---
title: "Incident response - definition & overview"
page_name: "Incident response"
type: "glossary"
slug: "incident-response"
published_at: "2025-02-18"
modified_at: "2025-09-26"
url: "https://www.sumologic.com/glossary/incident-response"
canonical: "https://www.sumologic.com/glossary/incident-response"
markdown_url: "https://www.sumologic.com/glossary/incident-response.md"
lang: "en"
excerpt: "Explore what incident response is, why it's important, how it works, the six phases of incident response, and how it compares to disaster recovery. Learn how Sumo Logic is the ultimate tool for CSIRT teams, empowering security analysts and operators with log file aggregation that gives ultimate insight and transparency into network events and security incidents."
---

# Incident response


## What is incident response?

Incident response is a documented, formalized set of policies and procedures for incident management across cyber attacks, security breaches and other types of IT or security incidents. When a security event or suspicious activity is detected, either by an IT operator or by your IT organization’s intrusion detection software or [SIEM](https://www.sumologic.com/guides/siem) [tool](http://www.sumologic.com/glossary/siem-tools), an effective response can help protect valuable data assets, limit damage to internal systems and reduce the overall cost and impact of the security breach.

### Why incident response is important

In the context of an enterprise IT organization, incident response tasks are usually conducted and managed by a computer security incident response team (CSIRT). These groups may contain security analysts, IT operators, IT managers and C-level executives who work together to establish an effective incident response plan (IRP) and execute it when a security incident is detected.

A well-documented incident response process helps IT organizations move from a reactive to a proactive stance, with clear protocols for detecting, mitigating and eliminating security threats during incident handling. IT organizations should continually improve their incident response planning and processes to account for new threat intelligence and enhance their security posture against future incidents.

Cyber security is an issue of significant importance for businesses and organizations that increasingly deploy critical applications and [IT infrastructure](http://www.sumologic.com/glossary/it-infrastructure) in [hybrid cloud](http://www.sumologic.com/glossary/hybrid-cloud) environments. While modern methods of computing are both efficient and cost-effective, increasingly disparate cloud-based infrastructure may expose security vulnerabilities that become attack vectors for cyber attacks. A complete incident response strategy is necessary to respond effectively to the range of security incidents that can be detected in these environments.

From a [cyber security](http://www.sumologic.com/glossary/cyber-security) perspective, the proliferation of big data has made financially motivated cyber attackers more eager to steal data from businesses.

With security incidents and data breaches on the rise, most enterprise organizations have invested heavily in IT security to shore up their defenses. In turn, cyber attackers have started to go after small and medium-sized businesses that may have weaker countermeasures and incident response processes in place to deal with cyber attacks.

While some security incidents or cyber attacks can be prevented or mitigated outright, IT organizations must have the proper incident response processes in place to deal with cyber security threats in a timely way and prevent the massive financial and legal repercussions that can accompany a data breach.

### What is an incident response team?

A computer security incident response team (CSIRT) is a working group of IT professionals responsible for incident handling and incident management across an organization. CSIRT teams are multi-disciplinary and cross-functional – they contain members from different areas of IT and the business who provide different perspectives and complementary skill sets. The most important responsibilities of CSIRT teams include:

- Establishing, maintaining and continually improving a documented incident response plan
- Investigating security incidents
- Conducting forensic analysis of past security incidents
- Facilitating internal communications between the IT organization and users in regard to current, ongoing and resolved incidents through a structured communication plan
- Communicating with other stakeholders about the results of incidents, liaising with threat intelligence organizations, shareholders, customers, media, government, etc.
- Mitigating incidents and managing incident recovery
- Reviewing results and recommending new policies, processes, technology, training or roles to improve the IT organization’s security posture against future incidents

### Six phases of incident response planning

Many IT organizations carry out incident response planning according to a six-phase process described by the SANS Institute, an organization that specializes in providing computer security training and certifications. The six phases can be understood as follows:

1. **Preparation** – Ensuring that users, IT staff and members of the CSIRT are ready to handle any potential incidents that could arise
2. **Identification** – Establishing criteria for determining whether a security event qualifies as an IT or security incident
3. **Containment** – Processes for limiting the damage caused by a security incident, including quarantine of the affected systems and infrastructure components
4. **Eradication** – Processes for determining the origin or root cause of the incident and removing the affected systems from the live environment
5. **Recovery** – Removing the threat from affected systems and deploying those systems back into the live environment when it is verified that no threat remains
6. **Lessons learned** – Capturing data from the process to learn more about the incident and improve future response through modifications to the IRP

Incident response plans also typically contain a defined breach notification process that establishes how the CSIRT will communicate to users, customers and other stakeholders about a breach. There should also be provisions for testing the system, including running drills and simulations to ensure that members of the CSIRT can function effectively in their roles when a genuine incident occurs.

### Incident response vs. disaster recovery

When it comes to cyber security issues, there are events, incidents and disasters. An event is anything that happened – it might be an incident or it might not. An incident means that a security threat was detected and needs to be investigated, while a disaster means that a threat was detected and **the threat damaged business continuity**.

This distinction explains the difference between incident response and disaster recovery. Incident response is a coordinated plan for responding to incidents with the goal of mitigating damage and reducing costs. Disaster recovery is all about getting the business back online after an unplanned interruption caused by a security incident.

### Sumo Logic delivers automated incident response functionality

Sumo Logic is the ultimate tool for CSIRT teams, empowering security analysts and operators with [log file aggregation](http://www.sumologic.com/solutions/log-management) that gives ultimate insight and transparency into network events and security incidents. In addition to customer alerts, benchmarking and an automated ticket system for capturing incident reports, Sumo Logic offers enhanced [threat detection](http://www.sumologic.com/solutions/threat-detection-investigation) with [machine learning](http://www.sumologic.com/glossary/machine-learning), integrated [threat intelligence](http://www.sumologic.com/glossary/threat-intelligence) and automated incident response capabilities.

### FAQs

**How does cloud security monitoring automate incident response?**

When an alert is triggered based on suspicious activity or a security breach in the cloud environment, [cloud security monitoring](https://www.sumologic.com/glossary/cloud-security-monitoring) solutions [automate security incident response](https://www.sumologic.com/blog/how-to-implement-incident-response-automation-the-right-way) by using predefined rules and remediation [playbooks](https://www.sumologic.com/blog/flexible-incident-response-playbooks-for-any-situation) to detect and automatically respond to security incidents swiftly and effectively.

**How can I evaluate the effectiveness of a cloud security monitoring solution?**

- Conduct routine audits
- Test your incident response procedures regularly
- Confirm you have visibility into all cloud assets and activities
- Ensure it meets industry [compliance](https://www.sumologic.com/video/compliance-made-easy/) standards and regulations
- Verify it covers all aspects of cloud security, including [threat detection](https://www.sumologic.com/glossary/threat-detection-response), vulnerability management and data protection
- Turn on [real-time alerting](https://www.sumologic.com/blog/ai-driven-low-noise-alerts)
- Implement continuous monitoring

**How do SIEM tools work?**

SIEM delivers superior incident response and enterprise security outcomes through several key capabilities, including:

**Data collection** – SIEM tools aggregate event and system logs and security data from various sources and applications in one place.

**Correlation** – SIEM tools use various correlation techniques to link bits of data with common attributes and help turn that data into actionable information for SecOps teams.

**Alerting** – SIEM tools can be configured to automatically alert SecOps or IT teams when predefined signals or patterns are detected that might indicate a security event.

**Data retention** – SIEM tools are designed to store large volumes of log data, ensuring that security teams can correlate data over time and enabling forensic investigations into threats or cyber-attacks that may have initially gone undetected.

**Parsing, log normalization and categorization** – SIEM tools make it easier for organizations to parse through logs that might have been created weeks or even months ago. Parsing, log normalization and categorization are additional features of SIEM tools that make logs more searchable and help to enable forensic analysis, even with millions of log entries to sift through.
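As an added example (not code from the original page or from Sumo Logic), the following Python sketch walks through the collection, parsing, normalization, correlation and alerting steps the answer above describes. It runs over constructed sample log lines in two formats; the hosts, users, addresses and the rule name are invented for the illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in two formats (syslog-style sshd lines and a JSON VPN event),
# as a SIEM would collect them from different sources. All values are invented.
RAW_LOGS = [
    "Feb 18 10:00:01 web01 sshd[101]: Failed password for admin from 203.0.113.5 port 5010",
    "Feb 18 10:00:03 web01 sshd[101]: Failed password for admin from 203.0.113.5 port 5011",
    '{"ts": "2025-02-18T10:00:05Z", "host": "vpn01", "user": "admin", "src": "203.0.113.5", "outcome": "failure"}',
    "Feb 18 10:00:09 web01 sshd[101]: Accepted password for admin from 203.0.113.5 port 5012",
    "Feb 18 10:01:00 web01 sshd[102]: Accepted password for bob from 198.51.100.7 port 6000",
]
SYSLOG_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(line, year=2025):
    """Parse one raw line into a common schema (parsing + normalization); None if the format is unknown."""
    if line.startswith("{"):
        rec = json.loads(line)
        return {"ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": rec["host"],
                "user": rec["user"], "src": rec["src"], "outcome": rec["outcome"]}
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), "host": m.group(2),
            "user": m.group(4), "src": m.group(5),
            "outcome": "failure" if m.group(3) == "Failed" else "success"}

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Correlate events by the common attributes (source IP, user): raise an alert when `threshold`
    or more failures precede a success within `window`, even if the failures hit different hosts."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (src, user) -> failure events not yet closed by a success
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        if e["outcome"] == "failure":
            failures[key].append(e)
            continue
        recent = [f for f in failures[key] if e["ts"] - f["ts"] <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src": e["src"], "user": e["user"],
                           "failures": len(recent), "hosts": sorted({f["host"] for f in recent} | {e["host"]}),
                           "ts": e["ts"].isoformat()})
        failures[key] = []  # a success closes the correlation window for this key
    return alerts

if __name__ == "__main__":
    print(correlate(RAW_LOGS))
```

Retention is what makes the `window` argument meaningful: the failures and the later success only line up because all of them are still available to query when the last event arrives.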

