Blog

Updating your main database: your brain

June 10 2019

event, alert, and incident

Event, alert, and incident. What is the difference?

If you’ve been in information security for a while you’ve probably heard news saying things like the following on many occasions:

-          These logs are full of incidents that haven’t been reported!

-          How many event alerts make an incident?

-          I just got an event for the alert.

There is deep confusion -even among those in the field-about what constitutes an event, and alert, and an incident.

Here’s my breakdown based on analysis of many different industry definitions:

  • An event is an observed change to the normal behaviour of a system, environment, process, workflow or person. Examples: router ACLs were updated; firewall policy was pushed.
  • An alert is a notification that a particular event (or series of events) has occurred, which is sent to responsible parties for the purpose of spawning action. Examples: the events above sent to on-call personnel.
  • An incident is an event that negatively effects the confidentiality, integrity, and/or availability (CIA) at an organization in a way that impacts the business. Examples: attackers posts company credentials online, attacker steals customer credit card database, worm spreads through network.

Summary sentence: events are captured changes in the environment, alerts are notifications that specific events took place, and incidents are special events that negatively impact CIA and cause an impact the business.

Keys:

  1. It is possible to define incident in a number of ways based on the organization, and it’s ok for there to be some variance based on different organizational needs. But it will always be a special type of event that requires an organized and timely response.
  2. NIST and CERT define an incident as a violation of explicit or implied policy, and in my opinion that’s far too common in most organizations to be practical. When deciding how broad or narrow of a definition to use, consider that all incidents should spawn an IR response. If you’re not able to do that because there are thousands or millions of them per day or week, adjust your definition accordingly.
  3. Another important point on this definition of incident that I’m using is that it must impact the business. If it negatively affects CIA but there is no impact to the business, it seems strange to label that as an incident in the same way as something that does.
  4. CERT uses the NIST 800-61 definition of “An incident is the act of violating an explicit or implied security policy.”
  5. Many would-be incidents are either human-caused but non-malicious, or are human/malicious but don’t become an issue, but unless both are true simultaneously, they aren’t often handled by the information security department. E.g., earthquake, HR update.
  6. There is some debate on whether to call something an event if it was not captured. I’m in the camp that says you don’t, which is why I defined it as an *observed* change.
  7. “Disruption of business” doesn’t just mean that the business is unable to function; it could also mean that those running the business have completely lost their sanity and are demanding answers.

 

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read more