I was listening to the Security Metrics podcast: 6 Phases of an Incident Response Plan during my usual lunch walk. Dave was describing the 2nd phase Identification and knowing if it's an incident or an event. He described both and gave examples of each. I pulled the definition of those from two different sources as a comparison.
"An event is any occurrence that can be observed, verified, and documented, whereas an incident is one or more related events that negatively affect the company and/or impact its security posture."
Event - Any occurrence that takes place during a certain period of time
Incident - An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data
In regards to cyber security, has anyone ever experienced an event that didn't turn into an incident? Not counting false-positive alarms from a SIEM.
Every browser crash or device reboot is an event. Most of them don't turn into
Of course but I'm talking cyber security related, not technical glitches.
@tmekelburg1Its an observation, the source, if it can be defined accurately should be logged. Or a Use case created to identify agreed actions or notifications due to a reconnaissance, which may later turn out into something more vigorous.
or notifications due to a reconnaissance, which may later turn out into something more vigorous.
Absolutely, and it could be used as a distraction technique as well. Any more examples of a cyber security event that stays an event and wouldn't escalate into an incident?
Does anyone feel it's important that people outside of the IT world understand the difference and even go so far as correcting their language when used incorrectly? It personally doesn't bother me but to some it does.
Event - Something that happens that gets logged. Think of Windows Event Viewer. A user logs on. A service starts. A server is restarted. A packet is allowed through a firewall.
Incident - An event that violates policy. A user attempts to logon outside of allowed hours or from outside of an allowed location. An IPS signature is triggered.
Breach - Information is lost of disclosed. CIA is compromised.
What about a phishing email? Would the email delivered to the user's inbox be the event and it wouldn't escalate to an incident until the payload was activated? Or would you consider it an incident at the onset?
Ask yourself if you have a policy that prohibits receipt of a phishing email. If you do, then it would be an Incident. Otherwise, it would be an event.
If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident. However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.