On Three IR Gaps
by Anton Chuvakin | August 20, 2013 | 2 Comments
A useful concept that emerged in my security incident response research is a one of THREE IR GAPS.
- Detection gap
- Triage gap
- Remediation gap
Here is what I mean:
| Stage before | Gap | Gap length | Stage after |
| “Everything is fine!” | Detection gap | Days to years (VzDBIR) |
“Oh no, this looks like an incident!” |
| We are having an incident | Triage gap | Hours to weeks | We know the full scope of this one and we know how they got in |
| Investigation mostly complete, ready to fix it | Remediation gap | Days to weeks | Incident remediated – next? |
Comments?
Posts related to the same research project:
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response
Additional Resources
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.
Read Free Gartner Research
Category: incident-response security
Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry
Thoughts on On Three IR Gaps
Comments are closed
Who's Blogging
- Barika Pace
- Jennifer Dalipi
- Debbie Wilson
- Jeffrey Hewitt
- May Keffer
- Andrew White
- Siddharth Shetty
- Bill Ray
- Akif Khan
- Dave Egloff
- Daniel Sanchezreina
- Mike Wonham
- Frank Buytendijk
- Marty Resnick
- Tony Iams
- Fabio Chesini
- Frances Russell
- Augie Ray
- Allegra Ubbes
- Sally Witzky
- Avivah Litan
- Robert Hetu
- Pete Shoard
- Craig Roth
- Stephen White
- Jitendra Subramanyam
- Halle Feuerman
- Clifton Gilley
- Bob Gill
- Bart Willemsen
- Deacon Wan
- Carlos Guerrero
- Vivek Swaminathan
- Tim Barlow
- Don Scheibenreif
- John Wheeler
- Simon Jacobson
- Claire Tassin
- Jessica Ekholm
- Colin Reid
- Jason Wong
- Noah Elkin
- Michael Ramsey
- Rene Buest
- Anthony Bradley
- Sumit Agarwal
- Kristina Laroccacerrone
- Michael Mccune
- Mark Mcdonald
- Manjunath Bhat
About
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.
There’s not really a great deal on which to comment….
That’s really not that much of a comment… 🙂