As I am diving deeper into modern security incident response (IR) practices, one shocking realization reigns supreme: the arrow is dead. Well, let me take this back: as we all know, nothing in security is ever dead. Password guessing, an attack from the 1970s (if not earlier), is alive and well. Stateless firewalls are not dead. No countermeasure and no threat has been fully retired – even though some say that the risk of punch cards being damaged in the mail is 100% gone…
In any case, the “arrow model” of incident response where the normal IT operation is suddenly interrupted by an incident which is then remediated has been losing steam in this day and age. Think about it! We have constant infection rates at 1-2% of systems (source), ongoing attack campaigns, persistent adversaries, (even our compliance gets to be “continuous”) – why should IR be different?
[Figure 1: ‘Normal –> incident –> back to normal’ is no more – or at least not the only case anymore.]

[Figure 2: More common today – the only case for advanced threats; multiple IR loops happening at any given time.]
While some will try to draw a clear line between monitoring (before/after the incident) and incident response (during the incident), the line is getting much blurrier than many think. Ongoing indicator scans (based on external and internal sources), malware and artifact reversing, network forensics “hunting”, etc. all blur the line and become continuous incident response activities.
BTW, in this model, the question “what do incident responders do between incidents?” makes no sense…