So, as someone who runs and trains cyber incident response teams, where a big focus is on MTTx and reducing the chance for adversary breakout times, which are gonna get worse thanks to AI: this paper was actually part of me calling the approach Formula One IR.
Specifically, it's about getting people joining the IR to already have their assigned speciality and first moves ready to go and begun, as a way to support the incident handler. There are really big benefits to studying the metrics of specific incidents you have to the minute-by-minute level. So much time saving to be made, accuracy to be enforced and duplication to be reduced.
You find there's less time wasted in an incident dividing out jobs or lost to the inevitable context switching of joining the incident. There are already searches, people and clarity about what should most likely be done in the first few mins, even though the plan will change and details initially are probably scarce. It's really effective and cuts MTTx down a huge amount.
Obviously then the handover itself is a vital part of IR to get done accurately and with speed. So that flows into all of the above. It's a really good paper for thinking through workflows.
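The minute-by-minute metrics the comment above talks about are easy to pull from a plain incident timeline. The following is an added example, not code from the commenter or from the paper being discussed: it parses a constructed timeline (the events, roles and timestamps are made up for illustration), derives time-to-detect, time-to-declare and time-to-contain, and measures how long each pre-assigned role took to make its first move after the incident was declared. Roles that start late against a threshold are the seats whose opening searches most need pre-scripting. Event names such as `incident_declared` and `first_action` are an assumed convention, not a standard.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample timeline (not a real incident): one event per line as
# ISO-8601 UTC timestamp, role, event kind, free-text note.
SAMPLE_TIMELINE = """\
2024-03-01T09:02:00Z attacker  initial_access     reconstructed post hoc
2024-03-01T09:17:00Z edr       alert_raised       suspicious credential access
2024-03-01T09:21:00Z handler   incident_declared  handler assigned, bridge opened
2024-03-01T09:23:00Z triage    first_action       pulled endpoint process timeline
2024-03-01T09:24:00Z identity  first_action       queried sign-in logs for the user
2024-03-01T09:35:00Z network   first_action       checked egress for the host
2024-03-01T09:41:00Z identity  containment        disabled the compromised account
2024-03-01T09:52:00Z triage    containment        isolated the host in EDR
"""


@dataclass
class Event:
    when: datetime
    role: str
    kind: str
    note: str


def parse_timeline(text: str) -> List[Event]:
    """Parse the whitespace-separated timeline format into time-ordered events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, role, kind, *rest = line.split(maxsplit=3)
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, role, kind, rest[0] if rest else ""))
    return sorted(events, key=lambda e: e.when)


def minutes_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def first(events: List[Event], kind: str) -> Optional[Event]:
    return next((e for e in events if e.kind == kind), None)


def compute_metrics(events: List[Event]) -> Dict[str, object]:
    """Derive the MTTx-style durations for one incident, all in minutes."""
    access = first(events, "initial_access")
    alert = first(events, "alert_raised")
    declared = first(events, "incident_declared")
    containments = [e for e in events if e.kind == "containment"]
    if not (access and alert and declared and containments):
        raise ValueError("timeline is missing a required milestone")

    # Minutes from declaration until each role made its first move; only the
    # earliest action per role counts.
    first_moves: Dict[str, float] = {}
    for e in events:
        if e.kind == "first_action" and e.role not in first_moves:
            first_moves[e.role] = minutes_between(declared.when, e.when)

    return {
        "time_to_detect_min": minutes_between(access.when, alert.when),
        "time_to_declare_min": minutes_between(alert.when, declared.when),
        "time_to_first_containment_min": minutes_between(alert.when, containments[0].when),
        "time_to_full_containment_min": minutes_between(alert.when, containments[-1].when),
        "first_move_by_role_min": first_moves,
    }


def slow_starters(metrics: Dict[str, object], threshold_min: float = 5.0) -> List[str]:
    """Roles whose first move came later than threshold_min after declaration."""
    moves: Dict[str, float] = metrics["first_move_by_role_min"]  # type: ignore[assignment]
    return sorted(role for role, m in moves.items() if m > threshold_min)


if __name__ == "__main__":
    m = compute_metrics(parse_timeline(SAMPLE_TIMELINE))
    for key, value in m.items():
        print(f"{key}: {value}")
    print("roles needing pre-scripted first moves:", slow_starters(m))
```

Run it over the real incident log and the `slow_starters` list is the handover to fix first; the same parse-and-diff approach works on any export where each event carries a timestamp and an owner.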
It may also be relevant to study what in aviation is called MCC, Multi-Crew Cooperation. That's all about catching errors and making decisions under pressure as a team.
For example, two crew in the simulator, one as captain and the other as first officer, with some external resources like a dispatcher on the ground and air traffic control. The scenario is a flight over high terrain with zero visibility; the trainer then introduces a failure, for example an engine fire with an inability to maintain altitude.
You could as captain start making decisions immediately, but you'll then lose the input of your FO and not optimally use the resources you have. Or you could start a long conversation together about what to do, but you would crash into a mountain (or burn) due to being too slow.
MCC is about how to get the team on the same page quickly and avoid tunnel vision and rushed wrong decisions, while being fast enough to deal with the problem. And making effective use of outside resources like air traffic control. Of course it's quite aviation specific, but there are several concepts that work in other areas as well.
Yep totally. It's something I've incorporated. Especially where the main incident commander gets overwhelmed with decisions, tunnel vision or distraction. For example getting trapped into threat hunting rather than commanding.
I actually think most cyber incident responder training for the commander is pretty weak because it doesn't do a great job of instituting the stress element. Physical security training does it in a much better way. The result is the need to create custom stuff. Because some shitty off the shelf big vendor table top or similar ain't gonna do it.
Exactly, it's that overwhelmed state with resulting tunnel vision or chasing the wrong thing that is so common in aviation incidents. If you have a big issue, the ECAM screen lights up like a Christmas tree. There is logic in the system to ensure messages are prioritised, but in the end the humans still have to systematically figure out what's going on.
What causes more issues in flight is that you have to maintain control of the aircraft while determining the issue and making a plan, which in zero visibility doing manual flight has a significant mental load by itself. So if the automation is affected by whatever issues you have, one crew member can't sit back and 100% think.
It's probably hard to simulate that extra load/stress for cyber incidents. For MCC training it's done in a flight simulator so all the noise, alarms, and having to maintain control is there.
It has the kind of buzzwords to get executives to buy in, who will then force it on their employees. I mean, if you offered a CEO an "Enterprise AI Browser," it feels like the sort of thing they'd salivate over. Then they can go tell the investors that they're AI now and line can go up.
Undoubtedly. If you go poking around most any security product (the product I was referring to was not in the EDR space), you'll see these sorts of issues all over the place.
It does not have to be the way it is. Security vendors could do a much better job testing and red teaming their products to avoid bypasses, and have more sensible defaults.
The counter argument is that Google doesn't maintain any of those services beyond the bare minimum for customer facing interactions, and exchanges between their services are even more poorly supported if they even exist at all.
Remember Google Sheets (already the Tonka Toys of spreadsheets) adding named tables to Sheets?
You can't use them in any of the AppsScript APIs. You have to fall back to manual searching for strings and index arithmetic.
Google Drive still barely supports anything like moving an entire folder to another folder.
They have failed at least a half dozen times now to deliver a functional chat/VOIP app after they already had one in Google Talk.
They regularly sunset products that actually have devoted and zealous user bases for indiscernible reasons.
Android is just chugging along doing nothing interesting and still carrying the same baggage it did before. It's a painful platform to develop for and the Jetpack Compose/Kotlin shift hasn't ameliorated much of that at all.
Their search offering is now worse than Bing, worse than Kagi, and worse than some of the LLM based tools that use their index. It's increasingly common that you can't even find a single link that you know an entire verbatim sentence from via Google search for inexplicable reasons. Exact keyword or phrase searches no longer work. You can't require a keyword in results.
I don't trust Google to deliver a single functional software product at this point, let alone a compelling integration of many different ones developed in different silos.
About the only thing going for them is how many people still have Gmail accounts from that initial invite only and generous limits campaign... 20 years ago?
Google is not a healthy company. I don't invest in them anymore, and barring some major change I probably won't again. It's a dying blue chip which is a terrible position to have your money in.
P.S. oh, and Gemini is awful by comparison in both price and quality to competitors. It isn't saving them. It's just a "me too".
P.P.S. I'm personally just waiting for their next "game changing" announcement bound to fail to get in at the top floor on shorting what stock I have. It's one of those cases where finance has rose coloured glasses based on brand name that anyone who's used Google products for years would be thoroughly disabused of.
There are so many opportunities for google to improve their services.
For example, I found myself asking Claude about places to see in a city I'm visiting while switching back and forth to gmaps. This would have been a much better experience integrated directly with the gmaps knowledge graph.
Failed country? By what measure? One of the highest GNPs per person, one of the most democratic, one of the highest winners of Nobel Prizes for literature per population, one of the safest countries in the world, one of the most food-secure countries in the world, overall very good and mostly free health and education, a highly redistributive tax system, friendly people, easy place to work...
I must get around to writing it up some day.