Chuck Leaver – The Important Distinction Between Incident Response And Forensic Analysis

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


There may be a joke somewhere about the forensic expert who was late to the incident response party. There is the seed of a joke in the idea at least, but of course you have to understand the distinctions between forensic analysis and incident response to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and overlapping data sets, but they also have some important differences. There are four particularly important differences between forensic analysis and incident response:

– Objectives.
– Data requirements.
– Team skills.
– Benefits.

The distinction in the objectives of incident response and forensic analysis is perhaps the most important. Incident response is focused on a fast (i.e., near real-time) reaction to an immediate threat or problem. For example, a house is on fire, and the firefighters who show up to put that fire out are doing incident response. Forensic analysis is normally carried out as part of a planned compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the total damage to the property, the cause of the fire, and whether the origin was such that other houses are also at risk. Simply put, incident response is concentrated on containment of a threat or problem, while forensic analysis is concentrated on a full understanding and comprehensive remediation of a breach.

A second significant difference between the disciplines is the data resources required to achieve those objectives. Incident response teams typically need only short-term data sources, frequently no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Remember that the typical dwell time of a successful attack is somewhere between 150 and 300 days, so a forensic investigation that needs to reach back to initial access can easily exceed the retention window that is sufficient for incident response.
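As an added illustration of that retention gap (example code written for this page, not Ziften's own tooling), the script below takes an inventory of log sources with their retention windows and checks which of them can still serve incident response (about a month of data) and which can reach back to initial access for an attack with a dwell time in the 150 to 300 day range the article cites. The source names and retention values are constructed for the example and are not taken from any real product.

```python
"""Retention-coverage check for incident response versus forensic analysis.

Added example, not code from the original article. Log source names and
retention figures below are constructed for illustration (assumption).
"""
from dataclasses import dataclass
from datetime import date, timedelta

IR_WINDOW_DAYS = 30                        # "a month or so" of data for incident response
DWELL_MIN_DAYS, DWELL_MAX_DAYS = 150, 300  # dwell-time range quoted in the article


@dataclass(frozen=True)
class LogSource:
    name: str
    retention_days: int  # how far back this source can still be queried


# Constructed sample inventory (assumption: not real retention settings)
SOURCES = [
    LogSource("edr_process_telemetry", 30),
    LogSource("windows_security_event_log", 14),
    LogSource("siem_hot_storage", 90),
    LogSource("siem_cold_archive", 365),
    LogSource("dns_query_logs", 180),
]


def covers_incident_response(src: LogSource) -> bool:
    """True if the source holds at least the short window IR typically needs."""
    return src.retention_days >= IR_WINDOW_DAYS


def covers_forensics(src: LogSource, dwell_days: int = DWELL_MAX_DAYS) -> bool:
    """True if the source can reach back to initial access for a given dwell time."""
    return src.retention_days >= dwell_days


def intrusion_start(detected_on: date, dwell_days: int) -> date:
    """Estimated date of initial access, counting back from detection."""
    return detected_on - timedelta(days=dwell_days)


def evidence_gaps(sources, detected_on: date, dwell_days: int):
    """Return (name, days_missing) for every source whose oldest retained
    record is newer than the estimated intrusion start; days_missing is the
    number of attack days that predate anything the source still holds."""
    start = intrusion_start(detected_on, dwell_days)
    gaps = []
    for src in sources:
        oldest_record = detected_on - timedelta(days=src.retention_days)
        if oldest_record > start:
            gaps.append((src.name, (oldest_record - start).days))
    return gaps


def classify(sources, dwell_days: int = DWELL_MAX_DAYS):
    """Map each source name to whether it supports IR and forensic use."""
    return {
        src.name: {
            "ir": covers_incident_response(src),
            "forensics": covers_forensics(src, dwell_days),
        }
        for src in sources
    }


if __name__ == "__main__":
    for name, cov in classify(SOURCES).items():
        print(f"{name:32} IR={cov['ir']!s:5} forensics(300d)={cov['forensics']}")
    # Hypothetical detection date and dwell time, constructed for the demo
    for name, missing in evidence_gaps(SOURCES, date(2017, 6, 1), 200):
        print(f"{name}: first {missing} days of the intrusion are no longer retained")
```

Running the check against an inventory of your own sources shows where a forensic investigation would hit a wall: a source that comfortably covers the incident response window can still be missing most of a long-dwell intrusion, which is exactly the retention difference the two disciplines impose.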

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both types of work require strong log analysis and malware analysis skills. Incident response requires the ability to rapidly isolate an infected device and to develop ways to remediate or quarantine it. Interactions tend to be with other security and operations team members. Forensic analysis typically requires interactions with a much broader set of departments, including legal, compliance, operations and HR.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat from one device in near real time is a major determinant in keeping breaches isolated and limited in impact. Incident response, together with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. Nevertheless, the benefits of this work are undeniable. A comprehensive forensic investigation permits the removal of all threats through careful analysis of the entire attack chain of events. And that is no laughing matter.

Do your endpoint security processes make provision for both immediate incident response and long-term historical forensic analysis?
