DevOps Glossary

Incident Response

What is Incident Response?

Incident Response is a documented, formalized set of policies and procedures for managing cyber attacks, security breaches and other types of IT or security incidents. When a cyber attack is detected, either by an IT operator or by your IT organization's intrusion detection software or SIEM tool, effective handling of the situation can help to protect valuable data assets, limit damage to internal systems and reduce the overall cost and impact of the security breach.

In the context of an enterprise IT organization, incident response tasks are usually conducted and managed by a computer security incident response team (CSIRT). These groups may contain security analysts, IT operators, IT managers and C-level executives who work together to establish an effective incident response plan (IRP) and execute it when a security incident is detected.

Incident response planning helps IT organizations approach security incidents from a state of readiness, with clear protocols for detecting, mitigating and eliminating security threats. IT organizations should continually improve their incident response planning and processes to account for new threat intelligence and enhance their security posture against future incidents.

Why Incident Response is Important

Cyber security is an issue of significant importance for businesses and organizations that increasingly deploy critical applications and IT infrastructure in hybrid cloud environments. While modern methods of computing are both efficient and cost-effective, increasingly dispersed cloud-based infrastructure widens the attack surface: every additional service, account and network path is a potential vector for a cyber attack. A complete incident response strategy is necessary to respond effectively to the range of security incidents that can be detected in these environments.

The rapid growth of global data is also driving adoption rates of incident response planning. Proliferation of digital technologies and an increase in data generation, collection and capture mean that humans are creating and storing more data than ever before. How much more? In 2010, humans had generated a total of 1.2 zettabytes of data according to one report - that's 1.2 trillion gigabytes. By 2015, the total had increased to 7.9 zettabytes, and it was projected to reach 35 zettabytes by 2020.

From a cyber security perspective, the proliferation of big data has made businesses a more attractive target for financially motivated attackers seeking to steal data. In 2005, there were just 157 reported data breaches in the United States. In 2010, the figure had climbed to 662, and it continued to climb through 2017, a year in which over 1,500 data breaches were reported.

With security incidents and data breaches on the rise, most enterprise organizations have invested heavily in IT security to shore up their defenses. In turn, cyber attackers have started to go after small and medium-sized businesses who may have weaker countermeasures and incident response processes in place to deal with cyber attacks.

While some security incidents or cyber attacks can be prevented or mitigated outright, IT organizations must have the proper incident response processes in place to deal with cyber security threats in a timely way and prevent the massive financial and legal repercussions that can accompany a data breach.

What is an Incident Response Team?

A computer security incident response team (CSIRT) is a working group of IT professionals that manages key responsibilities connected to the incident response process. CSIRTs are multi-disciplinary and cross-functional - they contain members from different areas of IT and the business who provide different perspectives and complementary skill sets. The most important responsibilities of a CSIRT include:

  • Establishing, maintaining and continually improving a documented Incident Response Plan
  • Investigating security incidents
  • Conducting forensic analysis of past security incidents
  • Facilitating internal communications between the IT organization and users in regard to current, ongoing and resolved incidents
  • Communicating with other stakeholders about the results of incidents, liaising with threat intelligence organizations, shareholders, customers, media, government, etc.
  • Mitigating incidents and managing incident recovery
  • Reviewing results and recommending new policies, processes, technology, training or roles to improve the IT organization's security posture against future incidents

Six Phases of Incident Response Planning

Many IT organizations carry out incident response planning according to a six-phase process described by the SANS Institute, an organization that specializes in providing computer security training and certifications. The six phases can be understood as follows:

  1. Preparation - Ensuring that users, IT staff and members of the CSIRT are ready to handle any potential incidents that could arise
  2. Identification - Detecting and classifying security events, with clear criteria for deciding when an event qualifies as an IT or security incident and how severe it is
  3. Containment - Limiting the damage caused by a security incident, including quarantine of the affected systems and infrastructure components, while preserving evidence for later analysis
  4. Eradication - Determining the origin or root cause of the incident and removing the threat itself (malware, attacker access, vulnerable components) from the affected systems
  5. Recovery - Restoring the cleaned systems to the live environment once it is verified that no threat remains, and monitoring them for signs of recurrence
  6. Lessons Learned - Capturing data from the process to learn more about the incident and improve future response through modifications to the IRP

Incident response plans also typically contain a defined breach notification process that establishes how the CSIRT will communicate to users, customers and other stakeholders about a breach. There should also be provisions for testing the system, including running drills and simulations to ensure that members of the CSIRT can function effectively in their roles when a genuine incident occurs.

Incident Response vs Disaster Recovery


Do you know the difference between incident response and disaster recovery? Are they just different names that describe the process of recovering after a security incident or cyber attack? While there is some overlap between the two, incident response and disaster recovery processes are not quite the same thing.

When it comes to cyber security, there are events, incidents and disasters. An event is any observable occurrence on a system or network - a login, a blocked connection, a configuration change - and it may or may not turn out to be an incident. An incident is an event (or a related set of events) that threatens the security of systems or data and needs to be investigated. A disaster is an unplanned interruption that damages business continuity, whether it is caused by a security incident or by something else, such as a hardware failure or a natural disaster.

This distinction explains the difference between incident response and disaster recovery. Incident response is a coordinated plan for responding to incidents with the goal of mitigating damage and reducing costs. Disaster recovery is about getting the business back online after an unplanned interruption; when a security incident escalates into a disaster, the two processes run side by side, with incident response handling the threat and disaster recovery restoring operations.
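The Identification and Containment phases above, and the event-versus-incident distinction just drawn, are easier to see with a concrete rule. The following is an added illustration, not Sumo Logic's code: it parses constructed SSH authentication log lines, treats every line as a mere event, promotes a (host, source) stream to an incident only when an assumed criterion is met (five failed logins from one source against one host inside 60 seconds), rates a success that follows such a burst as a probable compromise, and attaches the containment actions a responder would start with. The log format, thresholds, host names, addresses and actions are all assumptions chosen for the example.

```python
"""Identification and containment over raw authentication events.
Added illustration, not Sumo Logic code: log format, thresholds and actions are assumed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample log (documentation address ranges, fictitious hosts and users).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd host=web-01 user=deploy src=203.0.113.7 result=FAIL
2024-03-01T10:00:03Z sshd host=web-01 user=deploy src=203.0.113.7 result=FAIL
2024-03-01T10:00:05Z sshd host=web-01 user=deploy src=203.0.113.7 result=FAIL
2024-03-01T10:00:07Z sshd host=web-01 user=deploy src=203.0.113.7 result=FAIL
2024-03-01T10:00:09Z sshd host=web-01 user=deploy src=203.0.113.7 result=FAIL
2024-03-01T10:00:12Z sshd host=web-01 user=deploy src=203.0.113.7 result=SUCCESS
2024-03-01T10:05:00Z sshd host=web-02 user=alice src=198.51.100.4 result=FAIL
2024-03-01T10:05:30Z sshd host=web-02 user=alice src=198.51.100.4 result=SUCCESS
2024-03-01T10:10:00Z sshd host=web-03 user=root src=192.0.2.9 result=FAIL
2024-03-01T10:10:10Z sshd host=web-03 user=root src=192.0.2.9 result=FAIL
2024-03-01T10:10:20Z sshd host=web-03 user=admin src=192.0.2.9 result=FAIL
2024-03-01T10:10:30Z sshd host=web-03 user=root src=192.0.2.9 result=FAIL
2024-03-01T10:10:40Z sshd host=web-03 user=admin src=192.0.2.9 result=FAIL
2024-03-01T10:20:00Z sshd host=web-02 user=bob src=198.51.100.77 result=FAIL
2024-03-01T10:20:40Z sshd host=web-02 user=bob src=198.51.100.77 result=FAIL
2024-03-01T10:21:20Z sshd host=web-02 user=bob src=198.51.100.77 result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$")
FAIL_THRESHOLD = 5               # assumed criterion: this many failures from one source
WINDOW = timedelta(seconds=60)   # against one host inside this window make an incident


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str
    raw: str


@dataclass
class Incident:
    severity: str
    host: str
    src: str
    users: list
    first_seen: datetime
    last_seen: datetime
    evidence: list = field(default_factory=list)     # raw log lines backing the call
    containment: list = field(default_factory=list)  # first actions for the responder


def parse_events(text):
    """Every parseable line is an event; no judgement is made at this stage."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(Event(ts, m["host"], m["user"], m["src"], m["result"], raw))
    return events


def classify_group(host, src, evs):
    """Identification: does this (host, source) stream of events meet the incident criteria?"""
    evs = sorted(evs, key=lambda e: e.ts)
    for i, ev in enumerate(evs):
        window = [e for e in evs[: i + 1] if ev.ts - e.ts <= WINDOW]
        fails = [e for e in window if e.result == "FAIL"]
        if len(fails) < FAIL_THRESHOLD:
            continue
        # Threshold met. A success within WINDOW of the last failure means the credential
        # was probably guessed: a likely compromise rather than a failed probe.
        success = next((e for e in evs[i:] if e.result == "SUCCESS"
                        and e.ts - fails[-1].ts <= WINDOW), None)
        evidence = window + ([success] if success and success not in window else [])
        users = sorted({e.user for e in evidence})
        who = ", ".join(users)
        if success:
            severity, containment = "high", [
                f"block {src} at the perimeter",
                f"isolate {host} and capture volatile state before rebuilding it",
                f"terminate sessions and rotate credentials for {who}"]
        else:
            severity, containment = "medium", [
                f"block {src} at the perimeter",
                f"lock out {who} on {host} pending review"]
        return Incident(severity, host, src, users, evidence[0].ts, evidence[-1].ts,
                        [e.raw for e in evidence], containment)
    return None   # slow or isolated failures stay events; nobody is paged for them


def triage(text):
    """Group events by (host, source), classify each group, return incidents oldest first."""
    groups = {}
    for ev in parse_events(text):
        groups.setdefault((ev.host, ev.src), []).append(ev)
    found = [classify_group(h, s, evs) for (h, s), evs in groups.items()]
    return sorted((inc for inc in found if inc), key=lambda inc: inc.first_seen)


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(f"[{inc.severity.upper()}] {inc.host} <- {inc.src} users={inc.users}")
        print("  containment:", "; ".join(inc.containment))
```

On the sample, sixteen events become two incidents: the burst against web-01 that ends in a successful login is rated high, the five failures against web-03 with no success are rated medium, and the single failure from alice and the slow trickle from bob (three failures 40 seconds apart, never five inside one window) remain events. The criterion is deliberately simple; a real plan would tune the threshold per service and also watch for low-and-slow patterns that this window misses, which is exactly the kind of adjustment the Lessons Learned phase feeds back into the IRP.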

Sumo Logic Delivers Automated Incident Response Functionality

Sumo Logic supports CSIRTs by giving security analysts and operators log aggregation with insight into network events and security incidents. In addition to customer alerts, benchmarking and an automated ticket system for capturing incident reports, Sumo Logic offers enhanced threat detection with machine learning, integrated threat intelligence and automated incident response capabilities.