Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

The Three Ds of Incident Response

As security organizations seek better ways to respond more quickly to insider threat security incidents, they can gain a lot of speed and effectiveness by taking a fundamental three-pronged approach. I like to call this approach the three Ds of incident response: deter, detect and detail. Each of these steps feed into each other in a cyclical manner.

As security organizations seek better ways to respond more quickly to insider threat security incidents, they can gain a lot of speed and effectiveness by taking a fundamental three-pronged approach. I like to call this approach the three Ds of incident response: deter, detect and detail. Each of these steps feed into each other in a cyclical manner. The idea is to first deter potential threats, then detect any incidents that proceed with as near real-time alerting as possible, then have the detail to see exactly what happened.

Let’s take a look at how the three Ds work together.


Implementing an employee monitoring program and putting the three Ds process into place can act as a strong means of deterring inappropriate behavior or malicious intent by insiders. If they know their activity is being watched—something akin to discouraging crime in a parking garage by putting cameras in place – then employees are much more likely to be on their best behavior in all facets of their worksite activity.

Tell your employees that you have methods to monitor activity on company-owned devices and networks. Then follow that up with efforts that nip problems in the bud to demonstrate that security incidents won’t go ignored in your organization.

There’s no need to tell them what the methods are, as you don’t want to encourage them to investigate and seek ways to skirt around those methods. But when they see that bad behaviors lead to repercussions, that understanding will do a lot in terms of deterring future bad behavior across the board.


The majority of incidences of fraud, IP theft, data leaks, privileged user risk, noncompliance, or other forms of inappropriate behavior are typically not found by the internal security systems at organizations. In most cases they’re actually discovered by third parties, often long after the incident has done its damage. According to the 2013 Verizon Data Breach Investigation Report (DBIR), 69 percent of breaches today are discovered by external parties, whether it be law enforcement, partners or customers who have to tell affected organizations what’s going on in their own environments. What’s more, 66 percent of incidents took months or more to discover, the DBIR reported.

These stats are a symptom of a major failing within many organization’s current security practices. Security organizations today are not aware of what’s happening within their own infrastructure because they don’t have the processes or technology in place to alert them to problems.

Organizations need to set themselves up for success in incident response by taking the fundamental first step of putting more effective detection mechanisms in place to alert themselves of potential breaches first. In this day of sophisticated insider threats, detection has grown to be an extremely important facet of security and most security pundits will tell you there’s a major shift in priorities away from prevention-centered response to detection-centered response. That’s because organizations can’t prevent every employee incident, but they can get better at responding quickly when incidents do occur.


Simply detecting security events isn’t enough, though. Once organizations detect incidents, they must also be able to quickly understand how an incident is unfolding in order to properly respond to it. Without an automated tool that provides detailed reporting on how users are interacting with systems both in the past and present, this can be very difficult to do.

Unfortunately, many IT organizations today lack the tools to dig further into employee incident data. Some frequently don’t log emails, while some do but simply don’t have the tools to know what to look for and how to find that needle in a haystack. They don’t understand how insiders are interacting with each other, with the outside and, most importantly, with organizational data. And they don’t have the means to go back and view chat conversations or whom users sent emails to through corporate and webmail systems.

There are simply too many missing tools in the standard security measures of a normal IT department. Sure, they may have an exchange server somewhere that they can examine after the fact, but do they have a way to track whether someone logged into a Gmail account and started copying and sending files that way? It’s difficult to get the level of detail of who did what without systems that can track that.

Organizations should seek out systems and processes that can help them understand exactly what happened, to what extent, who was involved and even why the event happened. This will go a long way to inform and reduce the response efforts required.

Deter (New & Improved)

Detection and detail can not only help with immediate response efforts, but the information gained from these stages can also help IT understand how to deter future events of the same mold. This will create a positive feedback loop that makes it possible to better improve deterrence efforts.

In short, organizations today must do whatever is necessary to protect their data. As we have found out from breaches suffered by companies such as Target, HTC and Zynga, the biggest threat may very well come from the inside. If organizations employ the 3 D’s approach of deter, detect and detail, it is very likely that insider threats can be neutralized much more effectively. As the saying goes, an ounce of prevention is worth a pound of cure. When companies decide to stop spending pounds and start allocating ounces in terms of their approach to dealing with insider threats, we will surely start to see the amount of threats, attacks, and breaches drop.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.