“Living Through a Security Event” is a practical, experience‑driven presentation that walks organizations—especially K‑12 districts—through the realities of preparing for, responding to, and defending against cybersecurity incidents. It emphasizes legal considerations, communication strategy, cyber‑insurance obligations, and modern attack behaviors.
1. Legal Considerations & Communication
The presentation consistently reinforces that organizations must work closely with legal counsel, ideally counsel with cybersecurity expertise, to avoid missteps. Critical terminology (e.g., "breach") carries legal weight, since declaring a breach can trigger notification obligations, and should not be used without counsel's advice. Clear communication protocols are essential: decide in advance who speaks publicly and what is said, and maintain a single coherent narrative.
2. Incident Response Planning
Three types of organizations are described:
- those without a functional incident response plan,
- those with a flawed plan who adapt on the fly, and
- those who revise their plan after every event.
The most successful are those who refine their IR plans through continuous learning. Knowing your reporting obligations, especially to New York State (NYS) and other regulators, is essential.
3. Cyber Insurance Requirements
Cyber insurance policies often mandate specific procedures, preferred vendors, forensic requirements, and immediate reporting. Failure to follow policy requirements, or to report even seemingly minor events such as a business email compromise, can jeopardize coverage. Full claim payouts may take nearly a year.
4. Modern Attack Patterns
The presentation explains how attackers gain footholds, commonly over holiday weekends when staff are away, and how advanced threats "live off the land," using built-in administrative tools instead of custom malware to evade detection. Automated tooling often establishes persistence before any hands-on commands are run. Attack paths include misconfigurations, compromised endpoints, privilege escalation, and credential-reuse techniques such as Pass-the-Hash.
Once attackers obtain domain admin rights, a full‑network compromise may occur within 4–8 hours.
5. Defense Strategy: Reducing Dwell Time
Defense is framed around minimizing dwell time, the period during which attackers operate undetected. Traditional endpoint protection is insufficient against modern behavior‑based attacks. The presentation urges organizations to implement layered defenses that force attackers to be “noisy,” increasing the likelihood of detection.
6. “Noise‑Making” Security Controls
Recommended defensive measures include:
- DNS enforcement and filtering (forcing clients through a filtering resolver and blocking direct outbound DNS)
- Rigorous patching of the OS, browsers, and third-party applications
- Eliminating unquoted service paths
- Running users with limited, non-administrative permissions
- Using LAPS for local administrator passwords, PAM for privileged accounts, and application blocking
- Monitoring RDP and remote-access tool (RAT) usage
- Continuous vulnerability scanning and behavioral monitoring
- Ensuring complete endpoint protection coverage, with no unmanaged or unprotected hosts
The goal is to complicate the attacker's progress and expose malicious behavior earlier.
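The "unquoted service paths" item above is a concrete example of a control that removes a quiet privilege-escalation route. The script below is an added example, not part of the presentation, showing why the control matters: it mirrors how Windows resolves an unquoted `ImagePath` containing spaces (each space-delimited prefix is tried in turn, with `.exe` appended when the prefix has no extension) and reports which of those decoy locations a standard user could write to. The service inventory and the set of writable directories are constructed for the example; a real audit would read `ImagePath` values from the registry or `sc qc` and test directory ACLs with `icacls` or `Get-Acl`.

```python
import ntpath

# Constructed service inventory: service name -> ImagePath as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>.  Not real data.
SERVICES = {
    "Spooler":    r"C:\Windows\System32\spoolsv.exe",
    "GoodVendor": r'"C:\Program Files\Good Vendor\agent.exe" --service',
    "BadVendor":  r"C:\Program Files\Bad Vendor\Sub Dir\agent.exe -k svc",
    "LegacyTool": r"C:\Tools\legacy app\tool.exe",
}

# Directories a standard (non-admin) user can write to.  Constructed for the
# example; a real audit would check each directory's ACL.
WRITABLE_DIRS = {r"C:\Program Files\Bad Vendor", r"C:\Tools"}

# Extensions we assume mark the intended binary; what follows it is arguments.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}


def candidate_paths(image_path):
    """Files Windows would try, in order, when starting this ImagePath.

    Mirrors CreateProcess resolution of an unquoted command line: each
    space-delimited prefix is tried in turn, and ".exe" is appended only when
    the prefix has no extension.  The last entry is the intended binary; every
    earlier entry is a decoy location where an attacker could plant a file.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        # Quoted path: unambiguous, only the text between the quotes is tried.
        end = image_path.find('"', 1)
        return [image_path[1:end] if end != -1 else image_path[1:]]
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        ext = ntpath.splitext(prefix)[1].lower()
        candidates.append(prefix if ext else prefix + ".exe")
        if ext in EXEC_EXTS:
            break  # assumed intended binary reached
    return candidates


def hijack_points(image_path, writable_dirs):
    """Decoy candidates whose directory a low-privileged user can write to."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    decoys = candidate_paths(image_path)[:-1]
    return [p for p in decoys
            if ntpath.dirname(p).rstrip("\\").lower() in writable]


def audit(services, writable_dirs):
    """Map service name -> exploitable decoy paths, vulnerable services only."""
    results = {}
    for name, image_path in services.items():
        points = hijack_points(image_path, writable_dirs)
        if points:
            results[name] = points
    return results


if __name__ == "__main__":
    for name, points in audit(SERVICES, WRITABLE_DIRS).items():
        print(f"{name}: hijackable via {', '.join(points)}")
```

The fix is the one the presentation lists: quote the path in the service definition. A quoted `ImagePath` yields a single candidate, so there is nothing for an attacker to plant, and a service running as SYSTEM cannot be hijacked this way regardless of directory permissions.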
7. New Defensive Capabilities
Additional tools—SOC oversight, cloud‑based monitoring (Google, M365), syslog collection, AD auditing, and vulnerability management—provide critical visibility into suspicious activity, especially in the “white space” traditional tools miss.
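Sections 4 and 7 together describe what that visibility is for: catching the holiday-weekend foothold, the RDP use that an attacker leans on, and credential-reuse techniques such as Pass-the-Hash in logs that AD auditing and syslog collection bring to a SOC. The script below is an added example, not part of the presentation, that runs three such heuristics over constructed Windows Security event 4624 (logon) records: an RDP logon (logon type 10) outside business hours, a network logon (type 3) over NTLM with a key length of 0 for a non-machine account, and a NewCredentials logon (type 9) through the `seclogo` logon process, the last two being widely used Pass-the-Hash indicators. The records, the business-hours window and the field names are assumptions; the heuristics are leads for an analyst, not proof of compromise, and legitimate NTLM traffic will produce some false positives.

```python
from datetime import datetime

# Assumed business hours (local time): 07:00 to 18:59.  Adjust per district.
BUSINESS_HOURS = range(7, 19)

# Constructed records: a simplified view of Security event 4624 fields as a
# syslog/SIEM collector would present them.  Not real log data.
EVENTS = [
    {"time": "2024-12-01T02:14:00", "host": "DC01", "LogonType": 10,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.8.44", "KeyLength": 0},
    {"time": "2024-12-02T09:12:00", "host": "FS01", "LogonType": 10,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "User32",
     "TargetUserName": "jsmith", "IpAddress": "10.0.5.20", "KeyLength": 0},
    {"time": "2024-12-02T09:15:00", "host": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "TargetUserName": "administrator", "IpAddress": "10.0.8.44", "KeyLength": 0},
    {"time": "2024-12-02T09:16:00", "host": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "TargetUserName": "jsmith", "IpAddress": "10.0.5.20", "KeyLength": 128},
    {"time": "2024-12-02T09:17:00", "host": "DC01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "TargetUserName": "WS07$", "IpAddress": "10.0.5.7", "KeyLength": 0},
    {"time": "2024-12-02T09:20:00", "host": "WS07", "LogonType": 9,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "TargetUserName": "jdoe", "IpAddress": "::1", "KeyLength": 0},
]


def classify(event):
    """Return the list of heuristic findings for one 4624 record."""
    findings = []
    ts = datetime.fromisoformat(event["time"])
    off_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS
    machine_account = event["TargetUserName"].endswith("$")

    # RDP logon at a time when nobody should be working on the box.
    if event["LogonType"] == 10 and off_hours:
        findings.append("rdp_off_hours")
    # Pass-the-Hash on the target: NTLM network logon with no session key,
    # excluding machine accounts, which authenticate constantly.
    if (event["LogonType"] == 3
            and event["AuthenticationPackageName"] == "NTLM"
            and event["KeyLength"] == 0
            and not machine_account):
        findings.append("pth_ntlm_keylength0")
    # Pass-the-Hash on the source: NewCredentials logon via seclogo, the
    # pattern left by tools that inject a hash into a new logon session.
    if event["LogonType"] == 9 and event["LogonProcessName"].lower() == "seclogo":
        findings.append("pth_seclogo_newcredentials")
    return findings


def triage(events):
    """Keep only records with at least one finding, in log order."""
    flagged = []
    for e in events:
        findings = classify(e)
        if findings:
            flagged.append({"time": e["time"], "host": e["host"],
                            "user": e["TargetUserName"],
                            "source": e["IpAddress"], "findings": findings})
    return flagged


def by_source(flagged):
    """Group findings by source address: one host producing several weak
    signals is a much stronger lead than any single one."""
    grouped = {}
    for r in flagged:
        grouped.setdefault(r["source"], []).extend(r["findings"])
    return grouped


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f'{r["time"]} {r["host"]} {r["user"]} from {r["source"]}: {r["findings"]}')
    print(by_source(triage(EVENTS)))
```

In the constructed data the off-hours RDP logon and the NTLM key-length-0 logon come from the same address, which is the kind of "noise" the layered controls in section 6 are meant to force: the individual signals are weak, but a SOC correlating them by source gets a lead well inside the 4 to 8 hour window the presentation warns about.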
Watch the presentation here.