Understanding The Distinction Between Incident Response And Forensic Analysis – Charles Leaver

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There might be a joke somewhere about the forensic analyst who was late to the incident response party. There is the seed of a joke in the idea at least, but obviously you have to understand the differences between incident response and forensic analysis to appreciate the potential for humor.

Forensic analysis and incident response are related disciplines that can use similar tools and related data sets, but they also have some crucial differences. There are four particularly important differences between forensic analysis and incident response:

– Goals.
– Data requirements.
– Team skills.
– Benefits.

The difference in the goals of forensic analysis and incident response is perhaps the most important. Incident response is focused on mounting a quick (i.e., near real-time) response to an immediate threat or concern. For instance, a house is on fire and the firefighters who arrive to put that fire out are doing incident response. Forensic analysis is typically performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the overall damage to the house, the cause of the fire, and whether the source was such that other houses face the same risk. In other words, incident response is focused on containment of a threat or problem, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

A second major difference between the disciplines is the data sources required to achieve those goals. Incident response teams normally only need short-term data sources, typically no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Remember that the typical dwell time of a successful attack is somewhere between 150 and 300 days.

While there is overlap in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are key differences in job requirements. Both kinds of work require strong log analysis and malware analysis capabilities. Incident response requires the ability to quickly isolate an infected device and to develop a means to remediate or quarantine it. Interactions tend to be with other operations and security staff members. Forensic analysis generally requires interactions with a much broader set of departments, including compliance, HR, legal and operations.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to eliminate a threat on one device in near real time is a significant determinant in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. However, the benefits of this work are indisputable. A thorough forensic examination allows the removal of all threats through careful analysis of an entire attack chain of events. Which is no laughing matter.

Do your endpoint security processes allow both immediate incident response and long-term historical forensic analysis?
