As planned, we are starting our research effort on EDR, but also one on security incident response (IR), a topic we last touched in 2013. Most likely, we will be updating our document titled “Security Incident Response in the Age of APT” [Gartner GTP access required] and possibly, but not likely, creating a new document too.
However, in our security IR (#DFIR) research, we are facing a conundrum. A lot of our client inquiries are about the very basics of IR (think “basics of basic IR”), mostly asked by organizations recovering from a dire malaise of “prevention-only” security [please, please, please FINALLY get the memo: you cannot prevent all threats!]. For these problems, existing Gartner coverage, such as Rob’s excellent “Six Decisions You Must Make to Prepare for a Security Incident” and “How to Write a Security Incident Response Procedure Document” [Gartner access required], is perfectly adequate. I sometimes joke that for many of these IR “problems”, an ancient NIST 800-3 from 1991 (!) will work just fine…
On the other hand, we do get some [read: very, very few] inquiries from the opposite end of the spectrum, where organizations refine their already-excellent IR processes, decide which SIRP to buy, deal with IR in some extra-challenging environments (such as public cloud, for example) or – generally the most exciting – fight it out with real APTs in the trenches of their own IT environment. Unfortunately, these clients are uncommon because – let’s be honest here – for most organizations that encounter an APT in a dark alley, the only approach is to call “the firm with the name that starts with ‘M’” and hope for the best…
As a result, we ended up with a document that is somewhat helpful to BOTH of the above – that is our current work “Security Incident Response in the Age of APT.” However, we do see the limitations of this approach. We can either write our own “basic guide to advanced IR” (this phrase is “borrowed” from this excellent work) or go back to writing a newly structured approach to security incident response basics…
So, any advice for us on this?!
Posts related to the same research project:
- My Incident Response Paper Publishes (2013)
- On Three IR Gaps
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response