In this sponsored BDS episode, Bryan Brake and Amanda Berlin interview Emily Eubanks, a Security Operations Analyst for #Blumira. We discuss common business risks like IT staff turnover, a lack of Incident Response procedures, choosing not to follow PowerShell best practices, and MFA use for critical or sensitive applications. We also discuss ways to improve security posture to mitigate these risks as well as how Blumira can help organizations in light of these common business challenges. ADDITIONAL RESOURCES   OUR REDDIT AMA https://www.reddit.com/r/cybersecurity/comments/qao73j/we_are_a_security_team_with_20_years_of_ethical/    MFA https://attack.mitre.org/mitigations/M1032/  https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984  https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/    INCIDENT RESPONSE https://www.nist.gov/cyberframework/respond  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf    POWERSHELL BEST PRACTICES https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/  https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security  https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/  https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/    RISK: A lack of MFA where available or using SMS based MFA for critical applications. Please do not use SMS based MFA for critical applications. [6] [7] This is an easy layer of defense that has historically been very effective [5] One-Time Passwords (OTP) good but [8] FIDO U2F better Consider hardware tokens (e.g. Yubico YubiKey, Google Titan Security Key). MITIGATION:  Blumira requires use of MFA MFA related detections (e.g. AWS, Duo) BLUMIRA HELPS:   Incident Response Procedures   RISK: A lack of Incident Response Procedures or the decision to postpone incident response procedures because they would result in a disruption in service typically results in unfavorable outcomes. A written plan that identifies the roles, responsibilities, and procedures that should be set in motion once an incident has been declared.  If this is overwhelming to conceptualize, know there are a good amount of free and openly available resources already in existence to help with creations of new IR plans >> I highly recommend looking at NIST documentation to get an idea of what is possible and then scale to what is appropriate for your organization [4] The plan should be reviewed at a minimum once annually with everyone who is responsible for responding to incidents present. If anybody is unclear with their role, responsibilities or procedures then the Incident Response lead should work with them to get them there.  Incident Response procedures should be like a fire drill so that when there is a real fire, the team can work together to quickly put that fire out and minimize impact to the company and their customers. (Shoutout to the BDS podcast on drawing connections from fire fighting to Incident Response procedures with Dr. Catherine J. Ullman (@investigatorchi)) MITIGATION: Workflows Blumira helps with this by providing built-in guidance with workflows. Workflows ask direct questions and provide specific options to record responses to security findings to guide practitioners towards a conclusion. provides additional details to help operators make informed decisions in response to new findings. Finding analysis  BLUMIRA HELPS:   Recent or Frequent IT Staff Turnover   RISK: impedes troubleshooting logflow and/or investigations due the a lack of familiarity with the network environment Prevention might be the best solution? Giving your workers time during the work week to improve a work related skill can help identify when a team is reaching or exceeding their resource capacity. If your team is overworked they are more likely to make mistakes, will be less prepared to go the extra mile when it