Blog post

Incident Response Becomes Threat Response … OR Does It: IR Research Commencing

By Anton Chuvakin | February 05, 2016 | 0 Comments

Tags: security, incident response, announcement

As planned, we are starting our research effort on EDR, but also one on security incident response (IR), a topic we last touched in 2013. Most likely, we will be updating our document titled “Security Incident Response in the Age of APT” [Gartner GTP access required] and possibly, but not likely, creating a new document too.

However, in our security IR (#DFIR) research, we are facing a conundrum. A lot of our client inquiries are about the very basics of IR (think “basics of basic IR”), mostly asked by those organizations recovering from a dire malaise of “prevention-only” security [please, please, please FINALLY get the memo: you cannot prevent all threats!]. For these problems, existing Gartner coverage, such as Rob’s excellent “Six Decisions You Must Make to Prepare for a Security Incident” and “How to Write a Security Incident Response Procedure Document” [Gartner access required], is perfectly adequate. I sometimes joke that for many of these IR “problems”, the ancient NIST 800-3 from 1991 (!) will work just fine…

On the other hand, we do get some [read: very, very few] inquiries from the opposite end of the spectrum, where organizations refine their already-excellent IR processes, decide which SIRP to buy, deal with IR in some extra-challenging environments (such as public cloud, for example) or – generally the most exciting – fight it out with real APTs in the trenches of their own IT environment. Unfortunately, these clients are uncommon because – let’s be honest here – for most organizations that encounter an APT in a dark alley, the only approach is to call “the firm with the name that starts with ‘M’” and hope for the best …

As a result, we ended up with a document that is somewhat helpful to BOTH of the above – that is our current work, “Security Incident Response in the Age of APT.” However, we do see the limitations of this approach. We can either write our own “basic guide to advanced IR” (this phrase is “borrowed” from this excellent work) or go back to writing a newly structured approach to security incident response basics….

So, any advice for us on this?!

Posts related to the same research project:
