#EXPERTISE
Yesterday I talked about Tools, today the need for continual education and consolidation of support tiers.
I just got off a 2 hour support call where I solved a month-long issue by being aware of a subtle behavior change that also, surprise, was updated a month ago. https://twitter.com/swiftonsecurity/status/1281340615431729156
Earlier today I was on a small conference call with a peer. And they said this other team didn’t have the knowledge or contextual awareness to make a decision.
So I asked, “Why are you and I qualified but they’re not?”
The other tech thought for a bit.
“We’re always researching.”
IT security is not a job that should require 12 hour days and constant work. That’s not true or fair.
But it does require ongoing casual curiosity and determination to be aware of the ecosystem.
Especially the small new quirks of your core toolset and those of your peers.
Every job in “IT” is an “IT Security” job. To be aware of the context of your decisions on attacker abilities is universal.
At the highest maturity there should hardly be an IT Security department. It’s everybody’s job to provide operational assurance. There’s no delineation.
Anyway it’s Friday night. This department technical lead had opened a ticket days earlier that had been kicked around by various departments saying it’s not their problem. It finally gets assigned to “IT Security - All*”
I say screw it, I’ll call them. I’m the Windows Lead. My job.
My position at my organization is unique. It does not matter what technology, server, program, domain, or seniority level someone is.
If it’s Windows, ultimately I have jurisdiction over their problem and resolution. For x0k employees you cannot override me.
So I go in on it.
User has a problem with performance of X files they try to run. Every other group punted. It’s not network loss traffic on the VPN. It’s not a Windows update. It’s not a policy change. Hey you should have opened an IT Packaging request we can’t help you.
So now it’s me on Friday.
I control their desktop remotely through the product I made my department buy.
They are connecting to a file share over VPN. But I know there are various abstractions. This is a DFS share which is handled uniquely in the Windows kernel. Vendors don’t test this. I use ProcMon.exe.
I can see in Resource Monitor even after the user right-clicks on a file, there is continuous network traffic at 40 mbps+.
This means an extension to Windows is attempting to read the full 200 megabyte EXE file in a parallel download.
I run autoruns.exe to review what’s loaded.
It turns out that the department’s problem is they are having users load a DFS share folder full of files that the Explorer extension is attempting to scan naively and this loads down the VPN.
I noted a change in their scan behavior from a blog but it didn’t occur to me until now.
I use a unique registry key to disable this behavior and the user reboots.
The previous performance and behavior is restored. They no longer have to wait 10 minutes for Windows to respond.
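The step above where autoruns.exe is used to review what Explorer has loaded can also be done from a read-only script. The following is an added example, not from the thread and not the fix the author applied; it only enumerates the context-menu and property-sheet shell extension handlers registered under HKEY_CLASSES_ROOT (the Explorer surface Autoruns covers) and resolves each CLSID to the DLL that implements it, so a troubleshooter can see which third-party module is hooked into the right-click path before deciding what to disable. The registry paths are standard Windows locations; no vendor-specific key is assumed.

```powershell
# Added example (not from the thread): list Explorer shell extension handlers
# that run when a user right-clicks a file or folder, and the DLL behind each.
# Read-only. Does not change any setting; the disabling step in the thread is
# vendor-specific and is not reproduced here.
function Get-ExplorerShellExtension {
    # Standard HKCR locations where context-menu and property-sheet handlers
    # are registered for all files ("*"), all filesystem objects, and folders.
    $roots = @(
        'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers',
        'Registry::HKEY_CLASSES_ROOT\*\shellex\PropertySheetHandlers',
        'Registry::HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers',
        'Registry::HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers',
        'Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root | ForEach-Object {
            # The handler's CLSID is either the key's default value or the key name itself.
            $clsid = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
            if ([string]::IsNullOrWhiteSpace($clsid)) { $clsid = $_.PSChildName }

            # Resolve the CLSID to the in-process COM server (the DLL Explorer loads).
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $module = if (Test-Path -LiteralPath $inproc) {
                (Get-ItemProperty -LiteralPath $inproc).'(default)'
            } else {
                '<CLSID not registered>'
            }

            [pscustomobject]@{
                Class   = ($root -split '\\')[-3]   # e.g. "*", "Directory", "Background"
                Handler = $_.PSChildName
                CLSID   = $clsid
                Module  = $module
            }
        }
    }
}

# Usage: show everything, then narrow to modules outside the Windows directory,
# which is where a third-party extension scanning files on a share would show up.
Get-ExplorerShellExtension | Format-Table -AutoSize
Get-ExplorerShellExtension |
    Where-Object { $_.Module -notlike "$env:SystemRoot*" } |
    Format-Table -AutoSize
```

Run it in the affected user's session (per-user registrations under HKCU\Software\Classes are not covered by this HKCR-only pass; extend `$roots` if needed). The second listing, handlers whose module lives outside the Windows directory, is the short list to compare against the vendor's own documentation before changing any setting.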

This could not have been solved through “change management” or procedural troubleshooting.
Everyone in IT did their jobs. They made sure it was not their fault.
But they did not solve the problem by finding other people’s responsibility in fixing the problem.

It took someone who operates beyond blame and procedure.
It took someone on the line until it’s fixed.
It is an incredible and unfair burden to make someone responsible for outcomes regardless of their responsibility in causing it.
But that is what it takes.

Do you hire people who have what it takes? Do you support them in their outlays of responsibility?

Or do you make them fail?