Authors: Jason Pappalexis

Publish Date: April 8, 2014

The computing environment in which enterprise information is created, consumed, shared, and stored continues to evolve at a rapid rate, and the need to protect enterprise information has never been greater. Although the incident response (IR) process for malware is well understood, breach investigations can be unpredictable and time consuming. Frequently, organizations realize that a damaging breach has occurred only after information has been lost. The first in a series on incident response, this analyst brief discusses current IR processes as well as the differences between the indicators of compromise (IOC) for malware and for breach.