Gartner Blog Network

My paper on security incident response (“Security Incident Response in the Age of APT”) just published [Gartner GTP subscription required]

Summary:

Increased complexity and frequency of attacks, combined with reduced effectiveness of preventative security controls, elevate the need for enterprise-scale security incident response. Organization must find better ways of executing incident response (from tools to teams!) in the modern era of industrial cybercrime, advanced persistent threats (APTs) and changing cloud, virtual and mobile environments. The concepts of “peopling up” and “tooling up” for incident response (IR) are what support the critical practice of continuous incident response.

A few fun quotes:

• “Being prepared for incident response is likely to be one of the more cost-effective security measures any organization can take because well-planned IR reduces the incident impact and costs and because security incidents are inevitable.”
• “Define incidents, and don’t leave incident declaration to case-by-case judgment; establish parameters and definitions usable at your organization.”
• “No matter the size of your organization, if you have a security team, dedicate one person to incident response. Incident response — particularly deep investigations — can result in political infighting; pare down this likelihood by nurturing relationships across the organization.”
• “If starting from the beginning, create an incident response plan and engage in ongoing IR planning. Don’t make up processes during the heat of battle; envision likely incidents, and create usable plans for how they should be handled.
• “Undiscovered incidents serve as a useful reminder that security products are not perfect and “false negatives” will happen with both prevention and detection technologies. The organizations that proactively go out and discover incidents — “hunt” for them — have a better chance of finding them before it is too late.”

Enjoy!

Posts related to this research project:

• On Three IR Gaps
• Fusion of Incident Response and Security Monitoring?
• Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
• Security Incidents vs “IT Problems”
• Top-shelf Incident Response vs Barely There Incident Response
• On SANS Forensics Survey
• Incident Plan vs Incident Planning?
• On Importance of Incident Response
• Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
• Time-tested Incident Response Wisdom?
• Incident Response: The Death of a Straight Line
• Alert-driven vs Exploration-driven Security Analysis
• My Next Research Area: Incident Response
• All posts tagged security incident response

Recent paper publication announcements:

• My Paper on Endpoint Tools Publishes
• Our Security Data Sharing Paper Publishes
• Our Network Forensics Paper Publishes
• My Second DLP Paper Publishes
• My First DLP Paper Publishes
• My Gartner research published so far

Category: incident-response  security