As I mentioned in my Incident Response: The Death of a Straight Line post, security thinking is shifting (slowly, since thinking always shifts much more slowly than the “commentariat” expects) from “an incident is something that won’t happen to us” (a big-“I” Incident is rare and, with luck, may never happen) to “an incident is happening right now” (small-“i” incidents are always present in today’s expansive and complex networks). As a result, more organizations are starting to pay attention to security incident response practices and to the tools that help with IR (SIEM, network forensics tools (NFT), endpoint threat detection and response (ETDR), etc.), and to adjust their IR thinking accordingly.
Let’s now do a quick test:
- Is ongoing indicator sweep across endpoints using an ETDR tool monitoring or incident response?
- Is analyzing malware and feeding the results back into the sweep still monitoring?
- Is looking at SIEM correlation alerts that indicate malware or exfiltration still monitoring?
- Is using a network forensics tool to look for signs of compromised systems (rather than attacks) monitoring or IR?
- Is hunting monitoring or IR?
You get the idea: many routine security monitoring activities spill over into alert/discovery triage, which in turn spills over into the “Detect” phase of the incident response process.
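To make that spill-over concrete, here is an added example (mine, not code from the post or from any Gartner research) that behaves like the second question above: a toy indicator sweep that checks constructed endpoint file inventories against a starting indicator list, “analyzes” each hit, feeds any newly derived indicators back into the list, and re-sweeps until nothing new turns up. All host names, paths, hashes and the analysis table are constructed for illustration; the dictionary lookup stands in for whatever an ETDR tool actually does on the endpoint.

```python
from dataclasses import dataclass

# Constructed sample data: what an ETDR/EDR inventory query might return per host
# (path -> file hash). Hosts, paths and hashes are made up for this illustration.
ENDPOINTS = {
    "ws-001": {
        "C:\\Windows\\System32\\svchost.exe": "good100",
        "C:\\Users\\bob\\AppData\\Roaming\\updater.exe": "bad001",
    },
    "ws-002": {
        "C:\\Windows\\System32\\svchost.exe": "good100",
        "C:\\ProgramData\\svc\\helper.dll": "bad002",
    },
    "ws-003": {
        "C:\\Windows\\System32\\svchost.exe": "good100",
    },
    "srv-010": {
        "C:\\Windows\\Temp\\a.tmp": "bad003",
    },
}

# Constructed starting indicator set, e.g. one hash from a threat-intel feed.
INITIAL_IOCS = {"bad001": "dropper"}

# Constructed stand-in for malware analysis output: sample hash -> indicators
# derived from it (second-stage hashes, dropped files, and so on).
ANALYSIS_RESULTS = {
    "bad001": {"bad002": "second-stage loader", "bad003": "persistence DLL"},
    "bad002": {},
}


@dataclass(frozen=True)
class Hit:
    host: str
    path: str
    file_hash: str
    label: str


def sweep(endpoints, iocs):
    """One indicator sweep: every (host, path) whose hash is in the IOC set."""
    return [
        Hit(host, path, h, iocs[h])
        for host, files in endpoints.items()
        for path, h in files.items()
        if h in iocs
    ]


def analyze_sample(file_hash):
    """Stand-in for malware analysis; a real pipeline would detonate or reverse the sample."""
    return ANALYSIS_RESULTS.get(file_hash, {})


def sweep_with_feedback(endpoints, iocs, max_rounds=10):
    """Sweep, analyze new hits, fold derived indicators back in, re-sweep until nothing new.

    Returns (final_ioc_set, list_of_hit_lists_per_round). max_rounds bounds the loop
    in case analysis keeps producing novel indicators.
    """
    known = dict(iocs)
    analyzed = set()
    rounds = []
    for _ in range(max_rounds):
        hits = sweep(endpoints, known)
        rounds.append(hits)
        grew = False
        for hit in hits:
            if hit.file_hash in analyzed:
                continue
            analyzed.add(hit.file_hash)
            for derived_hash, label in analyze_sample(hit.file_hash).items():
                if derived_hash not in known:
                    known[derived_hash] = label
                    grew = True
        if not grew:  # fixed point: the sweep result is now the Detect-phase picture
            break
    return known, rounds


def compromised_hosts(endpoints, iocs):
    """Hosts with at least one hit once the feedback loop has converged."""
    _, rounds = sweep_with_feedback(endpoints, iocs)
    return sorted({hit.host for hit in rounds[-1]})


if __name__ == "__main__":
    final_iocs, rounds = sweep_with_feedback(ENDPOINTS, INITIAL_IOCS)
    for i, hits in enumerate(rounds, 1):
        print(f"round {i}: {[(h.host, h.file_hash) for h in hits]}")
    print("indicators now known:", sorted(final_iocs))
    print("hosts needing triage:", compromised_hosts(ENDPOINTS, INITIAL_IOCS))
```

On the constructed data the first round is plain monitoring: one feed indicator, one host. The analysis of that hit produces two more indicators, and the second round finds two further hosts that the original feed would never have flagged. Nothing in the loop marks the point where “monitoring” ended and “incident response” began, which is the post’s argument in miniature.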
Notice something, however. Advanced IR moves closer to security monitoring, while basic “zap and reimage”-style IR (what is the polite term for it?) does not (see Top-shelf Incident Response vs Barely There Incident Response for details). So imagine you are one of those lucky organizations with BOTH a standing SOC and a standing CIRT (yes, those do exist!). How do you separate what each team does? Where is the hand-off? Where do they work together?
In any case, I am ready to say: stop arguing about whether this is still monitoring or already IR. JUST DO IT!
Posts related to the same research project:
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.