Blog post

On Importance of Incident Response

By Anton Chuvakin | July 15, 2013 | 4 Comments

securityincident response

“Invest in your incident response capabilities. Define and staff a process to quickly understand the scope and impact of a detected breach.“ (“Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence”)

Why do we say stuff like this?

Why do we say that, particularly, in a document about the future?

Why is the past also full of experts preaching, evangelizing, whining about the importance of quality incident response since… 1991 or so?

As a side node, NIST 800-3 “Establishing a Computer Security Incident Response Capability” was published in 1991 – you’d be able to find plenty of 2013-ready advice there [NIST does have a modern document on IR, 800-61rev2 that you should also check out when planning your incident response. 800-86 is another related background read].

All of this happens since organizations pay nowhere near enough attention to security incident response (IR). Thus, this is my short motivational post about the topic – I promise to keep it short so that I can focus on substance, not motivations.


  1. Prevention FAILS: just look at anti-virus tools and contrast their 99%+ deployment rates with known ongoing malware infection rates.
  2. Detection FAILS: just look at Verizon breach investigations report (where most of the incidents are not detected internally, ever or for years)
  3. What remains? INCIDENT RESPONSE!

Thus, IR is something that simply has to be there since this is where things will fall after all else fails – and fail it will (well, ideally, detection will work and you get to declare an incident on your own terms). Despite all the overwhelming evidence to the contrary, I still see organizations who think of preventative controls (firewalls, AV/EPP, WAF, etc) as “real” security measures, while monitoring, detective and response tools and practices are labeled “second class citizens.” Apart from saying that it is UTTERLY INSANE, what else I can add to motivate you to seriously focus on your incident response tools and practices?

Maybe the fact that companies that are “ahead of the curve” in security are doing it, while the laggards are barely waking up to it? What makes laggards not pay attention to IR? Obviously, heavy reliance on luck in their security planning is a contributing factor. Not paying attention to detecting makes them to never even know they are having an incident that need to respond to. Some think they are being “proactive” by their exclusive focus on preventative measures (in reality, this is being stupid, not being proactive).

By the way, you can be “proactive” and still focus on incident response: build more visibility (into traditional and cloud environments), get better using incident response tools and refine your response practices.

What is one thing you can do to move up from the very bottom? Create a reasonable (= not blindly copied off some website!) incident response plan! After all, some early research indicates that unplanned incidents end up being much more expensive than those you planned for….

There you have it – get motivated and make your incident response practices and tools better!

Posts related to the same research project:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Marcelo says:

    Great post. Couldn’t agree more.

  • Marcelo says:

    Forgot to mention my somewhat old presentation about this same topic: . It’s in brazilian portuguese, but may be helpful! 🙂

  • Thanks for the comment and the materials

  • Dina says:

    Great Post!!! (As usual)