“Incident Response is not a witch hunt”

This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Russ Rogers, Senior Consultant on Microsoft’s Detection And Response Team (DART).

Stephanie Lio
Microsoft Cybersecurity

--

When dealing with an incident, please put down the pitchforks and spears. (via Giphy)

Incident Response (IR) is the process by which an organization addresses and manages the aftermath of a security breach or attack. In his life before joining Microsoft’s Detection And Response Team (DART) as a Senior Consultant, Russ Rogers was Chief of Operations at DEF CON Communications, ran a Network Security degree program at the University of Advancing Technology, and founded a security research organization — just to name a few hats. He continues to serve on the training review board and as a volunteer coordinator for Black Hat conferences around the world.

Russ Rogers

Russ, what exactly do you do?

I help our [Incident Response] team take control of the situation, making sure all the data is collected, and that we have the right mix of skill sets on the ground. I’m also responsible for talking customers off the ledge and helping them understand that it’s not the end of the world. I track on-site activities, sample requests, forensics results, and correlate the data to provide useful feedback and deliverables for our customers.

You work with different types of executives in high-pressure situations. What advice can you share for leaders facing an incident?

It’s so important to avoid turning an incident into a blame game. We don’t want to go through a whole engagement just to find out who was responsible for the initial compromise or who made the configuration error. Our work is to triangulate [the issues] within 1–2 weeks and get the customer securely back on the ground, so they can protect their environment and get back to business.

Leaders have to understand that it’s not a witch hunt. We’re here to get a handle on the situation and get them operational again, quickly.

What are 3 qualities someone needs to be successful in your role?

  1. Patience and perception. Working with customers, you need to be able to read the psychological and political environment, understand the people in the room and their motivations.
  2. Technical know-how. Being a team lead is not a technical position, but when I’m in the room with the CEO, CTO, and their senior tech people, I often fall back on my background in penetration testing, red teaming, and exploit development because it provides an added level of credibility and trust.
  3. Organizational skills. For example, with a list of 20 forensic images or samples, I’ll help guide the team to look at the top 3 — we’ll have a conversation, but I need to set priorities so we move efficiently, and reach our objectives in a timely manner.
Have the right skill sets on the ground.

How does your interest in game development intersect with your work?

My interest in game development started when I read Ready Player One (the book is way better than the movie, by the way) and Snow Crash. The brain instantly understands visual information in great quantities, whereas logs on large networks are just lines and lines of text.

I wanted to prove I could create a network in a 3D game world and put in real-world information and an interface where we could run hacking commands but also instantiate every object in the network by hitting a button. I have the HoloLens now, and am hoping to play with it more.

Recommend one security “New Year’s resolution” every business should adopt.

Multi-factor authentication (MFA). Humans tend to naturally reject change or perceived increases in the difficulty of day-to-day work, and MFA adds another step, but it’s important to control credentials.

Do you have any New Year’s resolutions of your own?

Meditate more, and take things less seriously. Life is short.

Meditate more.

Lastly, please settle a debate: Is a hot dog a sandwich?

Yes. It’s meat between two slices of bread.

For more, follow Russ on Twitter and LinkedIn, or check out the many books he has authored, co-authored, and tech edited.

--

Stephanie Lio
Microsoft Cybersecurity

Product Marketing Manager at Microsoft. Creative, curious, & customer obsessed.