Incident Response And Forensic Analysis Are Related Activities And Both Necessary – Charles Leaver

March 22, 2017

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There may be a joke somewhere about the forensic expert who was late to the incident response party. There is at least the seed of a joke in the concept, but of course you need to understand the differences between forensic analysis and incident response to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and related data sets, but they also have some important differences. Four differences between forensic analysis and incident response are especially important:

– Objectives.
– Data requirements.
– Team skills.
– Benefits.

The difference in the objectives of forensic analysis and incident response is perhaps the most important. Incident response is focused on determining a quick (i.e., near real time) response to an immediate threat or issue. For instance, when a house is on fire, the firefighters who show up to put that fire out are engaged in incident response. Forensic analysis is typically carried out as part of a planned compliance, legal discovery, or police investigation. For example, a fire investigator might examine the remains of that house fire to determine the total damage to the home, the cause of the fire, and whether the root cause was such that other houses are also at risk. Simply put, incident response is focused on containment of a threat or issue, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

A second major difference between the disciplines is the data resources needed to accomplish the goals. Incident response teams typically need only short-term data sources, often no more than a month or so, while forensic analysis teams typically require much longer-lived logs and files. Keep in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the personnel skills of forensic analysis and incident response teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both types of investigation require strong log analysis and malware analysis capabilities. Incident response requires the ability to quickly isolate an infected device and to develop ways to remediate or quarantine the device. Interactions tend to be with other operations and security team members. Forensic analysis typically requires interactions with a much broader set of departments, including HR, compliance, operations and legal.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat on one device in near real time is a significant determinant in keeping breaches isolated and limited in impact. Incident response, and proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. However, the benefits of this work are undeniable. A thorough forensic investigation allows the remediation of all threats through the careful analysis of an entire attack chain of events. And that is no laughing matter.

Do your endpoint security processes accommodate both immediate incident response and long-term historical forensic analysis?
