Security Events, Incidents, and Breaches Explained

August 20, 2014

In today's Whiteboard Wednesday, Chris Kirsch, Principal Product Marketing Manager at Rapid7 for InsightIDR (formerly UserInsight) will discuss the difference between security events, incidents, and breaches.

Video Transcript

Hello and welcome to this Whiteboard Wednesday. My name is Chris Kirsch, I am the Principal Product Marketing Manager here at Rapid7 for UserInsight and today I'd like to talk about the differences between events, incidents, and breaches. Because those three terms are very closely related, there's often a lot of confusion in the market. Especially in marketing, folks like me like to overuse breaches a lot so we thought we'd point out the difference a little bit.


So, first of all, let's start out with an event. An event is something fairly regular that happens on your network every day. For example, you start a particular service on a machine. That is an event that's logged and that's reported. A user logs onto a system: standard event. Nothing wrong with that, but it's something you usually find in logs.

Then there are things like adverse events, things that happen on the network but that are not really good. So, for example, a system crash. You don't want that to happen on your network, but it does happen and it does get logged. Things like unauthorized access to information also get logged.

Now, what's the difference between an adverse event and an incident? An incident is when that adverse event actually violates your policy, typically your internal policy, like an acceptable use policy or a security policy, or it violates your standard security practices. Now the difference between an incident and a breach is that in a breach, typically you have loss of some kind of important information: personally identifiable information, protected health information, credit card data and so on.

Typically, when you lose this kind of data and disclose it to a third party, then that violates some kind of third-party regulation or even, for example, a breach notification law. So often the confusion is between the incident and the breach. So, here, an incident would be something that you investigate internally. It's probably reasonably high volume. You have a couple… a month and so on that you're investigating to figure out: was there something associated with that? Is there more to it than just an unauthorized access? And breaches are, hopefully, very rare. This is when you actually have to publicly disclose, and a lot of the time you might face fines and so on.

All right, and a lot of people pay very close attention to whether breach is spelled with a capital or a lower-case b. Lower-case b means you've disclosed some information that you shouldn't have. Capital B means you have violated some kind of external third-party policy, regulation, or law.

All right, that's it for this topic. If you have any requests for us to cover in our Whiteboard Wednesdays, please send us a tweet, @rapid7 and use the hashtag WBW for Whiteboard Wednesday, and we'll try to get to your topic very soon. Thank you and see you next week.
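The ladder the transcript walks (event, adverse event, incident, breach) is easy to encode as a triage rule over parsed log records. The following is an added example written for this page; it is not InsightIDR or UserInsight code, and the policy table, the field names (`action`, `data_class`, `dest`) and the sample log lines are all constructed assumptions standing in for an organisation's own acceptable-use and security policies.

```python
"""Triage constructed log lines into event / adverse event / incident / breach.

Added example, not product code. The POLICY table is a hypothetical stand-in
for an organisation's acceptable-use and security policies.
"""
from enum import Enum


class Tier(Enum):
    EVENT = "event"                  # routine, just logged
    ADVERSE_EVENT = "adverse event"  # unwanted, but no policy violated
    INCIDENT = "incident"            # adverse and violates internal policy
    BREACH = "breach"                # regulated data lost to a third party


# Hypothetical policy table: which logged actions are adverse, and which of
# those violate internal policy (acceptable use / security policy).
POLICY = {
    "service_start":         {"adverse": False, "violates_policy": False},
    "user_logon":            {"adverse": False, "violates_policy": False},
    "system_crash":          {"adverse": True,  "violates_policy": False},
    "unauthorized_access":   {"adverse": True,  "violates_policy": True},
    "unauthorized_transfer": {"adverse": True,  "violates_policy": True},
}

# Data classes whose disclosure to a third party typically triggers external
# regulation or breach-notification law (the transcript's three examples).
REGULATED_DATA = {"PII", "PHI", "PCI"}


def parse_line(line):
    """Parse a constructed 'key=value key=value ...' log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(rec):
    """Map one parsed record to a tier by walking the transcript's ladder."""
    rule = POLICY.get(rec.get("action"))
    if rule is None or not rule["adverse"]:
        return Tier.EVENT                       # routine or unknown: just an event
    if not rule["violates_policy"]:
        return Tier.ADVERSE_EVENT               # bad, but no policy broken
    regulated = rec.get("data_class") in REGULATED_DATA
    if regulated and rec.get("dest") == "external":
        return Tier.BREACH                      # regulated data left the org
    return Tier.INCIDENT                        # policy violation, investigate


def triage(lines):
    """Classify every line; return (per-line results, count per tier)."""
    results = [(line, classify(parse_line(line))) for line in lines]
    counts = {tier: 0 for tier in Tier}
    for _, tier in results:
        counts[tier] += 1
    return results, counts


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "ts=2014-08-20T09:00:01 host=web01 action=service_start svc=httpd",
    "ts=2014-08-20T09:00:05 host=web01 action=user_logon user=alice",
    "ts=2014-08-20T09:01:10 host=db02 action=system_crash",
    "ts=2014-08-20T09:02:30 host=fs01 action=unauthorized_access user=bob path=/finance",
    "ts=2014-08-20T09:03:00 host=fs01 action=unauthorized_transfer user=bob data_class=PII dest=internal",
    "ts=2014-08-20T09:04:15 host=fs01 action=unauthorized_transfer user=bob data_class=PCI dest=external",
]

if __name__ == "__main__":
    results, counts = triage(SAMPLE_LOG)
    for line, tier in results:
        print(f"{tier.value:14s} {line}")
    for tier, n in counts.items():
        print(f"{tier.value}: {n}")
```

Note how the volume falls off as you climb the ladder: routine events dominate, incidents are the day-to-day investigation queue, and only the record that moves regulated data to an external destination reaches the breach tier where disclosure obligations come into play.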
