cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
tmekelburg1
Community Champion

Event or Incident

I was listening to the Security Metrics podcast: 6 Phases of an Incident Response Plan during my usual lunch walk. Dave was describing the 2nd phase Identification and knowing if it's an incident or an event. He described both and gave examples of each. I pulled the definition of those from two different sources as a comparison.

 

"An event is any occurrence that can be observed, verified, and documented, whereas an incident is one or more related events that negatively affect the company and/or impact its security posture." 

 

Event - Any occurrence that takes place during a certain period of time
Incident - An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data 

 

In regards to cyber security, has anyone ever experienced an event that didn't turn into an incident? Not counting false-positive alarms from a SIEM.

13 Replies
rslade
Influencer II

> tmekelburg1 (Newcomer III) posted a new topic in Tech Talk on 09-03-2020 02:58

>     In regards to cyber security,
> has anyone ever experienced an event that didn't turn into an incident?

Every browser crash or device reboot is an event. Most of them don't turn into
incidents.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
You can't depend on your eyes when your imagination is out of
focus. - Mark Twain
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
tmekelburg1
Community Champion

Every browser crash or device reboot is an event. Most of them don't turn into
incidents.



Of course but I'm talking cyber security related, not technical glitches. 

sergeling
Contributor I

For example, an externally facing web server with authentication/login workflow.
From the authentication log you see a failed login attempt, that's an event.
But since the login failed and did not cause breach, it's not incident.
tmekelburg1
Community Champion

Good example, it could be a potential adversarial event that could escalate into an incident. Or it could be someone who forgot their password.

How about port scanning on Internet facing devices? I'd get the alert and monitor the situation but we really wouldn't escalate to an incident by itself.
Caute_cautim
Community Champion

@tmekelburg1Its an observation, the source, if it can be defined accurately should be logged.  Or a Use case created to identify agreed actions or notifications due to a reconnaissance, which may later turn out into something more vigorous.

 

Regards

 

Caute_cautim

tmekelburg1
Community Champion


@Caute_cautim wrote:

 or notifications due to a reconnaissance, which may later turn out into something more vigorous.

 

 


Absolutely, and it could be used as a distraction technique as well. Any more examples of a cyber security event that stays an event and wouldn't escalate into an incident?

 

Does anyone feel it's important that people outside of the IT world understand the difference and even go so far as correcting their language when used incorrectly? It personally doesn't bother me but to some it does.

chogan
Newcomer II

Event - Something that happens that gets logged.  Think of Windows Event Viewer.  A user logs on.  A service starts.  A server is restarted.  A packet is allowed through a firewall.

 

Incident - An event that violates policy.  A user attempts to logon outside of allowed hours or from outside of an allowed location.  An IPS signature is triggered.

 

Breach - Information is lost of disclosed.  CIA is compromised.  

tmekelburg1
Community Champion

Thanks for replying chogan!

What about a phishing email? Would the email delivered to the user's inbox be the event and it wouldn't escalate to an incident until the payload was activated? Or would you consider it an incident at the onset?
denbesten
Community Champion


@tmekelburg1 wrote:
What about a phishing email? Would the email delivered to the user's inbox be the event and it wouldn't escalate to an incident until the payload was activated? Or would you consider it an incident at the onset?

Ask yourself if you have a policy that prohibits receipt of a phishing email.  If you do, then it would be an Incident.  Otherwise, it would be an event.  

 

If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident.  However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.