POSTMORTEM: The Great Outlook Incident Of Q3

A reconstructed incident report, obtained by Cybersecurity Smith.

Severity: SEV-1
Duration: 4 hours, 17 minutes
Affected systems: Microsoft Outlook (corporate)
Affected users: All of them, loudly


13:42 — Karen in Marketing reports Outlook is "doing the thing again."

13:43 — Help Desk asks what "the thing" is. Karen escalates by calling her manager.

13:51 — Security Operations Center detects "anomalous email behavior" and opens a P1. SOC analyst Tyler M. suspects nation-state actor.

13:52 — Sysadmin Dave Karlsen notices Outlook is broken. Begins investigation by, in his words, "looking at it."

14:04 — Tyler M. files a P1 ticket with IT requesting they "engage incident response protocols and consider isolating the affected hosts."

14:05 — Dave restarts the Exchange connector.

14:06 — Outlook works.

14:07 — Tyler M. files a follow-up ticket asking for IOCs and a forensic image.

15:11 — CISO Brad Thornwell-Pierce is briefed on the incident. He requests a full RCA, a tabletop exercise, and "a moment of reflection." He schedules a meeting for the following Tuesday at 9 AM.

17:59 — Dave goes home. Has not spoken in three hours.

Tuesday, 9:00 AM — Tabletop exercise begins. Dave is not invited. Brad presents 47 slides on "Lessons Learned." Lesson #1: "We must invest in resilient email infrastructure." Lesson #14: "Communication is key." Lesson #47: "Our culture of security made the difference."


Root cause (per official report): "Sophisticated availability event impacting electronic mail systems. Mitigated through coordinated response across security and IT teams."

Root cause (per Dave): "The connector. It was the connector. It's always the connector."
