A useful concept that emerged in my security incident response research is that of THREE IR GAPS:
- Detection gap
- Triage gap
- Remediation gap
Here is what I mean:
| Stage before | Gap | Gap length | Stage after |
|---|---|---|---|
| “Everything is fine!” | Detection gap | Days to years | “Oh no, this looks like an incident!” |
| We are having an incident | Triage gap | Hours to weeks | We know the full scope of this one and we know how they got in |
| Investigation mostly complete, ready to fix it | Remediation gap | Days to weeks | Incident remediated – next? |
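To make the three gaps measurable rather than just conceptual, here is an added example (not code from the original post) that computes them per incident from a timeline of milestone timestamps and reports the median of each gap across incidents. The four milestone names, the comma-separated input format and the sample incidents are all constructed assumptions for the example; a gap whose later milestone has not happened yet is reported as open rather than guessed.

```python
from datetime import datetime, timedelta
from statistics import median

# Milestone order mirrors the table above: each gap is the time between
# the stage before it and the stage after it. Names are assumptions.
MILESTONES = ("compromise", "detected", "scoped", "remediated")
GAPS = {
    "detection": ("compromise", "detected"),     # "everything is fine" -> "this looks like an incident"
    "triage": ("detected", "scoped"),            # incident declared -> full scope and entry point known
    "remediation": ("scoped", "remediated"),     # ready to fix -> remediated
}

# Constructed sample data: incident_id,milestone,ISO-8601 timestamp.
SAMPLE = """
# incident_id,milestone,timestamp
INC-1,compromise,2023-01-10T08:00:00
INC-1,detected,2023-03-21T14:00:00
INC-1,scoped,2023-03-24T10:00:00
INC-1,remediated,2023-04-03T10:00:00
INC-2,compromise,2023-05-01T00:00:00
INC-2,detected,2023-05-01T09:30:00
INC-2,scoped,2023-05-01T17:30:00
""".splitlines()


def parse_timeline(lines):
    """Parse milestone lines into {incident_id: {milestone: datetime}}."""
    timelines = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        incident_id, milestone, stamp = (p.strip() for p in line.split(","))
        if milestone not in MILESTONES:
            raise ValueError(f"unknown milestone {milestone!r} for {incident_id}")
        timelines.setdefault(incident_id, {})[milestone] = datetime.fromisoformat(stamp)
    return timelines


def incident_gaps(milestones):
    """Return the three gaps for one incident as timedeltas.

    A gap is None while it is still open (its later milestone is not recorded).
    Milestones recorded out of order are a data error, not a negative gap.
    """
    gaps = {}
    for name, (start, end) in GAPS.items():
        if start in milestones and end in milestones:
            delta = milestones[end] - milestones[start]
            if delta < timedelta(0):
                raise ValueError(f"{end} recorded before {start}")
            gaps[name] = delta
        else:
            gaps[name] = None
    return gaps


def gap_summary(timelines):
    """Median length of each gap in days, over the incidents that have closed it."""
    summary = {}
    for name in GAPS:
        closed = [
            g[name]
            for g in (incident_gaps(m) for m in timelines.values())
            if g[name] is not None
        ]
        if closed:
            summary[name] = round(median(d.total_seconds() for d in closed) / 86400, 2)
        else:
            summary[name] = None
    return summary


def load_sample():
    """Parse the constructed sample timeline."""
    return parse_timeline(SAMPLE)


if __name__ == "__main__":
    timelines = load_sample()
    for incident_id, milestones in timelines.items():
        print(incident_id, incident_gaps(milestones))
    print("median gap (days):", gap_summary(timelines))
```

Tracking these three numbers over time is a more honest IR metric than a single "time to resolve": a shrinking detection gap with a growing triage gap tells you where the next investment should go.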
Posts related to the same research project:
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response