Gartner Blog Network


On Three IR Gaps

by Anton Chuvakin  |  August 20, 2013  |  2 Comments

A useful concept that emerged in my security incident response research is one of THREE IR GAPS.

  1. Detection gap
  2. Triage gap
  3. Remediation gap

Here is what I mean:

Stage before                                   | Gap             | Gap length             | Stage after
-----------------------------------------------|-----------------|------------------------|-----------------------------------------------------------------
“Everything is fine!”                          | Detection gap   | Days to years (VzDBIR) | “Oh no, this looks like an incident!”
We are having an incident                      | Triage gap      | Hours to weeks         | We know the full scope of this one and we know how they got in
Investigation mostly complete, ready to fix it | Remediation gap | Days to weeks          | Incident remediated – next?

Comments?

Posts related to the same research project:

Category: incident-response  security  



Thoughts on On Three IR Gaps


  1. H. Carvey says:

    There’s not really a great deal on which to comment….

  2. That’s really not that much of a comment… :-)


