have an incident, I wouldn't want to open my books. At the same time, I recognize that me not being transparent with this is actually hurting our industry; it's hurting our ability to perform, again, these apples-to-apples comparisons. And so what we're trying to do here is, if we can standardize a method for this reporting, what's in, what's out, again without having to do line-item accounting, without having to give away potentially sensitive information, we can still understand how we stack up against other organizations: how did this breach impact us versus a breach impacting somebody else in the industry?

And so one of the questions that I had as I was developing this, and I've certainly run this around with a couple of reporters and a couple other folks in the industry, they've asked, hey, why will organizations use this in the first place? And my number one answer has to be insurance. I think that once we push this into the field, insurers are going to force people to start using this. I hope that's the case; we'll see. They may come up with their own standard, and look, if that's what happens, rock on, take it away from me and roll with it. All I care about is the problem gets fixed; I don't care who does it and whose name is behind it. Again, I throw this out here knowing that people are going to pick on it. People are going to say, well, I don't agree with that piece, and whatever; rock on, at least we're starting the conversation. I'll talk more about that as we close here, but I'll mention that for those reporting the incident response costs, we can challenge them to provide insight into their accounting methods.

So I've got two reporters that, as this goes live on Monday, one with Reuters, and I'll leave out the other organization because I'm not going to give up the reporter yet, are going to start asking, hey, what accounting standard did you use? As they're reporting, when somebody says, hey, we had a ransomware event, this cost us whatever, $300,000, they're going to ask: did you actually use an accounting method to report this, or did you make it up? And I like that. And then start putting that into stories, saying either this number is backed by an accounting method or it's not. Now currently, as far as I'm aware, this is it; that's kind of why we're doing this here. But again, if you have better ideas, please take it and run with it, because, you know, rock on. I just care that the problem gets fixed, again, not who fixes it. I certainly am going to encourage folks, certainly my employees and others in the industry here, to go ask legislators and press and regulatory bodies to demand the use of some standard accounting format.

And even if you're never going to share data externally, even if you're never going to go to the press and say, oh yeah, or investors, and you don't have a regulatory requirement to share the cost of your incident response, at least internally use these numbers, so that you can compare. So when you go to that board meeting you can say, yeah, look, our breach was bad, but it was nothing like this other one, and you can actually do an apples-to-apples comparison. And by the way, tell them what you know and what you don't know. Today, if you go up and you try to do an apples-to-apples comparison, one of your don't-knows had better be: I don't know what accounting format they used, and I don't know what accounting format I used either, because, quote, we made it all up.
So let's talk about case studies, case studies of ridiculous breach costs. This is kind of what led us, a couple of these actually led us, to thinking about this problem specifically. Well, that and the Atlanta ransomware thing. I've got an organization that's breached; they lost regulated data. The regulators and the cyber insurance company asked why the organization didn't have a CISO, and the organization has a policy, an actual in-writing policy, that any new headcount must be funded for the first three years in the budgetary process before they hire somebody. Now, if you're looking around at what CISOs make, this is a lot of money, and particularly three years of that is a lot of money. And so you know what they did? They took three years of the new CISO's salary, not just his actual dollar salary, but his benefits, so all the benefits, the stock options, stock, whatever ownership options they have, they're not publicly traded, but regardless, they said, okay, cool, and that's what they reported as part of the breach costs. This is their largest single line item. This is somebody we work with, so I do see the line items: largest single line item by far in their incident response. That's obviously skewed the incident response northward, I'm going to tell you, by more than a million dollars. Most CISOs are making a pretty fat chunk of change there, and it certainly was well over a million dollars, and that pushes that breach cost up.

Here we had a breached org that was being acquired as part of a merger and acquisition, and we've been doing a lot of M&A work recently; in fact, my office is filled with stuff from a failed M&A. But basically, here we've got the acquisition that was complete. This external capital infusion company here, they basically bought up a smaller company, and so now we've got this larger conglomerate, which is a holding company. The holding company is getting a capital infusion, and I'm not going to give away the exact number here, but let's say it's around a billion dollars over four years. So not chump change. They're very, very concerned about the capital infusion. It turns out, because of some tax law changes, the company that's going to do the capital infusion needs to do it quick; they have to do it sooner than later, which means the incident response has to wrap up very, very quickly. Now, this is an external factor here that obviously has nothing to do with the complexity of the incident. If we're measuring incident response costs, what we should be comparing here, if we're doing apples-to-apples comparisons, is how involved was the actual response. And that should actually tell us something about how involved were the actual attackers, how sophisticated were the attackers, how much anti-forensics did they use. We should be able to tell something from these numbers. If we can't, then we shouldn't care that the numbers are even being published; we should stop asking for them. We shouldn't even be tracking them internally if we don't care. Clearly we do; I'm obviously not advocating for that. But they needed to get this done quickly because of the tax law changes, and so what they did is they put a private charter jet on standby for three weeks to fly hard drives and equipment back and forth from the compromised site to the forensics lab. Now, I don't know if you've looked at chartering a Gulfstream for weeks at a time, but I'm going to go ahead and tell you it ain't cheap. But if you need something there faster than FedEx, obviously there's a way to do it: if priority overnight is not fast enough for you, there's priority by G6. And so now I have to step back and say, is this sane? Is this something that helps us understand the cost of the incident?

Now, the reason I'm sharing some of these ridiculous stories is that, again, without having seen these firsthand, I would never look at a number like Atlanta's 17 million dollars and wonder. And by the way, none of these are Atlanta; none of these stories I'm telling you are Atlanta. But I have to wonder then, without seeing what's in the 17 million dollars, based on all the craziness that I've seen before, now I'm kind of like, okay, well, what am I not seeing?

So here I've got an org with ransomware; the database for the document management system got encrypted. This is a really, really interesting one. It turns out the CTO has been unhappy with the existing document management system for some time. Yes, and you all know where this is going, right? And so, oh man, I left the charter jet in there; well, anyway, let me leave that out. Blame the whole copy-paste slide thing as we're building the story out; there's probably one somewhere else, or so. Anyway, the CTO then replaced the document management system, yay slides, for nearly half a million dollars and included that in there. This is a capital improvement that they made, where they ripped out, literally ripped out, one system, put a different system in place, and they were like, yeah, that clearly... I mean, from a legal standpoint, and I want to come back to this, as ridiculous as this is, but for the incident that took the existing document management system offline, they would not yet have made that change. In Atlanta's case, but for the ransomware that finally made them come into the 21st century and deploy EDR on their systems, they wouldn't have needed more powerful systems to run day-to-day ops along with the EDR software. So again, from a legal standpoint, this might actually pass muster. From a common-sense standpoint, from a does-this-help-us-understand-the-numbers standpoint? Now I've got a half million dollars jammed in here, jammed into my incident response cost, that has nothing to do with the incident. So now look at number four here.
We've got an org compromised by a Struts vulnerability. This was not Equifax, before you guess, because I can't say Struts today without somebody saying Equifax. Anyway, so the org decided that they don't want to rely on any Java frameworks. Now, I've got to tell you, I don't actually disagree with this. I think Java is a lot like the Hindenburg. Airship travel largely stopped; we had safe airships, and even the Hindenburg at the time was known to not be a safe airship, but you can't get people on safe airships, and the reason for that is because they all saw that movie reel. Even back in the 1910s here, they all saw the movie reel of people burning up in the Hindenburg, and they're like, nope, not me, I'll take my toys, I'm going home, I'll find a different way to fly. And other people are like, no, no, it's safe, this one's safer. And this reminds me a lot of Java. We're like, hey, don't worry about all the stuff you saw before, this Java is better, and consistently we're finding out people are still crashing and burning with it. Anyway, the org decides that they don't want to use Java anymore, and they say, hey, this is unacceptable risk. I'm all about the whole risk modeling thing and threat modeling; I like this. The org decided to go refactor the application and modernize it and rewrite it using the Rails framework, and I won't get into security issues with Rails, but that's a whole separate topic for another time. It's not necessarily better. Okay, it actually is better, because the alternative was Java. But the cost for refactoring the application, deploying, and, this is the one that blew me away, training the staff on the new workflow. Mind blown. This is a big organization, and they had thousands of staff that they trained on the new workflow in like 16-hour, like two-day sessions on how to use the new system internally. This is a core piece of their business, and they trained thousands of staff on this and counted all that lost productivity time as part of the incident response.

Now you've got to step back then and say, and this is why I'm telling you this, the reason I'm telling you this is to say: when you see these numbers in the press, they are absolutely meaningless today. If I came in and I offered this fine gentleman up front, I don't know your name or anything, what's your name? Ron? If I came in and offered Ron... Ron, are you looking for a job? Not really, but for the right amount of money you'd come work for me. I mean, there's got to be... everybody's got a number, right? And if I came in and I told you that I'd give you 3 million flinparks to come over and work with me today, would you? Flinparks? No? Right, exactly. So at 3 million flinparks, sorry, I mean, you wouldn't. And why? Because we don't know what a flinpark is. So if, on the other hand, I said I'll give you three million dollars, asterisk asterisk on the backside there, to come work for three million dollars a year, subject to certain terms and conditions, are you good? Do we have a deal? We've got a deal. Without knowing what the terms and conditions are, that's a bad plan, right? And so when we start talking about numbers here, it's easy to throw a number out and be like, bam, but without context, what is a flinpark? What are the terms and conditions? We don't really know. And the terms and conditions in our hypothetical examples here are, well, what the heck is going on on the back end? What are people putting into these numbers?

So number five here: an org is compromised, fails to detect it for more than 18 months. It's obvious that log review would have detected the intruder almost immediately. So a 24/7 SOC makes all the difference in the world. The org finally decides they need a SIEM, and they go purchase it using incident response money. And then the org realizes the SIEM only works if someone monitors it, so they hire a 24-by-7 SOC. And so what they do then is they take all this technical debt, because that's what all this is. They didn't have a SIEM, and then they put a SIEM in place, and it cost them, I think, around 280, something like that, thousand dollars. And then they realized that 280 thousand dollar investment doesn't really matter if they don't use it. What are the odds? And so what they then went ahead and did is they said, okay, we need a SOC to handle all that. That log aggregation isn't magic; somebody actually has to monitor for alerts. And what do you know.
Anyway, let's talk about a couple of principles here that we look at for abracadabra. It's that only items directly related to the incident can be counted in incident cost reporting. Incident response remediation cost should not be used under any circumstances to cover up for technical debt. If the organization has failed to use basic security best practices, or even IT best practices, as is commonly the case, you don't get to cover up those failures in an incident response plan. That's again what we're watching the city of Atlanta do right now. A lot of people come back and are like, hey man, our staff was horribly underprepared for this, we need training. I would say training is technical debt as well. Training is a regular line item you need to be budgeting for every year, whether it's internal training, external, whatever you're doing there; you need to be doing the training anyway. So as we look there, we want to make sure that we've got that included, but not in the actual incident response reporting. Budgeted for, yes; included in our incident response, no.

I work with SANS. I know a company that, after they got breached, one of the things that they did is they went out and bought, I think, around a million dollars worth of vouchers from SANS, and of course that also got included in their incident response costs. So while I love to see their people in my training, I kind of step back and I'm like, you're living a lie right now. I don't blame any of them; they're not responsible for any of that, but the reality is they're there because of the incident. Now, I'm not knocking it either; I think it makes a lot of sense. Look, when I leave my building at night I love to walk around the park, or walk around the track of the park across the street from our building. If every time I went to walk over there I got my butt kicked by somebody, somebody came out and mugged me, I would do one of two things: either stop doing it, but I can't just stop doing business, so in the business analogy that doesn't work, or go take karate lessons. I'd go figure out a way to remediate that. But I wouldn't bill those karate lessons back to my company. And I think that's kind of where we're coming back to here. Now, in this case the company pays for the training no matter what, but now we're kind of stepping back and saying, from which pot of money does that come? Either way it's going to be the incident... or sorry, the security team, in most cases anyway, that's going to get that budget. But again, we're trying to come down and highlight that apples-to-apples comparison, so that the numbers are meaningful.

And so this is another big one for me: you can't skim. You have to report all costs, not some costs; all costs directly associated with the incident. Don't report costs for replacing infrastructure even though it was old. This is another favorite of ours. We've done, I don't know how many now, where we get to the incident, they're running Server 2003, and then they're basically uplifting: replacing the hardware, replacing the software, refactoring applications, because, you know, I've got to replace this stuff because we can't patch it. And it's like, dude, you couldn't patch it the week before the incident. The only thing that's changed is that you've got budget available now. And again, there's nothing wrong with taking advantage of budgeting; you should do that. You should just be honest about where that money's coming from. Again, don't report it as part of the incident; you're robbing the industry. You're not just lying to yourself, you're robbing the industry of data.

And to come back here, note that the costs for training never, ever, ever fall into incident response costs, ever, even if staff doesn't know how to do incident response. By the way, this is a horrible plan; don't do this, but I've seen it done. Don't schedule your people for the next SANS incident response class. Like, if you get breached on Thursday, you discover the compromise on Thursday, and you find out your people can't do their own incident response, don't fly them to a 508 incident response class starting on Monday so they can learn how to do it, and fly back the next week, and assume they're going to do incident response. That is not going to happen. Although I've taught that class, I've taught those people, and gosh, if that happens to you, quit. Just quit. Go find another job someplace where people don't want to abuse you. That happened to you? Oh, quit after the class. Yeah, I had that totally wrong. God. I mean, get the training and then quit. Whatever, that sounds ethically questionable.

But don't report costs for refactoring existing in-house applications to resolve security issues. I feel like I shouldn't have to say any of this, but again, I didn't have to dig deep to grab those six stories of fail; it would be really easy to go grab 600 stories of fail when it comes to cost accounting. Penetration tests, oh my gosh. We love to do red team work, we love it, and we love to do pen test work, but you don't get to count those costs either. Now, I know during an incident, and by the way, this is actually a best practice that I don't have good data for: if you get breached, if you get hit, somebody compromises you and they steal your data, you definitely had an unresolved security hole, and if you didn't know about that from a previous pen test, perhaps because you've never had one, then it makes sense that someone should look for other holes in your infrastructure. This is where I love to use the skin cancer analogy. Again, I mentioned I'm a medic, definitely had some medical training back in the day, and if you ever get diagnosed with skin cancer, I'm just going to tell you it is a very interesting visit. You get to go in and drop trou and go completely naked, and they look at every fold of skin everywhere on your body. They're looking all over the place, they're making sure, because skin cancer is tough to eradicate, like attackers, and our bodies are amazingly complex, and the skin is the largest organ in the body and all that stuff, and they will go fold by fold, including the ones you would prefer not to expose, looking for other evidence of skin cancer. You should get a pen test. You shouldn't call it part of a breach response, part of your incident response. This is good practice. Likewise, the doctors don't put
that exam under their bill for chemotherapy, because again, that's not providing good data back to our insurers. Now, doctors do all kinds of other nasty stuff with cost accounting we're not getting into, but anyway.

So let's talk about the incident cost breakdown: what's acceptable, what's not. Forensic media costs. This is a great example here; we're actually dealing with this. Somebody backed a tractor-trailer up to our office a couple of weeks ago and dropped off a data center, and I so wish I was making that up, but I'm totally not. They apparently had had an incident, and a company that acquired them said, we don't need to investigate that, and so they went ahead and replaced all the equipment. They released the old equipment, and it was sitting in a warehouse someplace, and so they just came and dropped it off. And I'm like, hey, good luck with that. I'm like, hey, do you have IT people? We did, but we were really happy as we fired them. Do we have network maps? They're like, yeah, I think so. There are around, like, 150 or 200 VMs, I'm not really sure, running on these compute servers. And I'm like, are you kidding me? So we've got all these SAN units now; I've got a bunch of SAN, storage area network, units sitting around, and now I have to kind of step back and say, how much media are we really going to buy for this incident response? Now, if I just need to capture a couple of machines, that totally makes sense. If, on the other hand, you have this weird one-off scenario... I'm confident that I can work my entire career and I will never have somebody back up to my office with an 18-wheeler again and drop off a data center. I'm confident that's never going to happen again; if it does, I quit. And I own the company, and I quit. But look, in the vast majority of cases I shouldn't be going in buying storage area network appliances to mirror the SAN from one to the other to do data analysis. I think it's a fundamentally bad plan. Now, well, from a data preservation standpoint it's an awesome plan, and if you're thinking, I'd like more storage area network appliances, it's a great plan to go and jam hardware upgrades into your incident response costs. So here's a spot where even something simple like forensic media, the media we need to preserve data, because I'm certainly not going to one-off image drives, because there are hundreds and hundreds of hard drives in those SAN arrays; I'm not going to image those off one at a time and be like, well, let's hope we can rebuild that RAID in software. That's not going to happen. That's just bad. So again, even something as simple as forensic media costs, in or out, is a tough problem. I'll go ahead and say that I think the reason nobody's tackled this before is because it's a tough problem.

What about a SIEM? It's hard to investigate an incident without a SIEM; we know this. We do a lot of incident response, and frequently, and this will not surprise you, many compromised organizations don't have a SIEM to correlate logs. I think there's a strong correlation here, not a causation necessarily, but there's a strong correlation here. What about a SIEM deployment? Should we include that as part of the incident costs? Yeah? Yeah, if it's used to help determine the scope of the incident, probably yes, maybe yes. I mean, what if we just try to deploy it temporarily? No? No? Okay, there we go. Yeah, so what if we just need to deploy it temporarily? So this is kind of where I draw the line: if it's just being used to go in and do data analysis for the incident, we can do a drop box, not Dropbox the company, but drop a box in place and work with a little less horsepower. I think those costs are appropriate for the incident. I don't think a long-term half-a-million-dollar SIEM deployment with lots of pro-serve hours and all kinds of... I don't think that's appropriate.

So again, these are all questions that we as a community need to answer; that's part of what the abracadabra framework is trying to start. What about temporary EDR installations? This one's another really interesting one. The organization doesn't have endpoint detection and response, so they're having a hard time getting visibility into their endpoints. What do you do now? Clearly the answer is, let's go deploy some EDR. But do you buy full-year licenses, five-year licenses, 90-day licenses? I mean, do you gravitate to an EDR that specifically works with, or is designed for, this type of temporary installation for incident response? And so again, as we start looking at some of these costs, this is some
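The 4-tuple proposal and the in/out principles above (technical debt, training, infrastructure refresh, refactoring and pen tests out; temporary scoping tooling and forensic media in) can be turned into a small ledger classifier. This is an added example, not the speaker's framework or code; the category names, the rejection reasons and the sample amounts are constructed for illustration from the anecdotes in the talk.

```python
"""Sort breach-cost line items into the four reported numbers from the talk.

Added example (not the speaker's framework or code). Each line item carries a
category tag; known in-scope tags land in one of the four buckets, tags the
talk rules out are rejected with a reason, and anything else is parked for a
human ruling rather than silently counted or dropped.
"""
from dataclasses import dataclass, field
from enum import Enum


class Bucket(str, Enum):
    IR = "incident_response"
    NOTIFICATION = "breach_notification"
    LAWSUIT = "lawsuit"
    FINE = "regulatory_fine"


# Category tag -> reported bucket (tags are this example's own naming).
IN_SCOPE = {
    "forensic_media": Bucket.IR,        # drives bought to preserve evidence
    "ir_labor": Bucket.IR,              # responder / consultant hours
    "temporary_siem": Bucket.IR,        # drop-in box used only to scope the incident
    "temporary_edr": Bucket.IR,         # short-term licences bought for visibility
    "customer_notification": Bucket.NOTIFICATION,
    "call_center": Bucket.NOTIFICATION,
    "credit_monitoring": Bucket.NOTIFICATION,
    "legal_fees": Bucket.LAWSUIT,
    "trial_prep": Bucket.LAWSUIT,
    "settlement": Bucket.LAWSUIT,
    "regulatory_fine": Bucket.FINE,
}

# Category tag -> why the talk says it never belongs in incident cost.
OUT_OF_SCOPE = {
    "new_headcount": "hiring (e.g. a CISO) is technical debt, not incident cost",
    "training": "training is a recurring budget line, never incident cost",
    "infrastructure_refresh": "replacing old infrastructure is deferred maintenance",
    "refactoring": "rewriting in-house applications remediates existing debt",
    "pen_test": "pen tests are good practice but not part of breach response",
    "long_term_siem": "a permanent SIEM deployment outlives the incident",
    "hardware_upgrade": "SAN / compute purchases are capital improvements",
}


@dataclass
class LineItem:
    description: str
    amount: float
    category: str


@dataclass
class Report:
    totals: dict = field(default_factory=lambda: {b: 0.0 for b in Bucket})
    excluded: list = field(default_factory=list)  # (LineItem, reason)
    unknown: list = field(default_factory=list)   # needs a human ruling

    def headline(self) -> float:
        """The single number organisations report today: the four added up."""
        return sum(self.totals.values())

    def as_tuple(self):
        """(incident_response, breach_notification, lawsuit, regulatory_fine)."""
        return tuple(round(self.totals[b], 2) for b in Bucket)


def build_report(items) -> Report:
    """Classify every line item; nothing is counted unless a rule says so."""
    report = Report()
    for item in items:
        if item.category in IN_SCOPE:
            report.totals[IN_SCOPE[item.category]] += item.amount
        elif item.category in OUT_OF_SCOPE:
            report.excluded.append((item, OUT_OF_SCOPE[item.category]))
        else:
            report.unknown.append(item)
    return report


# Constructed sample ledger; amounts are illustrative, not from the talk.
SAMPLE_LEDGER = [
    LineItem("forensic imaging media for 12 hosts", 18_000, "forensic_media"),
    LineItem("temporary SIEM drop box for scoping", 25_000, "temporary_siem"),
    LineItem("mailing breach notifications", 40_000, "customer_notification"),
    LineItem("800 number call center, 90 days", 60_000, "call_center"),
    LineItem("credit monitoring for affected customers", 150_000, "credit_monitoring"),
    LineItem("outside counsel", 350_000, "legal_fees"),
    LineItem("depositions and trial prep time", 120_000, "trial_prep"),
    LineItem("class action payout, org share after insurer", 1_000_000, "settlement"),
    LineItem("HHS fine", 500_000, "regulatory_fine"),
    LineItem("three years of new CISO salary and benefits", 1_200_000, "new_headcount"),
    LineItem("document management system replacement", 480_000, "infrastructure_refresh"),
    LineItem("rewrite of Struts application in Rails", 2_000_000, "refactoring"),
    LineItem("two-day workflow training for staff", 500_000, "training"),
    LineItem("charter jet on standby, 3 weeks", 300_000, "charter_flight"),  # no rule yet
]

if __name__ == "__main__":
    r = build_report(SAMPLE_LEDGER)
    print("4-tuple:", r.as_tuple(), "headline:", r.headline())
    for item, reason in r.excluded:
        print(f"OUT  {item.description}: {reason}")
    for item in r.unknown:
        print(f"???  {item.description}: needs a ruling")
```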
stuff I just want to highlight as part of why this is a hard problem.

And so I'll throw out a call to action. Finally, I'll mention here, first off, consider submitting your own breach horror stories. Look, even without naming, I think there's a lot of shaming that goes in here. As this video goes online and people are laughing about this, because everybody laughed about the CISO example, the next time that somebody tries to pull that stunt, pull those shenanigans, you pull up the YouTube video and you're like, dude, here's a room full of security professionals laughing at you, laughing at this idea. I think that's a powerful deterrent; I think it's a seriously powerful deterrent. So I suggest submitting your own breach horror story; share those. Now again, don't compromise an NDA, don't do anything that's going to cause you to lose your job or get sued, but in the abstract, talk about some of this stuff. As you review the framework, if you come in and take a look at the framework and you think we've missed something, let me know what you think, for sure. If you have questions about a specific cost or whatever, submit them over here; we'll try and get you an answer back in five working days, basically: is it appropriate to use this or report this as a particular cost? Good to go.

Call to action number two here: I'll mention that if you have an incident, use some accounting framework. Again, we were unable to find anything other than this, which is why this is the thing now, but if some other accounting framework exists, or you build a different one, or whatever, use it. When you hear about an incident in the media where the costs are reported, just ask. Ask the person who wrote the story; ask the person telling you, when they say we had this breach, maybe you're networking over here, like, it was ten million dollars, and ask them, hey, did you guys account for that with some accounting method, or did you just make stuff up? I always like to throw in the back side of the "or just make stuff up", because it really highlights what we're doing. I also have a similar opinion, by the way, that every time we discuss EternalBlue in the press, we absolutely... and Wired does this, by the way; they actually have an editorial standard that when they use the words EternalBlue, right after it, it says, comma, the leaked NSA exploit, because I don't think we should discuss stuff like this while forgetting where it came from. Likewise here, I don't think we should be discussing numbers without actually discussing where those numbers are coming from and how we're going to deal with those, and then try to make data-based decisions in InfoSec. Make sure that we're working with a religion and not science.

So if you want to help with this, we're going to publish this shortly after the presentation here. I'll get up and throw the web page up there, or activate the web page, and you can download what we have for the framework so far. Go take a look at this; tell us what you think, tell us what we've missed. I am positive that other people have incident response experiences different from mine that probably cover things that we never even thought of, because we never experienced this. Again, I've been working incident response a long time; three weeks ago is the first time somebody ever dropped off a data center and said, hey, we know it's all turned off, but let's go do forensics. It's never happened before; I doubt it'll ever happen again. You probably have other weird scenarios like that. In case anybody's curious, that's out; that's the technical debt. Dropping off, or contracting a tractor-trailer to bring in your... you already made the big mistake there. That whole cost is out; you created a situation.

That said, that's all I've got other than prizes, door prizes. What am I supposed to do with the door prizes? Just like, arbitrary? Is it arbitrary? I can just give them away for, I mean, for whatever, I guess, huh? I tell you what, I'm going to throw my little lock screen up here. Well, that was the plan. Let's try the hot corners. Now of course hot corners aren't going to work; why would they work? I'll give you a choice of prizes if you can tell me what this means: pop pop ret, sir. All right, yeah, it does pop off the stack and return, but why? What's the pop pop ret thing? Anybody know? Ooh, close. Any particular function call? Okay, we'll go to easier questions. So structured exception handling, for anybody that's curious, so Windows SEH exploits. Oh, Jeff, you knew this? Why didn't you raise your hand? Or did you, and I missed it? It wasn't fair. Okay, it was like shooting fish in a barrel, what Jeff said. Anyway, so let's see, and throw out a question here. I don't have good questions for this here; you do this. I'm going to bail; you can give out the prizes. All right, there we go. Okay, I appreciate everybody coming out. This guy's going to give out some prizes.
