Information Security Event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
Information Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
-- ISO 27001 Standard
It was the Sunday of a long weekend and you were enjoying a short break from work, feeling good that you would have the next day off as well. All of a sudden, a high-priority email arrived on your iPhone. Your IT Director had forwarded you and your team a complaint from another company: they had received inappropriate email sourced from your public IP address. The IT Director wanted you to look into it and get back to him.
No more time off. You VPN'ed into the corporate network, made a few phone calls and pulled in resources from different departments. Your network engineer confirmed that the public IP was the NAT address for half of the company's outbound traffic, BUT not for the email gateway! "Great," you thought, "we allow port 25 outbound from internal hosts? Did we turn on logging for outbound port 25?" Bingo. Your firewall engineer told you it was logged. What else? You had the destination IP from the complaint, so you asked your WAN engineer to run a NetFlow report against it.
Fortunately you had all the information you needed to pinpoint the infected workstation. You had to beg the unlucky field engineer to clean up the workstation by himself over the long weekend. Wait a minute. You wondered whether you had enough logging to determine how the workstation had been infected in the first place; your brain was already spinning on the postmortem report. Now you know that what looks like enough logging may not be enough.
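To make the hunt in the story concrete, here is an added example (not from the original post) of the two correlation steps: pull permitted outbound TCP/25 connections from the firewall log whose source is an internal host other than the mail gateway, then intersect those sources with the NetFlow records that reached the destination named in the complaint. The key=value log format, the CSV flow columns, the 10.20.30.0/24 range, the gateway address 10.20.30.7 and every address in the sample data are constructed for this example; a real firewall export and flow collector will use different field names.

```python
"""Hunt for an internal host sending SMTP directly to the Internet.

Added example, not part of the original post. The log formats are
constructed for illustration (a key=value firewall log and a CSV flow
export); field names and addresses are assumptions, not a vendor format.
"""
import csv
import io
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.20.30.0/24")]   # assumed site range
MAIL_GATEWAYS = {"10.20.30.7"}                            # assumed gateway
COMPLAINT_DST = "198.51.100.20"   # destination taken from the complaint (constructed)

# Constructed firewall log in a key=value style (not a real vendor format).
FIREWALL_LOG = """\
2014-05-25T10:02:11Z fw01 action=allow proto=tcp src=10.20.30.44 spt=51022 dst=198.51.100.20 dpt=25
2014-05-25T10:02:13Z fw01 action=allow proto=tcp src=10.20.30.7 spt=53001 dst=198.51.100.20 dpt=25
2014-05-25T10:02:20Z fw01 action=allow proto=tcp src=10.20.30.44 spt=51030 dst=203.0.113.8 dpt=443
2014-05-25T10:03:02Z fw01 action=allow proto=tcp src=10.20.30.44 spt=51041 dst=192.0.2.77 dpt=25
2014-05-25T10:03:05Z fw01 action=allow proto=udp src=10.20.30.60 spt=50000 dst=192.0.2.77 dpt=25
2014-05-25T10:03:09Z fw01 action=allow proto=tcp src=203.0.113.50 spt=40001 dst=10.20.30.7 dpt=25
"""

# Constructed NetFlow-style export (CSV), again illustrative only.
NETFLOW_CSV = """\
src,dst,proto,dport,packets,bytes
10.20.30.44,198.51.100.20,tcp,25,412,61800
10.20.30.7,198.51.100.20,tcp,25,35,9100
10.20.30.44,192.0.2.77,tcp,25,380,57000
10.20.30.12,198.51.100.20,tcp,443,20,4400
"""


def parse_firewall_log(text):
    """Turn key=value lines into dicts; skip lines missing the fields we need."""
    records = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if {"src", "dst", "dpt", "proto", "action"} <= fields.keys():
            records.append(fields)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rogue_smtp_sources(records):
    """Internal hosts permitted to open TCP/25 outbound that are not a mail gateway.

    Returns a Counter of source IP -> number of permitted SMTP connections.
    SMTP is TCP only, so a UDP hit on port 25 is noise, not mail.
    """
    hits = Counter()
    for r in records:
        if r["action"] != "allow" or r["proto"] != "tcp" or r["dpt"] != "25":
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue                     # inbound or lateral, not outbound mail
        if r["src"] in MAIL_GATEWAYS:
            continue                     # the gateway is supposed to do this
        hits[r["src"]] += 1
    return hits


def flows_to(csv_text, dst, dport="25"):
    """Sources in the flow export that talked TCP to dst on dport, with byte totals."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dst"] == dst and row["dport"] == dport and row["proto"] == "tcp":
            totals[row["src"]] += int(row["bytes"])
    return totals


def pinpoint(fw_text, flow_text, complaint_dst):
    """Intersect the two evidence sources: rogue SMTP senders that also
    show up in NetFlow talking to the complainant's IP, minus the gateway."""
    rogue = rogue_smtp_sources(parse_firewall_log(fw_text))
    talked = flows_to(flow_text, complaint_dst)
    suspects = (set(rogue) & set(talked)) - MAIL_GATEWAYS
    return sorted(suspects)


if __name__ == "__main__":
    print("rogue SMTP sources:", dict(rogue_smtp_sources(parse_firewall_log(FIREWALL_LOG))))
    print("hosts that reached complainant:", dict(flows_to(NETFLOW_CSV, COMPLAINT_DST)))
    print("suspects:", pinpoint(FIREWALL_LOG, NETFLOW_CSV, COMPLAINT_DST))
```

The sample deliberately includes a UDP hit on port 25 and an inbound connection to the gateway, to show why the filter checks protocol and direction rather than just the port number. Run on the constructed data it names 10.20.30.44 as the only suspect. As the story points out, this tells you which host sent the mail, not how it was infected; answering that needs proxy, DNS or endpoint logs covering the hours before the first SMTP connection, which is exactly the gap the postmortem has to confront.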
Does the story sound familiar? Have you experienced something similar at work? How does your organization handle incidents? Have you ever had to deal with law enforcement?
And One More Thing: the bad guys know when the next major holiday is, and that only the junior InfoSec personnel will be in the office.