SEC504: Hacker Tools, Techniques, and Incident Handling

As more data on computer forensics becomes available, many have come to realize that the resource cost involved in incident handling situations is fairly significant. In addition, staffing an incident handling team with the proper skills required to carry out incident handling effectively is quite a challenge. This is even more of a challenge for many large organizations with sizeable networks. As such, it is in their best interest to deploy such scarce resources optimally. As in the case of a less than optimized intrusion detection system, incident handlers are often sent on a wild goose chase when the 'incident' turns out to be an 'event'. This type of activity is itself a risk, as it consumes cycles that should go to real incidents. As with an intrusion detection system, it would make sense to apply some form of filter to eliminate most of the false positives. For incident handling, filtering of 'events' can be provided through the use of a security helpdesk or junior security staff. However, guidelines and training must be provided in order for these junior staff to carry out the intended function. This paper is an attempt at clarifying 'events' and 'incidents' for training purposes, so that effective filtering can be applied when it comes to reporting an incident.