Cloud Security Podcast by Google

EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends

Apr 28, 2025

In this engaging discussion, Kirstie Failey from the Google Threat Intelligence Group and Scott Runnels from Mandiant Incident Response dive into the art of transforming incident reports into the M-Trends report. They explore the paradox of learning from past incidents versus proactive security measures. The duo uncovers the complexities of 'dwell time' metrics and why repeated security mistakes persist. They also discuss the unique challenges faced by smaller organizations and the necessity of effective storytelling in cybersecurity reporting. A must-listen for security enthusiasts!

35:19

Creator website

Episode guests

Scott Runnels

Kirstie Failey

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Transforming incident reports into actionable M-Trends insights is challenging due to the need for cohesive storytelling amidst varied audience expectations.

Dwell time metrics require careful interpretation, as shorter times don't always equate to better security outcomes depending on the incident context.

Deep dives

Challenges in Creating the M-Trends Report

The process of transforming numerous incident response reports into the M-Trends report is fraught with challenges. Consultants are typically trained to create descriptive reports focused on past events, which makes it difficult to extract prescriptive insights and actionable recommendations. This often leads to a demanding revision process, as consultants must adapt their narrative styles to fit the formal, cohesive structure that M-Trends requires. Additionally, balancing engaging storytelling with factual accuracy is crucial, highlighting the importance of collaborating with intelligence teams to support claims with concrete data.

Intro

3min

Crafting Narratives in Incident Reporting

13min

Navigating Dwell Time and Security Teams

14min

The Cyclical Nature of Security Challenges and Insights from M-Trends

2min

Strategies for Enhancing Cybersecurity Posture Using MITRE Framework

4min

Guests:

Kirstie Failey @ Google Threat Intelligence Group
Scott Runnels @ Mandiant Incident Response

Topics:

What is the hardest thing about turning distinct incident reports into a fun to read and useful report like M-Trends?
How much are the lessons and recommendations skewed by the fact that they are all “post-IR” stories?
Are “IR-derived” security lessons the best way to improve security? Isn’t this a bit like learning how to build safely from fires vs learning safety engineering?
The report implies that F500 companies suffer from certain security issues despite their resources, does this automatically mean that smaller companies suffer from the same but more?
"Dwell time" metrics sound obvious, but is there magic behind how this is done? Sometimes “dwell tie going down” is not automatically the defender’s win, right?
What is the expected minimum dwell time? If “it depends”, then what does it depend on?
Impactful outliers vs general trends (“by the numbers”), what teaches us more about security?
Why do we seem to repeat the mistakes so much in security?
Do we think it is useful to give the same advice repeatedly if the data implies that it is correct advice but people clearly do not do it?

Resources: