Gartner Blog Network


Fusion of Incident Response and Security Monitoring?

by Anton Chuvakin  |  August 15, 2013  |  1 Comment

Where does security monitoring end and incident response begin? Let’s quickly ponder this one …

As I mentioned in my Incident Response: The Death of a Straight Line post, security thinking is shifting [slowly – as thinking ALWAYS shifts much slower than the “commentariat” expects] from “an incident is something that won’t happen to us” (a Big “I” incident is rare and may not even happen, if we are lucky) to “an incident is happening now” (small “i” incidents in today’s expansive and complex networks are always there). As a result, more organizations are starting to pay attention to security incident response practices and to the tools helpful for IR (SIEM, NFT, ETDR, etc.), as well as adjusting their IR thinking.

Let’s now do a quick test:

  • Is ongoing indicator sweep across endpoints using an ETDR tool monitoring or incident response?
  • Is analyzing malware and feeding the results back into the sweep still monitoring?
  • Is looking at SIEM correlation alerts that indicate malware or exfiltration still monitoring?
  • Is using a network forensics tool to look for signs of compromised systems (rather than attacks) monitoring or IR?
  • Is hunting monitoring or IR?

You get the idea – many routine security monitoring activities spill over into alert/discovery triage, which in turn spills over into the “Detect” phase of the incident response process.

Notice something, however. Advanced IR gets closer to security monitoring, while basic (what’s the polite term?) “zap and reimage”-style IR does not (see Top-shelf Incident Response vs Barely There Incident Response for more details). So, imagine you are one of those lucky organizations with BOTH a standing SOC and a standing CIRT (yes, those actually exist!). How do you separate what each team does? Where is the hand-off? Where do they work together?

In any case, I am ready to say “stop arguing about whether this is still monitoring or already IR” – JUST DO IT!



