What is an incident
In the context of information security, an incident is any unforeseen or undesirable event that could disrupt normal activity or information security.
An event is the identified external signs of a particular state of a system, service, or network.
Within the framework of the Kaspersky MDR solution, the main criterion for deciding whether the observed activity is an incident is whether efficient measures can be taken to counter or prevent it, or to reduce the possible damage resulting from it. See the table below for examples of possible incident criteria and response measures depending on the event source.
Examples of incident detection criteria and response measures

| Event source | Possible incident criteria | Possible incident responses |
|---|---|---|
| Endpoint device | | |
| Endpoint device + network | Security event from a supported network detection technology that has been confirmed on the endpoint device | |
Incident detection scenarios
Scenario 1. Incident detection by the Kaspersky MDR solution
In this scenario, an information security incident is detected as a result of Kaspersky MDR operation. The incident is logged automatically in the incident tracking system. The default incident priority level can be changed later, but the reason for the change must be specified according to the incident priority level table (see below). Kaspersky MDR processes the logged incidents to promptly obtain information about the status of the customer's IT infrastructure.
If root causes of the incident are identified as a result of the analysis, then response recommendations are provided to the customer. If there is not enough information to identify the root cause of the incident, all the available information and the results of analysis are provided to the customer for independent research.
Scenario 2. Incident detection by the customer (creating custom incidents is not available in some of the commercial license tiers)
In this scenario, an information security incident is detected by the customer, independently from the Kaspersky MDR operation. If the incident needs to be processed by Kaspersky MDR, the customer may log the incident manually and provide all the available information about the detected incident by using the Kaspersky MDR features. By default, the incident priority level is set to Low, unless specified otherwise by the customer while logging the incident.
Further processing of the incident is similar to Scenario 1.
Incident priority levels
Incident priority levels and their descriptions

| Incident priority level | Description |
|---|---|
| High | Incidents that, in the expert opinion of AO Kaspersky Lab, may result in major disruptions or unauthorized access to the customer's assets monitored by Kaspersky MDR. For example, identified traces of a targeted attack or of an unknown threat, requiring further investigation using digital forensic methods. |
| Medium | Incidents that, in the expert opinion of AO Kaspersky Lab, may affect the efficiency or performance of the customer's assets monitored by Kaspersky MDR, or may result in a one-time data corruption. |
| Low | Incidents that, in the expert opinion of AO Kaspersky Lab, do not significantly affect the efficiency or performance of the customer's assets monitored by Kaspersky MDR. For example, identified potentially unwanted software such as adware or riskware. |
The default incident priority level is Low.
Performance targets of the solution delivery
Target reaction time and target value of Kaspersky MDR delivery depending on the incident priority

| Incident priority level | Reaction time* | Target value** |
|---|---|---|
| High | 1 hour | 90% |
| Medium | 4 hours | 90% |
| Low | 24 hours | 90% |
The incident is considered resolved once response recommendations have been provided to the customer.
*Reaction time is the time between incident detection (creation time) and publishing it to MDR Web Console (update time).
**Target value is the percentage of incidents where the reaction time meets the objective specified in the table.
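The two footnotes define a measurable check: reaction time is update time minus creation time, and the target value is the share of incidents whose reaction time is within the objective for their priority. The following is an added example, not code from Kaspersky or from the MDR Web Console; the incident records are constructed sample data in a hypothetical (priority, creation time, update time) format, not the console's export format.

```python
from datetime import datetime, timedelta

# Objectives from the table above: reaction time per priority, and the 90% target value.
REACTION_OBJECTIVE = {
    "High": timedelta(hours=1),
    "Medium": timedelta(hours=4),
    "Low": timedelta(hours=24),
}
TARGET_VALUE = 0.90

# Constructed sample records (hypothetical format): priority, creation time, update time.
SAMPLE_INCIDENTS = [
    ("High", "2024-01-10T08:00:00", "2024-01-10T08:40:00"),    # 40 min, within 1 hour
    ("High", "2024-01-10T09:00:00", "2024-01-10T10:30:00"),    # 1.5 h, misses the 1-hour objective
    ("Medium", "2024-01-10T11:00:00", "2024-01-10T13:00:00"),  # 2 h, within 4 hours
    ("Low", "2024-01-11T00:00:00", "2024-01-11T20:00:00"),     # 20 h, within 24 hours
    ("Low", "2024-01-11T01:00:00", "2024-01-12T03:00:00"),     # 26 h, misses the 24-hour objective
]


def reaction_time(created, updated):
    """Reaction time as defined on the page: update time minus creation time."""
    t0 = datetime.fromisoformat(created)
    t1 = datetime.fromisoformat(updated)
    if t1 < t0:
        raise ValueError("update time precedes creation time")
    return t1 - t0


def achieved_values(incidents):
    """Per priority level, the fraction of incidents whose reaction time meets the objective."""
    met, total = {}, {}
    for priority, created, updated in incidents:
        if priority not in REACTION_OBJECTIVE:
            raise ValueError(f"unknown priority level: {priority}")
        total[priority] = total.get(priority, 0) + 1
        if reaction_time(created, updated) <= REACTION_OBJECTIVE[priority]:
            met[priority] = met.get(priority, 0) + 1
    return {p: met.get(p, 0) / n for p, n in total.items()}


def target_report(incidents):
    """Map priority level -> (achieved fraction, whether the 90% target value is met)."""
    return {p: (v, v >= TARGET_VALUE) for p, v in achieved_values(incidents).items()}


if __name__ == "__main__":
    for priority, (value, ok) in target_report(SAMPLE_INCIDENTS).items():
        print(f"{priority}: {value:.0%} within objective, target {'met' if ok else 'missed'}")
```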