EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends

Topics covered:

• What is the hardest thing about turning distinct incident reports into a fun to read and useful report like M-Trends?
• How much are the lessons and recommendations skewed by the fact that they are all “post-IR” stories?
• Are “IR-derived” security lessons the best way to improve security? Isn’t this a bit like learning how to build safely from fires vs learning safety engineering?
• The report implies that F500 companies suffer from certain security issues despite their resources, does this automatically mean that smaller companies suffer from the same but more?
• "Dwell time" metrics sound obvious, but is there magic behind how this is done? Sometimes “dwell tie going down” is not automatically the defender’s win, right?
• What is the expected minimum dwell time? If “it depends”, then what does it depend on?
• Impactful outliers vs general trends (“by the numbers”), what teaches us more about security?
• Why do we seem to repeat the mistakes so much in security?
• Do we think it is useful to give the same advice repeatedly if the data implies that it is correct advice but people clearly do not do it?