I had the opportunity to work with Anton on updating one of his best documents, “How to Plan and Execute Modern Security Incident Response”, which was published today on Gartner.com (GTP Access required). The document is a nice assessment of what organizations should be doing in terms of incident response today. It covers some of the basics, but also the changes we’ve been seeing in those practices in the past couple of years, especially the move to continuous IR. As we say there,
“The traditional route of detecting incidents using security monitoring technologies is not the whole answer to today’s threat landscape, which is laden with skilled and persistent threat actors. Leading organizations don’t just develop excellent security monitoring capabilities that operate in near-real time (such as mature SOC capabilities based on SIEM tools). They also seek to explore the data they collect in order to discover — rather than detect in real time — incidents that their own detection controls missed.”
This is just one of the juicy bits from the document. You can read more about it on Anton’s blog.
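The quoted passage draws a line between detecting incidents in near-real time and discovering, after the fact, the ones the real-time controls missed. The following Python sketch is an added illustration of that difference (it is not from the Gartner document or Anton’s post, and the event data in it is constructed): a SIEM-style sliding-window rule catches a noisy brute-force burst but is blind to a low-and-slow password spray spread over several days, while a retrospective hunt that aggregates the same retained data per source finds the spray.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): authentication events as
# (timestamp, source_ip, target_user, outcome) tuples.
START = datetime(2014, 6, 1, 0, 0, 0)


def build_events():
    events = []
    # Legitimate user: one typo, then a successful login.
    events.append((START + timedelta(hours=9), "192.0.2.10", "alice", "fail"))
    events.append((START + timedelta(hours=9, seconds=20), "192.0.2.10", "alice", "success"))
    # Noisy brute force: 8 failures in under 30 seconds from one host.
    for i in range(8):
        events.append((START + timedelta(hours=10, seconds=4 * i), "10.0.0.5", "admin", "fail"))
    # Low-and-slow password spray: one failure every 6 hours, a different
    # account each time, over roughly five days (20 attempts in total).
    for i in range(20):
        events.append((START + timedelta(hours=6 * i, minutes=17), "203.0.113.7", f"user{i:02d}", "fail"))
    return sorted(events)


def realtime_rule(events, threshold=5, window=timedelta(seconds=60)):
    """Near-real-time rule: alert when one source produces `threshold` or
    more failures inside a sliding `window`. Returns the alerted sources."""
    recent = defaultdict(list)
    alerted = set()
    for ts, src, _user, outcome in events:
        if outcome != "fail":
            continue
        q = recent[src]
        q.append(ts)
        # Forget failures that have fallen out of the window.
        recent[src] = q = [t for t in q if ts - t <= window]
        if len(q) >= threshold:
            alerted.add(src)
    return alerted


def hunt_low_and_slow(events, min_failures=10, min_distinct_users=5, min_span=timedelta(days=1)):
    """Retrospective hunt over the whole retained data set: aggregate per
    source and look for many failures, against many accounts, spread over a
    long period. A short-window rule never sees this shape, because no single
    window ever holds more than one or two events."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "first": None, "last": None})
    for ts, src, user, outcome in events:
        if outcome != "fail":
            continue
        s = per_src[src]
        s["failures"] += 1
        s["users"].add(user)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    findings = {}
    for src, s in per_src.items():
        span = s["last"] - s["first"]
        if s["failures"] >= min_failures and len(s["users"]) >= min_distinct_users and span >= min_span:
            findings[src] = {
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "span_days": span.days,
            }
    return findings


if __name__ == "__main__":
    ev = build_events()
    print("real-time alerts:", sorted(realtime_rule(ev)))  # only the noisy host
    print("hunt findings:", hunt_low_and_slow(ev))          # only the slow sprayer
```

The thresholds, retention window and the choice of features (failure count, distinct accounts, time span) are assumptions for the illustration; in practice the hunt is a query over whatever the SIEM or log store has retained, and the point is that it runs over the full history rather than over the last minute of events.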