Chuck Leaver – Forensic Analysis And Incident Response Are Related But Different

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


There may be a joke somewhere about the forensic analyst who was late to the incident response party. There is the seed of a joke in the idea at least, but naturally you have to understand the distinctions between incident response and forensic analysis to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and related data sets, but they also have some important distinctions. There are four particularly important differences between forensic analysis and incident response:

– Objectives.
– Data requirements.
– Team skills.
– Benefits.

The difference in the objectives of incident response and forensic analysis is perhaps the most essential. Incident response is focused on mounting a quick (i.e., near real time) reaction to an immediate threat or issue. For instance, when a house is on fire, the firefighters who arrive to put that fire out are doing incident response. Forensic analysis is usually carried out as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator might examine the remains of that house fire to determine the overall damage to the house, the cause of the fire, and whether the root cause puts other homes at the same risk. Simply put, incident response is focused on containment of a threat or problem, while forensic analysis is focused on a full understanding and comprehensive remediation of a breach.

A second major difference between the disciplines is the data resources needed to achieve those objectives. Incident response teams usually only require short-term data sources, often no more than a month or so, while forensic analysis teams normally need much longer-lived logs and files. Bear in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.
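The retention gap described above is easy to check concretely. The following script is an added example, not code from the post or from Ziften: it takes a constructed retention policy (days of history kept per endpoint data source, figures invented for illustration) and, for an intrusion discovered today after a given dwell time, reports which sources still hold evidence from the initial compromise and how much of the attacker's window each source can reconstruct. The source names, the `RETENTION_DAYS` table and the 30-day incident response window are assumptions; the 150 to 300 day dwell-time range is the one quoted in the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample policy (assumption): days of history retained per data source.
RETENTION_DAYS = {
    "edr_process_events": 30,
    "dns_query_logs": 14,
    "auth_logs": 90,
    "netflow": 45,
    "full_disk_image_archive": 365,
}

IR_WINDOW_DAYS = 30          # assumed short-term window an incident response team works with
DWELL_MIN_DAYS, DWELL_MAX_DAYS = 150, 300   # average dwell-time range quoted in the post


@dataclass
class Coverage:
    source: str
    retention_days: int
    covers_initial_compromise: bool   # True if the source still holds data from day 0 of the intrusion
    visible_days: int                 # how many days of the intrusion window the source can reconstruct


def coverage_for_dwell(retention: dict, dwell_days: int) -> list:
    """For an incident discovered today, after an attacker has been present for
    dwell_days, report how much of the intrusion each data source still covers."""
    report = []
    for source, days in retention.items():
        report.append(Coverage(
            source=source,
            retention_days=days,
            covers_initial_compromise=days >= dwell_days,
            visible_days=min(days, dwell_days),
        ))
    return report


def sources_missing_root_cause(retention: dict, dwell_days: int) -> list:
    """Sources whose retention is too short to show the initial compromise."""
    return sorted(c.source for c in coverage_for_dwell(retention, dwell_days)
                  if not c.covers_initial_compromise)


def earliest_visible_date(retention_days: int, discovered_on: date) -> date:
    """Oldest calendar day still present in a source, given the discovery date."""
    return discovered_on - timedelta(days=retention_days)


def ready_for(retention: dict, window_days: int) -> dict:
    """Per-source verdict: does retention satisfy a window of window_days?"""
    return {source: days >= window_days for source, days in retention.items()}


if __name__ == "__main__":
    today = date.today()
    print(f"Incident response window ({IR_WINDOW_DAYS} days):")
    for source, ok in ready_for(RETENTION_DAYS, IR_WINDOW_DAYS).items():
        print(f"  {source:25s} {'ok' if ok else 'GAP'}")
    for dwell in (DWELL_MIN_DAYS, DWELL_MAX_DAYS):
        print(f"\nForensic reconstruction after {dwell} days of dwell:")
        for c in coverage_for_dwell(RETENTION_DAYS, dwell):
            oldest = earliest_visible_date(c.retention_days, today)
            status = "covers day 0" if c.covers_initial_compromise else "root cause lost"
            print(f"  {c.source:25s} {c.visible_days:3d}/{dwell} days visible "
                  f"(back to {oldest}) {status}")
        print("  missing root cause:", ", ".join(sources_missing_root_cause(RETENTION_DAYS, dwell)))
```

Run as a script, it prints the verdicts for the 30-day incident response window and for both ends of the dwell-time range; in the constructed policy every source satisfies the incident response team, yet only the disk image archive reaches back far enough to show the initial compromise, which is precisely the data-requirements mismatch the post describes.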

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both types of work require strong log analysis and malware analysis skills. Incident response requires the ability to quickly isolate an infected device and to develop methods to remediate or quarantine it. Interactions tend to be with other operations and security team members. Forensic analysis generally requires interaction with a much broader set of departments, including legal, compliance, operations and HR.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to eliminate a threat on one machine in near real time is a significant determinant in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. Nevertheless, the benefits of this work are undeniable. A comprehensive forensic examination permits the remediation of all threats through careful analysis of the entire attack chain of events. Which is no laughing matter.

Do your endpoint security procedures make provision for both immediate incident response and long-lasting historical forensic analysis?