Charles Leaver – Incident Response And Forensic Analysis Are Related But Different

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There may be a joke somewhere about the forensic analyst who was late to the incident response party. There is the seed of a joke in that idea at least, but you have to understand the differences between incident response and forensic analysis to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and related data sets, but they also have some crucial differences. There are four particularly important differences between forensic analysis and incident response:

– Objectives.
– Data requirements.
– Team skills.
– Benefits.

The difference in the goals of forensic analysis and incident response is perhaps the most fundamental. Incident response is focused on determining a quick (i.e., near real-time) reaction to an immediate threat or issue. For example, when a house is on fire, the firefighters who arrive to put that fire out are engaged in incident response. Forensic analysis is typically performed as part of a planned compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the total damage to the property, the cause of the fire, and whether the origin was such that other houses are also at risk. To put it simply, incident response is focused on containment of a threat or issue, while forensic analysis is focused on a full understanding and complete removal of a breach.

A second major difference between the disciplines is the data resources needed to accomplish those objectives. Incident response teams typically only require short-term data sources, often no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Bear in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the staff skills of incident response and forensic analysis teams, and in fact incident response is often thought of as a subset of the broader forensic discipline, there are important differences in job requirements. Both types of investigation require strong log analysis and malware analysis capabilities. Incident response requires the ability to quickly isolate a compromised device and to establish methods to remediate or quarantine it. Interactions tend to be with other security and operations staff. Forensic analysis typically requires interactions with a much broader set of departments, including HR, compliance, operations and legal.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat from one machine in near real time is a major determinant in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. Nevertheless, the benefits of this work are undeniable. A thorough forensic investigation permits the remediation of all threats through careful analysis of the entire attack chain of events. And that is nothing to laugh about.

Do your endpoint security processes allow both immediate incident response and long-term historical forensic analysis?
