Our “How to Plan and Execute Modern Security Incident Response” Publishes

By Anton Chuvakin | April 11, 2016 | 2 Comments


Our updated security incident response (IR) paper, now renamed “How to Plan and Execute Modern Security Incident Response” (Gartner GTP access required), has just been published.

Some fun quotes follow below:

  • “Effective security IR fuses together technical and nontechnical resources, which are bound by the incident response policy, procedures and plans. Most organizations have an underdeveloped and underfunded incident response strategy and capability.”
  • “This advice — to create an IR plan, now nearly a quarter of a century old — is certainly not heeded by all organizations; organizations continue to struggle with the right amount of information and the right scope of their incident response plans. […] Furthermore, the “aha” moment for many organizations is in drawing the line between “doing the planning” and “having a plan.””
  • “Anecdotal evidence suggests that incidents for which organizations have specifically planned for and prepared for end up costing less than those the organizations did not think of.”
  • “Gartner clients reported that one of the biggest mind shifts and incident response practice changes was the increased role of accurately scoping the incident.”
  • “Even organizations that complain that they are “drowning in data” probably need more visibility-focused tools [such as SIEM, EDR, UBA / UEBA, etc], if not more data [for their IR efforts].”
  • “The cross-silo nature of modern IR is further emphasized in cases of real APT intrusions. Looking at logs, traffic, endpoints, and user and application activity is often essential to uncovering subtle intruder traces.”


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • Todd Weller says:

    This was a great report….read it yesterday! Must read….not only informative but your style makes it fun to read too!