If you’ve been in information security for a while you’ve probably heard something like the following phrases many times:
These logs are full of incidents that haven’t been reported!
How many events make an incident?
I just got an event for the alert…
< cringe />
There is deep confusion—even among those in the field—about what constitutes an event, an alert, and an incident. Here’s a basic breakdown:
- An event is an observed change to the normal behavior of a system, environment, process, workflow or person. Examples: router ACLs were updated, firewall policy was pushed.
- An alert is a notification that a particular event (or series of events) has occurred, which is sent to responsible parties for the purpose of spawning action. Examples: the events above sent to on-call personnel.
- An incident is a human-caused, malicious event that leads to (or may lead to) a significant disruption of business. Examples: attacker posts company credentials online, attacker steals customer credit card database, worm spreading through network.*
[ NOTE: All incidents are events, but not all events are incidents. ]
If you had to capture it in one sentence, I’d go with this:
Events are captured changes in the environment, alerts are notifications that specific events took place, and incidents are special events that are 1) caused maliciously by a human, and 2) disrupt (or may disrupt) the business in a significant way.
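As an added example (not from the original post), here is a toy Python pipeline that keeps the three terms as three distinct objects: every captured log line becomes an event, only the events a rule matches produce an alert routed to someone, and an alert becomes an incident only once an analyst confirms both conditions above. The log lines, hostnames, user names, addresses, alert rules and the change window are all constructed for illustration.

```python
"""Added example, not code from the original post. Everything below
(log lines, hosts, users, rules, change window) is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    """An observed change: each captured log line becomes exactly one Event."""
    ts: datetime
    source: str
    kind: str
    fields: Dict[str, str]


@dataclass
class Alert:
    """A notification that specific events occurred, sent to someone who must act."""
    rule: str
    events: List[Event]
    notify: str


@dataclass
class Incident:
    """A special event (or series of events): human-caused, malicious, (potentially) disruptive."""
    title: str
    events: List[Event]


# Constructed sample log lines; hostnames, users and addresses are made up.
SAMPLE_LOG = """\
2015-01-25T09:01:00 core-rtr1 acl_update acl=edge_in by=netops
2015-01-25T09:02:10 fw-edge policy_push version=42 by=netops
2015-01-25T21:40:00 vpn-gw auth_fail user=jdoe src=198.51.100.7
2015-01-25T21:40:02 vpn-gw auth_fail user=jdoe src=198.51.100.7
2015-01-25T21:40:04 vpn-gw auth_fail user=jdoe src=198.51.100.7
2015-01-25T21:40:06 vpn-gw auth_fail user=jdoe src=198.51.100.7
2015-01-25T21:40:08 vpn-gw auth_fail user=jdoe src=198.51.100.7
2015-01-25T21:40:20 vpn-gw auth_ok user=jdoe src=198.51.100.7
2015-01-25T21:55:00 db-prod bulk_export table=customer_cards rows=250000 by=jdoe
"""


def parse_events(text: str) -> List[Event]:
    """Turn raw log lines into Events. Nothing here is an alert or an incident yet."""
    events = []
    for line in text.splitlines():
        ts, source, kind, rest = line.split(" ", 3)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(datetime.fromisoformat(ts), source, kind, fields))
    return events


# Assumed change window (hours): config changes inside it are routine events and
# generate no alert; changes outside it page the network on-call.
CHANGE_WINDOW = (8, 18)


def rule_change_outside_window(events: List[Event]) -> List[Alert]:
    """ACL updates and policy pushes outside the change window become alerts."""
    return [
        Alert("change_outside_window", [e], "netops-oncall")
        for e in events
        if e.kind in ("acl_update", "policy_push")
        and not (CHANGE_WINDOW[0] <= e.ts.hour < CHANGE_WINDOW[1])
    ]


def rule_bruteforce_then_success(events: List[Event], threshold: int = 5,
                                 window: timedelta = timedelta(minutes=1)) -> List[Alert]:
    """threshold failures for one user followed by a success inside the window:
    one alert that bundles the whole series of events for the security on-call."""
    alerts: List[Alert] = []
    recent_fails: Dict[str, List[Event]] = {}
    for e in events:
        if e.source != "vpn-gw":
            continue
        user = e.fields.get("user", "")
        fails = [f for f in recent_fails.get(user, []) if e.ts - f.ts <= window]
        if e.kind == "auth_fail":
            fails.append(e)
        elif e.kind == "auth_ok" and len(fails) >= threshold:
            alerts.append(Alert("bruteforce_then_success", fails + [e], "security-oncall"))
            fails = []
        recent_fails[user] = fails
    return alerts


def triage(alert: Alert, human_malicious: bool, disrupts_business: bool,
           title: str, related: List[Event] = ()) -> Optional[Incident]:
    """The analyst's decision. An alert becomes an incident only when BOTH
    conditions hold; otherwise it stays an alert that was handled and closed."""
    if human_malicious and disrupts_business:
        return Incident(title, alert.events + list(related))
    return None


def run_pipeline():
    """Wire the stages together and return (events, alerts, incidents) counts."""
    events = parse_events(SAMPLE_LOG)
    alerts = rule_change_outside_window(events) + rule_bruteforce_then_success(events)
    export = [e for e in events if e.kind == "bulk_export"]
    # The two flags stand in for the analyst's judgement on this constructed data.
    incidents = [i for i in (triage(a, True, True, "VPN account compromise with bulk export", export)
                             for a in alerts) if i]
    return len(events), len(alerts), len(incidents)


if __name__ == "__main__":
    print(run_pipeline())  # 9 events, 1 alert, 1 incident on the sample log
```

On the sample log the two daytime config changes stay plain events (no alert fires), the brute-force series produces one alert covering six events, and that alert only turns into an incident because the analyst flagged it as both human-malicious and business-disrupting; flip either flag and the same events remain "just" an alert.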
Hope this helps.
[ CREATED: January 25, 2015 ]
- It is possible to define incident in a number of ways based on the organization, but it will always be a special type of event that requires an organized and timely response.
- Many would-be incidents fail one of the two tests: they are disruptive but either not human-caused or not malicious (an earthquake, a routine HR update), or they are human-caused and malicious but never become a significant disruption. Unless both conditions are true at the same time, the information security department usually isn't the one handling them.
- There is some debate on whether to call something an event if it was not captured. I’m in the camp that says you don’t, which is why I defined it as an *observed* change.
- “Disruption of business” doesn’t just mean that the business is unable to function; it could also mean that those running the business have completely lost their sanity and are demanding answers.