Gartner Blog Network

Our “Solution Path for Implementing Threat Detection and Incident Response” Publishes

by Anton Chuvakin  |  January 22, 2019  |  1 Comment

As you can see below, we have written a lot of research over the years, and it would be handy to have a roadmap for the readers. This is especially useful for organizations that are in the “OMG WHAT TO DO WITH ALL THIS CYBER?” phase of their security journey (which, BTW, is not that rare even in 2019 … yes, really!). So, Gartner GTP has a document type called a Solution Path that delivers just that!

Here is our “Solution Path for Implementing Threat Detection and Incident Response.” (Gartner GTP access required).

In the abstract, we say: “Increased complexity and frequency of attacks, along with historical overreliance on preventative controls, elevate the need for detection and incident response capabilities. This Solution Path helps technical professionals evolve the processes, tools and skills for performing these activities.”


My favorite quotes are below:

  • “Detection technologies such as SIEM, EDR and NTA are effective only when use cases are appropriately defined, implemented and tuned. A process to manage security monitoring use cases is a prerequisite for the success of any detection capability.” [A.C. – naturally, the process is very lightweight for those just starting up]
  • “Security architectures have evolved from a strong focus on preventative capabilities to a more balanced approach covering prevention, detection, response and prediction capabilities. The balanced approach recognizes that it is impossible to stop all attacks, and that detection and response must work efficiently to reduce the harm from successful attacks.” [A.C. – now, this is painfully obvious to you, my esteemed reader, but I assure you – this is NEW INSIGHT for a wide swath of IT organizations out there in the real world]
  • “To start, Gartner recommends using your own security incident history, security incidents of your peers and regulatory pressure to justify initiating your detection and response effort.” [A.C. – as I pathetically whined before, we have seen examples where past incidents AT THEIR OWN organization were insufficient to motivate security improvements. In this fringe case, I suspect nothing will help until this org is literally hacked out of business]
  • “Organizations must ensure that technology deployment keeps pace with growth in operational practice maturity.” [A.C. – what pithy things can I say here? 🙂 This one is kinda a big deal!]
  • “Every threat detection and response practice requires at least basic, human-led alert triage processes to be in place.”
  • “Whether it is a standing computer incident response team (CIRT) of 30 people or a single part-time responder, having a dedicated point of contact and, hopefully, a center of excellence for security incident response is essential today.”
  • “Many organizations will never check if the security controls they put in place are actually working as intended. This approach does not work well today — in fact, it never really did.”

Enjoy! Please provide feedback via

Other posts announcing paper publication:


Category: announcement, detection, incident-response, monitoring, security, testing

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on Our “Solution Path for Implementing Threat Detection and Incident Response” Publishes

  1. […] Our “Solution Path for Implementing Threat Detection and Incident Response” Publishes (security monitoring research) […]
