Podcast 158 question for John Solomon

Great podcast! Thanks. I agree ephemeral artifacts are more challenging when it comes to IR. A couple of questions for John Solomon.

Q1: When doing IR in the cloud, when do you consider a security event an incident? And is that different in the cloud vs. on prem?

Q2: The security community is struggling to even monitor ML environments. Part of it is that they are trying to understand the technology and what they need to do for basic monitoring. There are a few projects around, like NVIDIA's Morpheus on GitHub, so my question is: when it comes to IR around MLSecOps, what does malicious look like from your perspective? And what design requirements do you ask the data scientists to build in when it comes to doing IR in ML in the cloud? Thanks!


I think the event vs. incident discussion is really interesting. I've certainly met teams that have come to see cryptomining as just another event, rather than something that requires full incident response engagement. I'm not sure there's a standard approach out there yet; would love to hear from others on this one.


Probably early days for answering the IR for ML question, but I can give the standard IR answer of make sure you've got logging enabled and reasonable log retention capabilities!