The Big Picture of the Security Incident Cycle

The security incident cycle consists of 4 major interrelated phases: Plan, Resist, Detect and Respond. Organizations that struggle with security incidents often do so because they focus too much on one of the phrases, ignoring the rest.

I discussed the big picture of the security incident cycle at the SANS Forensics Blog, building upon the presentation I heard from Richard Bejtlich. I also outlined common failures related to the cycle: Pussyfoot Planning, Resolute Resistance, Dramatic Detection and Ravenous Response.

In addition to failing to devote proper attention to each phase of the security incident cycle, organizations often fail at knowing when and how to transition from one phase to another when dealing with an incident. The challenge is in part due to the differences in technologies and skill sets used in each phase, as well as in the different reporting structure of teams that need to collaborate when navigating the cycle.


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more