Charles Leaver – What’s The Key Difference Between Forensic Analysis And Incident Response?

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There might be a joke somewhere about the forensic analyst who was late to the incident response party. There is at least the seed of a joke in the idea, but naturally you need to understand the differences between forensic analysis and incident response to appreciate the potential for humor.

Forensic analysis and incident response are related disciplines that can leverage similar tools and related data sets, but they also have some important distinctions. There are four especially important distinctions between incident response and forensic analysis:

– Objectives.
– Requirements for data.
– Team abilities.
– Advantages.

The difference in the objectives of incident response and forensic analysis is possibly the most important. Incident response is focused on mounting a fast (i.e., near real-time) response to an immediate threat or concern. For example, when a house is on fire, the firefighters who arrive to put that fire out are engaged in incident response. Forensic analysis is usually performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the total damage to the property, the cause of the fire, and whether the origin was such that other homes are also at risk. To put it simply, incident response is focused on containment of a threat or concern, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

A second significant difference between the disciplines is the data resources needed to achieve those goals. Incident response teams typically require only short-term data sources, often no more than a month or so, while forensic analysis teams typically need much longer-lived logs and files. Keep in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both kinds of investigation require strong log analysis and malware analysis capabilities. Incident response requires the ability to rapidly isolate an infected device and to establish ways to remediate or quarantine it. Interactions tend to be with other operations and security staff members. Forensic analysis normally requires interactions with a much broader set of departments, including HR, compliance, operations, and legal.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to eliminate a threat on one machine in near real time is a significant determinant in keeping breaches isolated and limited in effect. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. However, the benefits of this work are undeniable. A thorough forensic examination allows the removal of all threats through careful analysis of the entire attack chain of events. And that is nothing to laugh about.

Do your endpoint security processes accommodate both instant incident response, and long-term historical forensic analysis?