WEBVTT

00:00:00.920 --> 00:00:04.690
The final step in this incident response and incident management

00:00:04.690 --> 00:00:09.250
module is to review what we learned from this incident.

00:00:09.460 --> 00:00:14.690
In other words, we conduct a post-incident review and apply lessons learned.

00:00:16.600 --> 00:00:19.550
When we review, we should look at what went well.

00:00:19.750 --> 00:00:22.450
We certainly want to continue the things that went well,

00:00:22.930 --> 00:00:28.360
but we also want to do a very truthful

00:00:28.360 --> 00:00:31.240
self-assessment of what could be improved.

00:00:32.250 --> 00:00:36.380
We want to know who demonstrated competence and the appropriate demeanor.

00:00:36.630 --> 00:00:40.510
Did people get angry and argue during the middle of the crisis?

00:00:41.160 --> 00:00:43.810
Who were the ones that displayed leadership,

00:00:44.090 --> 00:00:49.480
the ability to make good decisions, rational decisions, in the middle of chaos?

00:00:50.370 --> 00:00:53.990
One of the things we'll sometimes do is we'll do a review right

00:00:54.000 --> 00:00:57.490
following the incident when the emotions are still high,

00:00:57.570 --> 00:01:00.650
everybody's still a little bit, shall we say,

00:01:00.650 --> 00:01:03.650
agitated, and that's often called a hot wash.

00:01:04.349 --> 00:01:07.130
Let's hear, right now, what happened.

00:01:08.360 --> 00:01:10.450
The next step is to do a cold wash,

00:01:10.890 --> 00:01:14.230
to go back later and look at it in the cold light of dawn,

00:01:14.230 --> 00:01:17.270
and now that people have had a chance to recover,

00:01:17.270 --> 00:01:20.620
think about it, and sort of say, okay,

00:01:20.840 --> 00:01:24.670
what do we think now that we've had a little more time to reflect on it?

00:01:25.250 --> 00:01:29.020
Both are important because sometimes in the cold wash,

00:01:29.020 --> 00:01:32.570
we can have lost some of the things that we knew about at the time.

00:01:33.210 --> 00:01:38.080
But in a hot wash, we didn't always use the most rational thinking either.

00:01:39.790 --> 00:01:43.440
The idea of lessons learned is to improve our preparation,

00:01:44.350 --> 00:01:47.140
improve our plans, improve our teams,

00:01:48.140 --> 00:01:51.280
make sure we have the right tools and training that are needed,

00:01:52.000 --> 00:01:55.830
improve our prevention through things like enhanced

00:01:55.830 --> 00:01:58.840
controls and improve our detection.

00:01:59.380 --> 00:02:03.110
I remember talking with one company that had a major breach, and as they said,

00:02:03.520 --> 00:02:05.960
the one thing that they learned was they weren't

00:02:05.960 --> 00:02:07.850
even monitoring the right things.

00:02:08.220 --> 00:02:10.199
They had monitored many things,

00:02:10.350 --> 00:02:14.740
but they didn't monitor the things that would have told them about that breach.

00:02:15.490 --> 00:02:19.700
And certainly, we have to look at whether or not our containment really worked.

00:02:19.830 --> 00:02:22.840
Was it an effective response?

00:02:24.340 --> 00:02:29.730
A lot of this comes down to awareness, letting people know what we can learn,

00:02:29.730 --> 00:02:30.980
what they can do,

00:02:31.250 --> 00:02:37.120
certainly making the whole situation alive for them as well, and addressing the

00:02:37.120 --> 00:02:40.920
lessons learned through our various awareness sessions.

00:02:42.290 --> 00:02:46.420
One of the things is that we want everybody in the staff to be

00:02:46.420 --> 00:02:51.110
a part of our security team and have a security culture so they

00:02:51.110 --> 00:02:55.340
are conscious of the types of threats that are out there and

00:02:55.340 --> 00:02:56.800
know what to watch for.

00:02:58.130 --> 00:02:58.990
In summary,

00:03:00.060 --> 00:03:03.640
every incident contains key learning points that

00:03:03.640 --> 00:03:05.480
the organization can learn from.

00:03:05.750 --> 00:03:12.060
We often say the problem is trying to extract those small little flakes of gold

00:03:12.070 --> 00:03:16.530
from the mountain of rubble of the actual incident itself.

00:03:17.140 --> 00:03:20.390
We want to improve our incident response so we're

00:03:20.390 --> 00:03:22.900
better prepared for future incidents.
