Despite the toxicity that certain meetings carry, I’ve decided to try to make the most of them. In a meeting I attended the other day, the question arose:
– What is an Incident?
So how does one define a security incident? The easy way out is “an incident is when I say it is”. Would you readily classify every policy violation as an incident? Do automated SSH scans count as incidents? Or do we only care about the interesting ones?
How do you define an incident?