The company I work for has launched a new product that ingests events and alerts from other tools in an organization's security stack and allows that organization to automate real-time security tips, via Slack or Teams, to the user whose risky action caused the event or alert. You have a way of describing things that fits in my brain :). I now understand the difference between an event and an alert. Thank you so much for your videos. Now I need you to do a video on detection rules, to bring it all together for me :).
Thanks for your comment, David! SANS has more steps than NIST, and they basically say the same thing. I wanted to elaborate on the cycle with more steps to provide additional explanation. They both have different value depending on the organization. NIST is for government use, and there could be a full containment, eradication, and recovery team. Another organization may have to outsource its recovery, so that fits better as its own step altogether.
SANS has 6 stages, NIST has 4 stages, and they are both the same. Why not just make one the standard in the overall cyber security industry? Everyone should go by NIST (government). It's not really necessary to try to understand one thing in two different ways, you know. Why not just call stage 2 "identification" instead of calling it "detection and analysis"? Are we more worried about the impact of the incident or about differentiating terminologies when it's all the same thing?
Thanks for the input! I agree that it's silly that they essentially say the same thing, yet they are both treated as different standards. In fact, there's even ISO and ISACA to add to the list. It would have been easier to choose one, but I just wanted viewers to know the difference, as this may come up on a certification exam or be asked in an interview. I tried to keep the focus on the content of the steps rather than the fact that they are arranged differently. As for which standard we should use, it really comes down to what an organization chooses. You may have a specific team to contain the incident and another whose primary function is to recover from it, so SANS might fit better in the IR plan layout when identifying who is in charge of what.
Thanks for your comment, Munish. I will try to slow down for the next video. In the meantime, you can slow the video down to 0.75x speed in the video settings. Hope this helps!