Gartner Blog Network


Top-shelf Incident Response vs Barely There Incident Response

by Anton Chuvakin  |  August 9, 2013  |  4 Comments

Remember that incident definitions post? The definitions vary so much that some companies essentially have an incident (or more) every day while others seem to never have one (and thus don’t focus on incident response tools and practices). It is amazing how some organization treat incidents as common (hey! there is one going on now!) and take action WHILE many others are still under “it can’t happen to us” malaise (actually, it probably already did).

One dimension of this gap is related to the old theme: security “haves” and “have notes” (that I mentioned here and here). It appears – and that is a hypothesis at this point – that the area of security incident response is one where said gap appears to be very wide. The leaders (the “haves”) and the laggards (the “have-nots”) are Universes apart… This is partly a matter of threats (who is after your data and systems?) and available security resources. Yes, there is a huge difference between the company that has 0.5 of a full-time security guy and one that has 12 full-time malware reverse engineers on staff (you can probably imagine how many other security professionals they have if their reversing staff alone fills up a mini-bus).

However, this gap is not only in the wallet, but also in the mind! As I mentioned in “Bye-bye, Compliance Thinking. Welcome, Military Thinking!” and “Alert-driven vs Exploration-driven Security Analysis”, this “mind gap” makes some laggards simply coast on luck until they are compromised (and discover it) and then “run on panic” for a while. And then go back to luck.

The leaders know that “today, and into the foreseeable future, American [A.C. – not really just American, of course] companies will face a motivated, technically sophisticated, and well-resourced adversary intent on depriving businesses of their wealth and intellectual property.” (source) The leaders, or “the haves”, practice ongoing IR, understand the role of intelligence, “hunt”, build analytics, etc. The laggards wait for the call from the credit card company or the FBI.

Now the question remains: how do we learn from the “top shelf” organizations, the Enlightened Few, and make this knowledge *usable* by the rest of the organizations?

In any case, why am I talking about this? Oh, it’s because I have another DRAFT maturity table for your review, this time focused on security incident response:

IR Level Process People
1 Ad hoc IR, or no plans, “reimage and go” No IR team, no IR roles, ad hoc response
2 Untested, but filed IR plans (usually high level), tools IR team defined, not tested
3 Tested and refined plans and procedures IR team with processes defined
4 Integrated IR and monitoring, hunting for incidents, refining plans after incidents Virtual or full-time IR team, linked to monitoring, balanced skills
5 Integrated IR, monitoring and intelligence, “continuous IR”, incident discovery A standing, dedicated CIRT, separate forensics and reversing teams, hunters

What do you think?

Posts related to the same research project:

Category: incident-response  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Top-shelf Incident Response vs Barely There Incident Response


  1. […] ← Top-shelf Incident Response vs Barely There Incident Response […]

  2. Ted Julian says:

    Nice job, Anton. Another aspect that would be good to include is the breadth of the program both in terms of staff (are HR, Legal, Privacy, Marketing, Compliance, etc. involved) and breadth (plans for lost laptops, misplaced box of paper records, stolen servers… some firms even include fires and natural disasters).

  3. @ted Thanks for the comment. Indeed, Going beyond “oh no, I have a virus” in IR is a good sign of a more mature program.

  4. […] monitoring, while – what’s the polite term?- basic “zap and reimage”-style IR does not (see Top-shelf Incident Response vs Barely There Incident Response for more details). So, imagine you are one of those lucky organizations with BOTH a standing SOC […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.