Gartner Blog Network


On Space Between Detection and Response

by Anton Chuvakin  |  August 31, 2015  |  7 Comments

Let’s ponder the space between Detection (D) and Response (R):

D <aim your mind here!> R

Do you see it clearly now? Where does DETECTION end and RESPONSE begin? What is this space between them?

As more organizations finally give their detection controls the attention they deserve, the critically important space between D and R comes to their attention as well. After all, you will detect way more interesting stuff than you will actually trigger a formal incident response (IR) process over. Furthermore, some of the recent examples really drive this point home…

So, detection gives you alerts, indications, ambiguous end user reports, and other weak signals about possible attacker activities, mixed in with copious amounts of noise (sorry, $VENDOR, if you truthfully claim “no false positives”, this means that your “false negatives”, i.e. missed attacks, are through the roof). On the other hand, response – such as formally declaring an incident – requires clarity and not ambiguity, as the CIRT team is imbued with its super-powers only during the actual live response. How and when you transition from D to R really matters.

There is no single name for the space between detection and response. I often use the term “triage” or “alert triage”, but I also admit this usage is not standard. Still, this between-D-and-R stage is what enables you to actually stop the attacker before the damage is done. Yes, D and R on their own are critical, but the link between them is even more critical! If your SOC and CIRT (at the higher end of the organizational security maturity) work really well – but not together – the chance that the attacker will WIN and you will LOSE is still very high, despite all the technology investments.

The activities that (IMHO) sit between D and R include:

  • qualifying various security alerts
  • gathering additional data from endpoints, network traffic, etc.
  • deciding which user reports matter more and may indicate a real incident
  • enriching and prioritizing other signals that may lead to the incident declaration
  • scoping the impact of any potential incident
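To make that in-between stage concrete, here is an added example (not code from the post or from Gartner) of a toy triage routine: it enriches constructed SIEM-style alerts with asset criticality, corroborating user reports and related alerts on the same host, scores them, and only then decides whether to declare an incident, investigate further, or close the alert as noise. The asset context, alert records, weights and thresholds are all assumptions made up for the demonstration.

```python
"""Toy alert triage: the space between Detection (D) and Response (R)."""

# Constructed asset context; in practice this comes from your CMDB/asset inventory.
ASSET_CONTEXT = {
    "fin-db-01":   {"criticality": 5, "tier": "crown-jewel"},
    "dev-vm-17":   {"criticality": 1, "tier": "lab"},
    "hr-laptop-3": {"criticality": 3, "tier": "user-endpoint"},
}

# Constructed detection signals in the shape a SIEM might emit them (not real data).
ALERTS = [
    {"id": "A1", "host": "fin-db-01",   "rule": "lateral_movement_psexec", "confidence": 0.9, "user_report": False},
    {"id": "A2", "host": "dev-vm-17",   "rule": "suspicious_powershell",   "confidence": 0.4, "user_report": False},
    {"id": "A3", "host": "hr-laptop-3", "rule": "phishing_click",          "confidence": 0.5, "user_report": True},
    {"id": "A4", "host": "fin-db-01",   "rule": "credential_dump",         "confidence": 0.7, "user_report": False},
]


def enrich(alert, assets, all_alerts):
    """Qualify the alert: attach asset context and other alerts on the same host (scoping)."""
    ctx = assets.get(alert["host"], {"criticality": 2, "tier": "unknown"})
    related = [a["id"] for a in all_alerts
               if a["host"] == alert["host"] and a["id"] != alert["id"]]
    return {**alert, **ctx, "related": related}


def score(enriched):
    """Prioritize: detector confidence weighted by asset criticality, plus corroborating signals."""
    s = enriched["confidence"] * enriched["criticality"]
    if enriched["user_report"]:
        s += 1.0            # a user report is a weak signal on its own, but it corroborates
    s += 0.5 * len(enriched["related"])  # more activity on the same host -> wider scope
    return round(s, 2)


def decide(s, declare_at=3.0, investigate_at=1.5):
    """The D-to-R handoff: only clear, high-scoring cases trigger formal incident response."""
    if s >= declare_at:
        return "declare_incident"
    if s >= investigate_at:
        return "investigate"
    return "close_as_noise"


def triage(alerts, assets):
    """Run the full between-D-and-R stage and return alerts ranked by priority."""
    rows = []
    for a in alerts:
        e = enrich(a, assets, alerts)
        s = score(e)
        rows.append({"id": e["id"], "score": s, "decision": decide(s)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

The same low-confidence rule fires on both the lab VM and the finance database, but only the latter crosses the declaration threshold; that asymmetry is the whole point of doing triage before calling the CIRT.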

There you have it – now mind the gap [between D and R]!



Thoughts on On Space Between Detection and Response


  1. May use the OODA loop to fill the gap. OODA = Observe, Orient, Decide, Act. I see Detect corresponding to Observe and Response corresponding to Act.

    So the Orient and Decide stages are missing.

    https://en.wikipedia.org/wiki/OODA_loop


  3. I see there is a comment posted by Euler Global Consulting. Am unable to see the comment. Does one need special access to see others’ comments?

  4. Anton — I have read most of your public articles on EDR. Thanks for sharing your insights.

    I can use some help in understanding the boundary between AV, NGAV, and EDR. Can you help? Since you’ve coined the term EDR (and maybe, NGAV too), you are the best person to ask.

    AVs and NGAVs technically speaking ‘detect’ malware. That would imply they should be in EDR. But if I understood correctly you do place AVs within EDR. In such case, there must be a good reason.

    Could you expand on your thought on the boundaries between AV, NGAV, and EDR as it pertains to detecting/preventing malware?

    Thanks.

    • That is a BIG question, actually. Where does EDR end and “NGAV” (not an accepted abbreviation) begin? Typically we draw the line on PREVENTION… but is rapid remediation = prevention?


