Blog post

Fusion of Incident Response and Security Monitoring?

By Anton Chuvakin | August 15, 2013 | 0 Comments

securitymonitoringincident response

Where does security monitoring end and incident response begins? Let’s quickly ponder this one …

As I mentioned in my Incident Response: The Death of a Straight Line post, security thinking is shifting [slowly – as thinking ALWAYS shifts much slower than the ”commentariat” expects] from “incident is something that won’t happen to us” (Big “I” incident is rare and may not even happen, if we are lucky) to “incident is happening now” (small “i” incidents in today’s expansive and complex networks are always there). As a result, more organizations start to pay attention to security incident response practices and tools helpful for IR (SIEM, NFT, ETDR, etc) as well as adjust their IR thinking.

Let’s now do a quick test:

  • Is ongoing indicator sweep across endpoints using an ETDR tool monitoring or incident response?
  • Is analyzing malware and feeding the results back into the sweep still monitoring?
  • Is looking at SIEM correlation alerts that indicate malware or exfiltration still monitoring?
  • Is using a network forensics tool to look for signs of compromised systems (rather than attacks) monitoring or IR?
  • Is hunting monitoring or IR?

You get the idea – many routine security monitoring activities spill over to alert/discovery triage that further spill over to the “Detect” phase of the incident response process.

Notice something, however. Advanced IR gets closer to security monitoring, while – what’s the polite term?- basic “zap and reimage”-style IR does not (see Top-shelf Incident Response vs Barely There Incident Response for more details). So, imagine you are one of those lucky organizations with BOTH a standing SOC and a standing CIRT (yes, those actually exist!). How do you separate what each team does? Where is the hand-off? Where do they work together?

In any case, I am ready to say “stop arguing of whether this is still monitoring or already IR”, JUST DO IT!

Posts related to the same research project:

Comments are closed