Incident Response: What's Working and How to Be More Proactive - SANS Survey Results Released

Bethesda, Md. – Incident responders are looking for more automated processes and services to gain better visibility and to conduct faster, more accurate response and remediation, according to the 507 qualified respondents to the 2015 SANS Incident Response Survey, whose results will be released by the SANS Institute in a series of webcasts on August 18 and August 20, 2015.

"Incentivized by the devastating data breaches suffered by U.S. companies recently, organizations are moving quickly to grow their incident response (IR) capabilities to facilitate rapid detection of attackers in their networks," says SANS analyst and incident response expert Alissa Torres.

As a result of their efforts, respondents showed slight improvements in time to remediation from 2014. Thirty-six percent of respondents reported needing 24 hours or less to remediate a breach, compared to 30% with the same swift reaction in 2014.

Respondents attribute improvements to more automated tools, although they still want more automation and integration. This indicates that incident response tools and processes are beginning to mature. Another sign of that maturation: This year's survey showed a number of new specialized job titles to support the IR function, including intelligence analyst, CERT team leader, incident/problem manager, IT security architect or engagement manager.

Responders still have a long way to go: They are short on the skills and technologies, and they need more automation and integration across systems that are no longer behind the network firewall, such as apps hosted in the cloud or on personal mobile devices.

"Despite these improvements, they face broader and more diverse attacks, including distributed denial of service, data destruction and targeted data theft," continues Torres.

Organizations can make additional improvements in their IR capabilities by implementing proactive responses, further driving the need for more automated, integrated processes to follow through on indicators of compromise (IoCs) and fully remediate systems. In the survey, four of the top 10 impediments to IR relate to automation: 45% reported lack of visibility into systems; 37% cited inability to distinguish incidents from normal behaviors; 29% reported too much time needed for remediation; and 28% reported lack of integrated, automated tools.

Full results will be shared during a two-part webcast. Part 1, Tuesday, August 18, 2015, at 1 PM EDT, will focus on the current state of IR and how the landscape has changed since 2014. Part 2, Thursday, August 20, 2015, at 1 PM EDT, will focus on how incident responders can be more proactive in their policies and practices. The series is sponsored by AlienVault, Arbor Network, Bit9 + Carbon Black, HP, Intel/McAfee Security, and Rapid7, and hosted by SANS.

Register to attend the Part 1 webcast at and the Part 2 webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS analyst and incident response expert, Alissa Torres.

Tweet This

2015 Incident Response Survey Results in 2 Webcasts: Part 1 8/18:; Part 2 8/20: #IR

HOT TOPIC WEBCASTS - Incident Response Survey Results: Part 1 8/18:; Part 2 8/20: #IR #infosec

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master's degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.