This post is the fifth in the series, "The Twelve Days of HaXmas."
This is the time of the year when kids and adults alike think back over the past year, wondering which of Santa's two lists they will be on. The nice list is reserved for those who say "please" and "thank you", brush their teeth, and of course, those who regularly update and practice their incident response plans.
Santa gives presents to the children on the nice list and coal to the ones on the naughty list. When the list gets checked this year, do you want a lump of coal, or do you finally want to get that Red Ryder Carbine Action 200-shot Range Model air rifle with a compass in the stock that you’ve always wanted? So how do you end up on the nice list? The best way to do this is to take a few tips from Santa and his elves.
- Santa doesn't wait until Christmas Eve to start making his list; it is updated and checked year round, and your information security policies and incident response plan should be as well.
- Santa's list is changed when new information is presented, and Santa is constantly on the lookout for things that may indicate the need for a change. It is important for you to keep track of when and how your plans should change.
- Santa spends all year planning and preparing for an event, Christmas Eve, and when it occurs it must go off without a hitch. This is the exact same concept we have with incident response; we plan and prepare all year and are constantly monitoring for an event (which, unlike Christmas, you actually don’t want to happen, unless you are a little twisted).
Work like Santa and the Elves: North Pole Operations Center
The North Pole is the center of operations, where Santa and the elves spend time in the workshop prepping for the big day. Just as Santa and his elves have their workshop, you have your information security team and SOC, though possibly with a bit less snow and singing (but not always!). The elves work year-round building amazing toys for children on the nice list. Similarly, your information security team deploys and manages technologies to protect your environment, keep you on the nice list, and make sure you are prepared when the big day does come. Your SOC runs with the same efficiency as the workshop, resolving alerts, troubleshooting issues, and keeping you informed of what is going on. If there is a problem in the workshop, the elves make sure Santa knows so it can be resolved and the problem can be avoided next year. If you experience problems, your SOC should be updating you with after-action reports and you should be updating your incident response plan.
Unfortunately, you are not Santa in one notable respect: You have no army of trained and seasoned elves. You might have a few Christmases under your belt, but not nearly as many as they do. People who work on this day in and day out, year round, are going to be the ones you need to ask for help. Even Tim Allen, when he had to temporarily become Santa, still had loads of help from professional elves who had been in the mix for a while. Bernard guided him through the process of planning and preparing for Christmas as well as executing on the big day. You probably won’t have a Bernard, so remember that you don’t do this all the time and it is okay to ask for help. Make sure someone is there to assist you in planning, preparing, and executing when you have to put on the big red suit and give toys to all the children on the nice list.
Making Christmas happen
Santa and his team make Christmas go off without a hitch every year. How? Because they plan and prepare for it all year. Preparing for an incident should be something that is done year round as well. This includes reviewing policies, processes, and plans, performing tabletop exercises and threat simulations, and writing after-action reports. The findings from these reports should be integrated back into the policies, processes, and plans in a constant cycle of self-evaluation and improvement.
Planning is the key to success and it is also the key to staying on the nice list. You don’t have to be perfect to stay on the nice list; you just have to put in a little work. Happy Holidays from the Rapid7 Analytic Response Team!