I was listening to the Security Metrics podcast: 6 Phases of an Incident Response Plan during my usual lunch walk. Dave was describing the 2nd phase Identification and knowing if it's an incident or an event. He described both and gave examples of each. I pulled the definition of those from two different sources as a comparison.
"An event is any occurrence that can be observed, verified, and documented, whereas an incident is one or more related events that negatively affect the company and/or impact its security posture."
Event - Any occurrence that takes place during a certain period of time
Incident - An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data
In regards to cyber security, has anyone ever experienced an event that didn't turn into an incident? Not counting false-positive alarms from a SIEM.
@denbesten wrote: Ask yourself if you have a policy that prohibits receipt of a phishing email.
As soon as I get one drafted, I'll send it to the threat actors for their signature and acknowledgment! I'm kidding, I know what you mean lol.
If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident. However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.
In our case, we filter email and depend on our users to apply their security awareness training skills. Some phishing emails still get through. This could be one of those grey areas where the viewpoint on an incident or event would change between organizations.
When I look at the message log on my email gateway, I see a list of emails. Some were allowed, some were blocked. I consider all of those to be events.
We instruct users to report any malicious emails they receive. These I create incidents for, so that we can investigate how they made it through our filters and see if there is any action we can take to prevent them in the future.
Before I studied for my CISSP, I did not realize that availability is one of the principles of InfoSec. An application crashing or a reboot are events that affect availability so they are InfoSec/cybersecurity events. C and I get most of the focus (the OSG mentions something to that effect, and it generally is true) but don't forget the A.
Incidents may or may not be serious and thus may or may not need to be reported to senior management, regulatory authorities, law enforcement, etc. For example, you have a public web server that was port scanned by an IP address from X country. Is it an incident? Yes. Does it need to be reported? Probably not, since your public web server is by design exposed to the internet. If the attacker actually breached the network by exploiting a vulnerability on the web server, that should be considered a major and reportable incident.
About incidents, NIST has a few definitions with some minute differences which don't line up exactly with the CISSP OSG definition. A few here:
An event comes before the incident.
Some events are not incidents, for example an authorized user who forgot his password, tried to log in too many times, failed, and got blocked.
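The triage rules the posters describe (every gateway entry is an event; a user-reported phish that passed the filter becomes an incident; a locked-out user who forgot a password stays an event; a scan of a public server is an incident but only a breach is major and reportable) run over a few constructed log records, as an added example that is not from the thread. The record layouts and field names are assumptions made for this example.

```python
# Added example (not posted in the thread): event/incident triage over
# constructed log records. Field names and layouts are assumptions.
from dataclasses import dataclass

# Constructed sample data: a mail-gateway log, the set of message ids users
# reported as phishing, an auth log, and a network-sensor log.
GATEWAY_LOG = [
    {"id": "m1", "from": "hr@example.com", "verdict": "allowed"},
    {"id": "m2", "from": "payroll@evil.example", "verdict": "blocked"},
    {"id": "m3", "from": "ceo@lookalike.example", "verdict": "allowed"},
]
USER_REPORTS = {"m3"}  # messages users flagged via the report button
AUTH_LOG = [{"user": "alice", "failures": 6, "locked": True}]
NETWORK_LOG = [
    {"src": "203.0.113.5", "type": "port_scan", "target": "public-web"},
    {"src": "203.0.113.5", "type": "exploit_success", "target": "public-web"},
]

@dataclass
class Incident:
    source: str
    summary: str
    major: bool = False  # major incidents are the ones that get reported

def triage():
    """Return (events, incidents) built from the constructed logs."""
    events, incidents = [], []
    for m in GATEWAY_LOG:
        # Every gateway decision, allowed or blocked, is an observed event.
        events.append(f"mail {m['id']} {m['verdict']}")
        # A phish that passed the filter and was reported by a user is an
        # incident: something to investigate so the filter can be tuned.
        if m["verdict"] == "allowed" and m["id"] in USER_REPORTS:
            incidents.append(Incident("mail", f"phish {m['id']} passed filter"))
    for a in AUTH_LOG:
        # Lockout of a legitimate user after repeated failures: event only.
        events.append(f"auth {a['user']} locked after {a['failures']} failures")
    for n in NETWORK_LOG:
        events.append(f"net {n['type']} from {n['src']}")
        if n["type"] == "port_scan":
            # Scan of an internet-facing server: an incident, not reportable.
            incidents.append(Incident("net", f"scan of {n['target']} from {n['src']}"))
        elif n["type"] == "exploit_success":
            # A breach of the network via that server is major and reportable.
            incidents.append(Incident("net", f"breach of {n['target']} via {n['src']}", major=True))
    return events, incidents

if __name__ == "__main__":
    evs, incs = triage()
    print(f"{len(evs)} events, {len(incs)} incidents, {sum(i.major for i in incs)} reportable")
```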