Gartner Blog Network


Incident Response Becomes Threat Response … OR Does It: IR Research Commencing

by Anton Chuvakin  |  February 5, 2016

As planned, we are starting our research effort on EDR, but also one on security incident response (IR), a topic we last touched in 2013. Most likely, we will be updating our document titled “Security Incident Response in the Age of APT” [Gartner GTP access required] and possibly, but not likely, creating a new document too.

However, in our security IR (#DFIR) research, we are facing a conundrum. A lot of our client inquiries are about the very basics of IR (think "basics of basic IR"), mostly asked by organizations recovering from a dire malaise of "prevention-only" security [please, please, please FINALLY get the memo: you cannot prevent all threats!]. For these problems, existing Gartner coverage, such as Rob's excellent "Six Decisions You Must Make to Prepare for a Security Incident" and "How to Write a Security Incident Response Procedure Document" [Gartner access required], is perfectly adequate. I sometimes joke that for many of these IR "problems", the ancient NIST SP 800-3 from 1991 (!) will work just fine…

On the other hand, we do get some [read: very, very few] inquiries from the opposite end of the spectrum, where organizations refine their already-excellent IR processes, decide which SIRP (security incident response platform) to buy, deal with IR in some extra-challenging environments (such as public cloud, for example) or, generally the most exciting, fight it out with real APTs in the trenches of their own IT environment. Unfortunately, these clients are uncommon because, let's be honest here, for most organizations that encounter an APT in a dark alley, the only approach is to call "the firm with the name that starts with 'M'" and hope for the best…

As a result, we ended up with a document that is somewhat helpful to BOTH of the above, namely our current work "Security Incident Response in the Age of APT." However, we do see the limitations of this approach. We can either write our own "basic guide to advanced IR" (this phrase is "borrowed" from this excellent work) or go back to writing a newly structured approach to security incident response basics…

So, any advice for us on this?!

Category: announcement, incident-response, security

Anton Chuvakin, Research VP (5+ years with Gartner, 16 years in the IT industry)

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…



