Posted Jan 15, 01:28 PM by ben
Maybe I’m being a bit pedantic but there seems to be a recursive loop somewhere here. The information security lifecycle tends to be quoted as:
countermeasures/protect -> detect -> respond
prepare -> detect -> contain -> eradicate -> recover -> follow-up
While it makes logical sense to have detect as a stage in the entire IR process, that doesn’t mean it doesn’t deserve at least a chapter on the subject. And don’t you dare make that subject about Snort. Indeed, detection can be broken up into stages just like IR. Since I’ve yet to come across any in my own reading, here is my own process:
discover -> prioritize -> investigate -> escalate -> follow-up
This work by http://electricfork.com is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
I lead an information security ops and response team. This site is a collection of interesting notes and brainstorms on the protecting from, detecting of, and responding to badness.
I think the reason they focus on the other "stuff" is because it's sexy (like in the movies) to actually be on the hunt. I kind of equate the "detection/monitor" piece as being one of the "cold warriors" in a missile bunker... only called upon once shit hits the fan.
(BTW
— David · Jan 16, 09:00 AM · #