
Top-shelf Incident Response vs Barely There Incident Response

By Anton Chuvakin | August 09, 2013 | 2 Comments

security, incident response

Remember that incident definitions post? The definitions vary so much that some companies essentially have an incident (or more) every day while others seem to never have one (and thus don’t focus on incident response tools and practices). It is amazing how some organizations treat incidents as common (hey! there is one going on now!) and take action WHILE many others are still under the “it can’t happen to us” malaise (actually, it probably already did).

One dimension of this gap is related to the old theme: security “haves” and “have-nots” (that I mentioned here and here). It appears – and that is a hypothesis at this point – that security incident response is an area where said gap is very wide. The leaders (the “haves”) and the laggards (the “have-nots”) are Universes apart… This is partly a matter of threats (who is after your data and systems?) and partly a matter of available security resources. Yes, there is a huge difference between the company that has 0.5 of a full-time security guy and one that has 12 full-time malware reverse engineers on staff (you can probably imagine how many other security professionals they have if their reversing staff alone fills up a mini-bus).

However, this gap is not only in the wallet, but also in the mind! As I mentioned in “Bye-bye, Compliance Thinking. Welcome, Military Thinking!” and “Alert-driven vs Exploration-driven Security Analysis”, this “mind gap” makes some laggards simply coast on luck until they are compromised (and discover it) and then “run on panic” for a while. And then go back to luck.

The leaders know that “today, and into the foreseeable future, American [A.C. – not really just American, of course] companies will face a motivated, technically sophisticated, and well-resourced adversary intent on depriving businesses of their wealth and intellectual property.” (source) The leaders, or “the haves”, practice ongoing IR, understand the role of intelligence, “hunt”, build analytics, etc. The laggards wait for the call from the credit card company or the FBI.

Now the question remains: how do we learn from the “top shelf” organizations, the Enlightened Few, and make this knowledge *usable* by the rest of the organizations?

In any case, why am I talking about this? Oh, it’s because I have another DRAFT maturity table for your review, this time focused on security incident response:

| IR Level | Process | People |
|---|---|---|
| 1 | Ad hoc IR, or no plans, “reimage and go” | No IR team, no IR roles, ad hoc response |
| 2 | Untested, but filed IR plans (usually high level), tools | IR team defined, not tested |
| 3 | Tested and refined plans and procedures | IR team with processes defined |
| 4 | Integrated IR and monitoring, hunting for incidents, refining plans after incidents | Virtual or full-time IR team, linked to monitoring, balanced skills |
| 5 | Integrated IR, monitoring and intelligence, “continuous IR”, incident discovery | A standing, dedicated CIRT, separate forensics and reversing teams, hunters |

What do you think?

Posts related to the same research project:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Ted Julian says:

    Nice job, Anton. Another aspect that would be good to include is the breadth of the program both in terms of staff (are HR, Legal, Privacy, Marketing, Compliance, etc. involved) and breadth (plans for lost laptops, misplaced box of paper records, stolen servers… some firms even include fires and natural disasters).

  • @ted Thanks for the comment. Indeed, going beyond “oh no, I have a virus” in IR is a good sign of a more mature program.