When I started our security IR research in 2013, one of the questions I sought to answer was “how is IR today different from the old days, when most of the security incident response guidance [example, another one] was written?” The resulting research provides some examples, but here is one example that really, really did it for me:
Remember the classic DoE/NIST/SANS [whatever is its “original origin”] 6-step IR process (“Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned”)? Imagine you are following the steps and then just FAIL at the Eradication stage. You try harder – and still FAIL. And then FAIL again. You then try new things – and it still does not work.
In the past, after you patched and cleaned, the 2003 threat [say, the Blaster worm] was truly gone: it was Eradicated, and you got to progress to Recovery and then brew coffee and Learn Lessons. However, in 2016 there are cases where you never get to progress, since Eradication just fails. The incident is still ongoing because the threat is still there. And you can do nothing about it! That’s 2016 for you – you can’t assume the attacker will allow you to proceed to Steps 5 and 6... and so you need to learn to live in that reality.
Any other striking examples on how today’s IR differs from, say, 2005?
Posts related to this research project:
- Incident Response Becomes Threat Response … OR Does It: IR Research Commencing
- My Incident Response Paper Publishes (2013)
- On Three IR Gaps
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.