A useful concept that emerged from my security incident response research is that of the THREE IR GAPS:
- Detection gap
- Triage gap
- Remediation gap
Here is what I mean:
| Stage before | Gap | Gap length | Stage after |
|---|---|---|---|
| “Everything is fine!” | Detection gap | Days to years (per Verizon DBIR) | “Oh no, this looks like an incident!” |
| “We are having an incident” | Triage gap | Hours to weeks | “We know the full scope of this one and we know how they got in” |
| “Investigation mostly complete, ready to fix it” | Remediation gap | Days to weeks | “Incident remediated – next?” |
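As an added example (not part of the original post), here is one way to turn the three gaps into something you can actually measure across your own incidents: record four milestones per incident (earliest attacker activity, detection, end of scoping, end of remediation) and take the differences. The `Incident` fields, the helper names and every date in the sample records are constructed assumptions, not data from the research the post describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

# Added example, not from the original post: the three IR gaps as measurable
# intervals between milestones of an incident timeline. Field names and all
# sample dates are constructed assumptions.


@dataclass
class Incident:
    name: str
    compromised: Optional[datetime]  # earliest attacker activity; often unknown or an estimate
    detected: datetime               # "Oh no, this looks like an incident!"
    scoped: Optional[datetime]       # full scope and entry vector established
    remediated: Optional[datetime]   # fix applied and verified


GAPS = ("detection", "triage", "remediation")


def _check_order(inc: Incident) -> None:
    """Milestones must not run backwards; unknown (None) milestones are skipped."""
    known = [t for t in (inc.compromised, inc.detected, inc.scoped, inc.remediated)
             if t is not None]
    for earlier, later in zip(known, known[1:]):
        if later < earlier:
            raise ValueError(f"{inc.name}: timeline out of order ({earlier} > {later})")


def gaps(inc: Incident) -> Dict[str, Optional[timedelta]]:
    """Return the three gaps for one incident.

    A gap is None when its bounding milestone is unknown or not yet reached:
    the detection gap cannot be measured without a compromise time, and the
    remediation gap needs both the end of triage and the end of remediation.
    """
    _check_order(inc)
    return {
        "detection": inc.detected - inc.compromised if inc.compromised is not None else None,
        "triage": inc.scoped - inc.detected if inc.scoped is not None else None,
        "remediation": (inc.remediated - inc.scoped
                        if inc.scoped is not None and inc.remediated is not None else None),
    }


def median_gaps(incidents: List[Incident]) -> Dict[str, Optional[timedelta]]:
    """Median of each gap across incidents, ignoring incidents where it is unmeasurable."""
    per_incident = [gaps(inc) for inc in incidents]
    result: Dict[str, Optional[timedelta]] = {}
    for gap in GAPS:
        values = [g[gap] for g in per_incident if g[gap] is not None]
        result[gap] = median(values) if values else None
    return result


# Constructed sample incidents (not real data).
SAMPLE = [
    Incident("A", datetime(2012, 1, 10), datetime(2012, 3, 15),
             datetime(2012, 3, 18), datetime(2012, 3, 30)),
    # B: initial compromise never pinned down, so its detection gap is unmeasurable
    Incident("B", None, datetime(2012, 5, 1),
             datetime(2012, 5, 1, 18), datetime(2012, 5, 8)),
    # C: detected, still being triaged; only the detection gap exists so far
    Incident("C", datetime(2011, 6, 1), datetime(2012, 6, 1), None, None),
]

if __name__ == "__main__":
    def fmt(d: Dict[str, Optional[timedelta]]) -> Dict[str, str]:
        return {k: (str(v) if v is not None else "n/a") for k, v in d.items()}

    for inc in SAMPLE:
        print(inc.name, fmt(gaps(inc)))
    print("median", fmt(median_gaps(SAMPLE)))
```

Two caveats show up as soon as you do this for real. The detection gap is only as good as the compromise timestamp, which is usually reconstructed from forensics and is the least certain number of the four; that is why published figures for it are estimates. And an incident still in triage contributes to the detection gap but not to the later ones, so a median taken over closed incidents only tends to understate triage and remediation time.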
Comments?
Posts related to the same research project:
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response
2 Comments
There’s not really a great deal on which to comment….
That’s really not that much of a comment… 🙂