A useful concept that emerged in my security incident response research is the idea of THREE IR GAPS:
- Detection gap
- Triage gap
- Remediation gap
Here is what I mean:
| Stage before | Gap | Gap length | Stage after |
|---|---|---|---|
| “Everything is fine!” | Detection gap | Days to years (VzDBIR) | “Oh no, this looks like an incident!” |
| We are having an incident | Triage gap | Hours to weeks | We know the full scope of this one and we know how they got in |
| Investigation mostly complete, ready to fix it | Remediation gap | Days to weeks | Incident remediated – next? |
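As an added illustration (not part of the original post), here is a small Python routine that turns the three gaps into something measurable: each incident record carries the timestamps at which it crossed the stage boundaries in the table above, and the median of each gap is computed over a few constructed sample incidents, skipping gaps that have not yet closed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

GAPS = ("detection", "triage", "remediation")

@dataclass
class Incident:
    """Stage-boundary timestamps for one incident; None = stage not reached yet."""
    name: str
    compromised: datetime           # end of "Everything is fine!" (attacker activity begins)
    detected: datetime              # "Oh no, this looks like an incident!"
    scoped: Optional[datetime]      # full scope and entry vector known
    remediated: Optional[datetime]  # incident remediated

def gaps(inc: Incident) -> dict:
    """Return each IR gap as a timedelta, or None if that gap is still open."""
    detection = inc.detected - inc.compromised
    triage = inc.scoped - inc.detected if inc.scoped else None
    remediation = inc.remediated - inc.scoped if inc.scoped and inc.remediated else None
    return {"detection": detection, "triage": triage, "remediation": remediation}

def median_gaps(incidents) -> dict:
    """Median length of each gap in days, over incidents where that gap has closed."""
    out = {}
    for g in GAPS:
        closed = [gaps(i)[g] for i in incidents if gaps(i)[g] is not None]
        out[g] = median(d.total_seconds() for d in closed) / 86400 if closed else None
    return out

def widest_gap(incidents) -> str:
    """Name of the gap with the largest median: the stage to invest in first."""
    stats = median_gaps(incidents)
    return max((g for g in GAPS if stats[g] is not None), key=lambda g: stats[g])

# Constructed sample incidents (not real data), chosen to span the table's ranges.
SAMPLE = [
    Incident("web-server-compromise", datetime(2013, 1, 1), datetime(2013, 7, 1),
             datetime(2013, 7, 3), datetime(2013, 7, 10)),
    Incident("phished-laptop", datetime(2013, 3, 15), datetime(2013, 3, 15, 6),
             datetime(2013, 3, 16, 6), datetime(2013, 3, 30, 6)),
    Incident("long-dwell-intrusion", datetime(2012, 6, 1), datetime(2013, 6, 1),
             datetime(2013, 6, 15), None),  # remediation still in progress
]

if __name__ == "__main__":
    for g, days in median_gaps(SAMPLE).items():
        print(f"{g:>12} gap: median {days} days")
    print("widest gap:", widest_gap(SAMPLE))
```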
Comments?
Posts related to the same research project:
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
2 Comments
There’s not really a great deal on which to comment….
That’s really not that much of a comment… 🙂