Let’s ponder the space between Detection (D) and Response (R):
D <aim your mind here!> R
Do you see it clearly now? Where does DETECTION end and RESPONSE begins? What is this space between them?
As more organizations finally give their detection controls the attention they deserve, the critically important space between D and R comes to their attention as well. After all, you will detect way more interesting stuff than you will actually trigger a formal incident response (IR) process over. Furthermore, some of the recent examples really drive this point home….
So, detection gives you alerts, indications, ambiguous end user reports, other weak signals about possible attacker activities, mixed in with copious amounts of noise (sorry, $VENDOR, if you truthfully claim “no false positives”, this means that your “false negatives” i.e. missed attacks are through the roof). On the other hand, response – such as formally declaring an incident – requires clarity and not ambiguity, as the CIRT team is imbued with their super-powers during the actual live response. How and when you transition from D to R really matters.
There is no single name for the space between detection and response. I often use the term “triage” or “alert triage”, but I also admit this usage is not standard. Still, this between-D-and-R stage is what enables you to actually stop the attacker before the damage is done. Yes, D and R on their own are critical, but the link between them is even more critical! If your SOC and CIRT (at the higher end of the organizational security maturity) work really well – but not together – the chance that the attacker will WIN and you will LOSE is still very high, despite all the technology investments.
The activities that (IMHO) sit between D and R include:
- qualifying various security alerts
- gathering additional data from endpoints, network traffic, etc
- deciding which user reports matter more and may indicate a real incident
- enriching and prioritizing other signals that may lead to the incident declaration
- scoping the impact of any potential incident
There you have it – now mind the gap [between D and R]!
Blog posts related to triage process:
- Acting on MSSP Alerts
- On Three IR Gaps
- Fusion of Incident Response and Security Monitoring?
- Alert-driven vs Exploration-driven Security Analysis
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.