The Big Picture of the Security Incident Cycle

The security incident cycle consists of 4 major interrelated phases: Plan, Resist, Detect and Respond. Organizations that struggle with security incidents often do so because they focus too much on one of the phrases, ignoring the rest.

I discussed the big picture of the security incident cycle at the SANS Forensics Blog, building upon the presentation I heard from Richard Bejtlich. I also outlined common failures related to the cycle: Pussyfoot Planning, Resolute Resistance, Dramatic Detection and Ravenous Response.

In addition to failing to devote proper attention to each phase of the security incident cycle, organizations often fail at knowing when and how to transition from one phase to another when dealing with an incident. The challenge is in part due to the differences in technologies and skill sets used in each phase, as well as in the different reporting structure of teams that need to collaborate when navigating the cycle.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more