Reservist Model: Distributed Approach to Scaling Incident Response

Wednesday, January 29, 2020 - 2:30 pm3:00 pm

Swathi Joshi, Netflix


Scaling incident response is inherently hard. Incidents happen in waves and have sporadic surges. In 2018, we witnessed this first hand with a "December to Remember," where on average each responder had to deal with multiple incidents across different time zones. In an ideal world you have a large Incident Response team on standby, but hiring enough to match the occasional surge is expensive and impractical. How do you manage the demand without adding a massive headcount?

In this talk, I will describe how we have approached this problem at Netflix: a complex environment with a small incident response team and growing needs. I will delve into how we created the Reservist Program, a pool of auxiliary Crisis Managers that supplement our security incident response function. At the end of the talk, the audience will be equipped to build their own program with simple steps.

Swathi Joshi, Netflix

Swathi Joshi leads Netflix's Detection and Response team which focuses on managing the inevitable security incidents that arise and building detection pipelines to minimize risk to Netflix. Prior to Netflix, she was an Engagement Manager and Escalations Manager at Mandiant/FireEye, helping companies defend against Advanced Persistent Threats (APT). Swathi was born in Mangalore, India. She received her Master's degree in Information Security and Assurance from George Mason University and sits on the board of

@conference {244744,
author = {Swathi Joshi},
title = {Reservist Model: Distributed Approach to Scaling Incident Response},
year = {2020},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = jan

Presentation Video