As I am diving deeper into modern security incident response (IR) practices, one shocking realization reigns supreme: the arrow is dead. Well, let me take this back: as we all know, nothing in security is ever dead. Password guessing, an attack from the 1970s (if not earlier), is alive and well. Stateless firewalls are not dead. No countermeasure and no threat has been fully retired – even though some say that the risk of punch cards being damaged in the mail is 100% gone…
In any case, the “arrow model” of incident response where the normal IT operation is suddenly interrupted by an incident which is then remediated has been losing steam in this day and age. Think about it! We have constant infection rates at 1-2% of systems (source), ongoing attack campaigns, persistent adversaries, (even our compliance gets to be “continuous”) – why should IR be different?
Figure 1: ‘Normal –> incident –> back to normal’ is no more – or at least not the only case anymore.

Figure 2: More common today – the only case for advanced threats; multiple IR loops happening at any given time.
While some will try to draw a clear line between monitoring (before/after the incident) and incident response (during the incident), the line is getting much blurrier than many think. Ongoing indicator scans (based on external and internal sources), malware and artifact reversing, network forensics “hunting”, etc., all blur the line and become continuous incident response activities.
BTW, in this model, the question “what do incident responders do between incidents?” makes no sense…
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.