Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
tmekelburg1
Community Champion
‎09-03-2020 02:58 PM
‎09-03-2020 02:58 PM

Event or Incident

I was listening to the Security Metrics podcast: 6 Phases of an Incident Response Plan during my usual lunch walk. Dave was describing the 2nd phase Identification and knowing if it's an incident or an event. He described both and gave examples of each. I pulled the definition of those from two different sources as a comparison.

 

"An event is any occurrence that can be observed, verified, and documented, whereas an incident is one or more related events that negatively affect the company and/or impact its security posture." 

 

Event - Any occurrence that takes place during a certain period of time
Incident - An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data 

 

In regards to cyber security, has anyone ever experienced an event that didn't turn into an incident? Not counting false-positive alarms from a SIEM.

Reply
13 Replies
rslade
Influencer II
‎09-03-2020 03:31 PM
‎09-03-2020 03:31 PM

> tmekelburg1 (Newcomer III) posted a new topic in Tech Talk on 09-03-2020 02:58

>     In regards to cyber security,
> has anyone ever experienced an event that didn't turn into an incident?

Every browser crash or device reboot is an event. Most of them don't turn into
incidents.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
You can't depend on your eyes when your imagination is out of
focus. - Mark Twain
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Reply
tmekelburg1
Community Champion
‎09-03-2020 03:38 PM
‎09-03-2020 03:38 PM

Every browser crash or device reboot is an event. Most of them don't turn into
incidents.


Of course but I'm talking cyber security related, not technical glitches. 

Reply
0 Kudos
sergeling
Contributor I
‎09-03-2020 05:16 PM
‎09-03-2020 05:16 PM

For example, an externally facing web server with authentication/login workflow.
From the authentication log you see a failed login attempt, that's an event.
But since the login failed and did not cause breach, it's not incident.
Reply
0 Kudos
tmekelburg1
Community Champion
‎09-03-2020 06:12 PM
‎09-03-2020 06:12 PM

Good example, it could be a potential adversarial event that could escalate into an incident. Or it could be someone who forgot their password.

How about port scanning on Internet facing devices? I'd get the alert and monitor the situation but we really wouldn't escalate to an incident by itself.
Reply
0 Kudos
Caute_cautim
Community Champion
‎09-06-2020 02:33 AM
‎09-06-2020 02:33 AM

@tmekelburg1Its an observation, the source, if it can be defined accurately should be logged.  Or a Use case created to identify agreed actions or notifications due to a reconnaissance, which may later turn out into something more vigorous.

 

Regards

 

Caute_cautim

Reply
0 Kudos
tmekelburg1
Community Champion
‎09-06-2020 08:13 AM
‎09-06-2020 08:13 AM

@Caute_cautim wrote:

 or notifications due to a reconnaissance, which may later turn out into something more vigorous.

 

 

Absolutely, and it could be used as a distraction technique as well. Any more examples of a cyber security event that stays an event and wouldn't escalate into an incident?

 

Does anyone feel it's important that people outside of the IT world understand the difference and even go so far as correcting their language when used incorrectly? It personally doesn't bother me but to some it does.

Reply
chogan
Newcomer II
‎09-07-2020 02:26 PM
‎09-07-2020 02:26 PM

Event - Something that happens that gets logged.  Think of Windows Event Viewer.  A user logs on.  A service starts.  A server is restarted.  A packet is allowed through a firewall.

 

Incident - An event that violates policy.  A user attempts to logon outside of allowed hours or from outside of an allowed location.  An IPS signature is triggered.

 

Breach - Information is lost of disclosed.  CIA is compromised.  

Reply
tmekelburg1
Community Champion
‎09-07-2020 05:13 PM
‎09-07-2020 05:13 PM

Thanks for replying chogan!

What about a phishing email? Would the email delivered to the user's inbox be the event and it wouldn't escalate to an incident until the payload was activated? Or would you consider it an incident at the onset?
Reply
0 Kudos
denbesten
Community Champion
‎09-08-2020 09:01 AM
‎09-08-2020 09:01 AM

@tmekelburg1 wrote:
What about a phishing email? Would the email delivered to the user's inbox be the event and it wouldn't escalate to an incident until the payload was activated? Or would you consider it an incident at the onset?

Ask yourself if you have a policy that prohibits receipt of a phishing email.  If you do, then it would be an Incident.  Otherwise, it would be an event.  

 

If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident.  However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.

Reply
0 Kudos