IR Teams Are Ramping Up Remediation: Results of a SANS Survey

Bethesda, Md. – A new SANS survey being released in a two-part webcast on October 31 and November 1 finds that incident response (IR) teams have reduced the time it takes to stanch serious data breaches in 2018. But IR teams haven't managed to improve on a major hurdle that they reported in last year's edition of the survey: visibility into incidents. According to SANS author Matt Bromiley, poor visibility wasn't the only obstacle that incident responders had to surmount during the past year. "We saw the enforcement of privacy rules and regulations, such as General Data Protection Regulation (GDPR), and increased PCI security requirements," he says. That's why the 2018 SANS Incident Response Survey focuses on the theme of "drowning out the 'noise' and seeking to focus on the sounds that matter," Bromiley explains.

This year's survey found gaps in response capabilities, including missed incidents and lack of visibility into incidents or data breaches. In fact, 32% of respondents were unsure of how many incidents they didn't respond to. Further, 44% were attacked by the same threat actor more than once. "If your attacker is making money off of your environment or didn't get what they came for, they will be back," Bromiley warns. "IR teams must make sure they are containing and remediating fully."

Other woes from 2017 persist as well, including shortage of staff and a want for more training and tools. More than half of survey respondents (52%) identified a shortage of staffing and skills as a key hurdle. Just behind that was a lack of budget for tools and technology (48%) followed by poorly defined processes and owners (44%).

There's still work to do, to be sure, but there's good news as well. As Bromiley says, "Despite these hurdles, some orgs are still showing great signs of improvement in their responsiveness." Full survey results, along with actionable takeaways for organizations managing their own IR teams or looking to implement a new team, will be shared during a two-part webcast sponsored by Coalfire Systems, Fidelis Cybersecurity, ForeScout Technologies, 1E, Open Text Inc., ThreatQuotient and hosted by SANS.

Register to attend the October 31 webcast at 1 p.m. EDT at to learn about staffing, resources and automation and the November 1 webcast at 1 p.m. EDT at to explore benchmarking, analytics and threat hunting. Those who register will also receive access to the published results paper developed by Matt Bromiley.

Tweet This:

SANS Incident Response Survey | IR teams are now catching attackers within hours | Oct. 31 |

SANS Incident Response Survey | IR teams continue to be stymied by poor visibility | Nov. 1 |

Incident response (IR) teams are catching attackers faster—yet proper visibility remains elusive | Part 1, 10/31, | Part 2, 11/1,

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (