Monday, October 22, 2012

Managing Up

It's always amazed me how a high profile incident seems to turn up management and executives in an incident response environment.  When a serious incident hits, everyone wants to hang out with the incident responders, even people who one might never see day to day.  In these type of situations, managing up is key.  Management and executives have the best intentions, but they don't work with the data day to day, and their technical skills may be a bit dated.  Suggestions on how to proceed, what analysis to do, and how to do it will fly at an incident responder faster than he/she can process them.  Unfortunately, many ideas that seem good in theory are not good ideas in practice.  The volume and variety of data makes finding the right approach tricky, and many behaviors that seem like they would indicate malicious activity don't.  Trust your senior team members and manage up in the best way you can.  Your team will be more productive because of it, and your senior team members will thank you for it.


When performing incident response, focus is extremely important.  A significant incident can produce innumerable leads and avenues to investigate.  Unfortunately, not all of these leads/avenues are productive ones.  Choosing poorly can have the unintended consequence of locking up resources for days while producing very little value-added analysis.  It is often difficult to know which direction or directions to go in analytically.  In my experience, senior members of the incident response team, who base recommendations on past experiences, lessons learned, and day to day familiarity with the network and its data have good advice to offer here.  That being the case, I've always wondered why management ends up driving high profile incidents.  It's a bit of a wonder if you think about it....