How to define a security incident

Events or incidents?

Events, as it turns out, is a rather important word when it comes to understanding incidents. The US standards authority NIST defines a security incident as being "a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices."

But this, as Mike Small, analyst at Kuppinger Cole and ISACA security advisory group (SAG) member told me, is very different from an event.

"An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt," Small says.

There are also those 'adverse events' or those with negative consequences, such as system crashes, packet floods, unauthorised use of system privileges, unauthorised access to sensitive data, and execution of malware that destroys data. It's important to understand these differences in order to be able to determine what an incident is, and how to respond to it.

"Events trigger non-stop and often flood our event collectors (SIEMs) with sometimes millions of events per day," explains Ashley Stephenson, CEO of Corero Network Security. The challenge therefore, according to Stephenson, is to find the actual security incident among those events. "A security incident can therefore be defined as a collection of security events that equates to an actual security breach,'" he says.

If only it were that easy though, and often differentiating between an incident and something that had an impact is very subjective. "At Tenable, we get scanned everyday by botnets, internet scanners, malware and so on," says Ron Gula, Tenable Network Security CEO. "You need to be an expert to really determine if you are the next person on someone's list or you are indeed being targeted."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.