tmekelburg1
Community Champion

Event or Incident

I was listening to the Security Metrics podcast: 6 Phases of an Incident Response Plan during my usual lunch walk. Dave was describing the 2nd phase Identification and knowing if it's an incident or an event. He described both and gave examples of each. I pulled the definition of those from two different sources as a comparison.

"An event is any occurrence that can be observed, verified, and documented, whereas an incident is one or more related events that negatively affect the company and/or impact its security posture." 

Event - Any occurrence that takes place during a certain period of time
Incident - An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data 

In regard to cyber security, has anyone ever experienced an event that didn't turn into an incident? Not counting false-positive alarms from a SIEM.

11 Replies
tmekelburg1
Community Champion


@denbesten wrote:
Ask yourself if you have a policy that prohibits receipt of a phishing email.  

As soon as I get one drafted, I'll send it to the threat actors for their signature and acknowledgment! I'm kidding, I know what you mean lol. 

If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident.  However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.


In our case, we filter email and depend on our users to apply their security awareness training skills. Some phishing emails still get through. This could be one of those grey areas where the viewpoint of an incident or event would change between organizations.

chogan
Newcomer II

When I look at the message log on my email gateway, I see a list of emails.  Some were allowed, some were blocked.  I consider all of those to be events.

We instruct users to report any malicious emails they receive.  These I create incidents for, so that we can investigate how they made it through our filters and see if there is any action we can take to prevent them in the future.
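The triage rules discussed in this thread (gateway allow/block entries are all events; a delivered malicious mail is an incident when the gateway was expected to stop it, or when a user reports it or reacts incorrectly) can be written down as a small classifier. This is an added example, not code from any poster; the `MailEvent` record, the `policy` values and the sample log entries are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class MailEvent:
    """One gateway message-log entry, enriched with what was learned later (constructed shape)."""
    msg_id: str
    action: str              # gateway verdict: "allowed" or "blocked"
    malicious: bool = False  # confirmed phishing/malware after the fact
    user_reported: bool = False
    user_clicked: bool = False

def classify(ev: MailEvent, policy: str) -> str:
    """Return 'event' or 'incident'.

    policy = "filter": the gateway/ATP layer is expected to stop bad mail,
                       so anything malicious that was delivered is an incident.
    policy = "user":   users are expected to handle bad mail, so a delivered
                       malicious message only becomes an incident if the user
                       reacts incorrectly (clicks) or reports it for investigation.
    """
    if policy not in ("filter", "user"):
        raise ValueError(f"unknown policy: {policy}")
    # Every log entry is an event; blocked or benign mail never escalates.
    if ev.action == "blocked" or not ev.malicious:
        return "event"
    # A user-reported malicious mail is investigated as an incident either way.
    if ev.user_reported or policy == "filter":
        return "incident"
    return "incident" if ev.user_clicked else "event"

def triage(log: list[MailEvent], policy: str) -> dict[str, list[str]]:
    """Group message ids by classification under the given policy."""
    out: dict[str, list[str]] = {"event": [], "incident": []}
    for ev in log:
        out[classify(ev, policy)].append(ev.msg_id)
    return out

# Constructed sample gateway log: two blocked, one benign delivered,
# one phish delivered and reported, one phish delivered and ignored.
SAMPLE_LOG = [
    MailEvent("m1", "blocked", malicious=True),
    MailEvent("m2", "blocked", malicious=True),
    MailEvent("m3", "allowed"),
    MailEvent("m4", "allowed", malicious=True, user_reported=True),
    MailEvent("m5", "allowed", malicious=True),
]

if __name__ == "__main__":
    for policy in ("filter", "user"):
        print(policy, triage(SAMPLE_LOG, policy))
```

Running it shows the grey area the thread describes: the same delivered-but-ignored phish (`m5`) is an incident under the "filter" policy and only an event under the "user" policy.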