Minimizing end-user disruption during incident response on macOS

Incident Response is not a question of whether, but when. And while excitement is high while the incident response team is actively investigating, the IT organization will be dreading the clean-up effort, the end-user education effort, and most importantly the helpdesk tickets about the impact to the end user’s productivity. While organizations are focused on reducing dwell time of attacks and quickly remediating, we generally don’t look at the metrics of end-user impact. Even less frequently do we discuss this for end-users using Macs, though these end users often have higher expectations on their device experience and privacy than those using Windows devices. In this session, we will discuss the importance of keeping a focus on end-users during incident response and how to best structure incident response processes to minimize that impact. We will propose an expansion of the metrics most SOCs track that go beyond the baseline of security effectiveness but start to consider the impact of an incident to the organization. From there, let us explore how IT and Security teams can work together to simplify and automate much of the investigation, isolation, and remediation of an attack on macOS while being respectful of the end user’s privacy and productivity. By simplifying and codifying the most common types of inquiries to automatically gather information, much of the manual work of investigating an incident on a Mac can be removed even if the device is outside of the organization's environment. Once the investigation is complete, security can then leverage IT tools to allow for end-user re-education and drastically simplify clean-up. If we can keep an end-user productive during an incident, isolate the attacker, and quickly remediate the attack without interrupting the end-user or asking them to give up their Mac for “cleaning,” then organizations can become more effective and efficient with our resources overall.