Race to Detection: SANS Institute Releases Results of New Survey of Rapidly Changing Incident Response Practices

IR experts say endpoint visibility, interoperability with other products and ease of use critical to future successful IR practice

Bethesda, Md. – Attackers are getting smarter, yet a majority of Incident Response (IR) professionals believe current IR processes, tools and technologies are insufficient, according to results of a new survey to be released by SANS Institute on Wednesday, August 12, 2015. Eighty-four percent of the incident response personnel surveyed said more IR technologies and services, both in-house and outsourced, will be needed in the future.

SANS interviewed and surveyed professional incident responders at leading incident response firms over a 30-day period in May 2015. Key findings highlight the rapid evolution of the incident response field, the shifting dynamics of this "tempered by fire" professional community, and the evolving IR processes, technologies and service trends required to detect and remediate critical incidents that can incur significant financial, reputational and legal costs.

Key findings include:

  • Open APIs, the ability to integrate with other vendors, the ability to host remediation, and being lightweight are the paramount technology features influencing leading IR firms' and practitioners' future technology purchasing decisions.
  • The biggest gaps in current IR technologies are a lack of compatibility with other products, too many false positive alerts, and a lack of baseline creation functionality.
  • The greatest challenges faced by IR firms in a typical IR engagement are lack of knowledge of the client network environment and of the customer's system endpoint inventory/asset management.
  • The most common triggers for IR service requests are condition-triggered alerts from security information and event management technology, followed by third-party notification and anomalous network traffic, with antivirus scans reported to be one of the least effective detection triggers for advanced attacks.
  • Interviewees were not convinced that one-size-fits-all integrated security software systems are the right choice for every environment. Some prefer to pick best-of-breed tools in each category instead of choosing a multipurpose tool that provides many IR functions but may not be able to provide the level of visibility required for proper intrusion analysis.

"Embattled incident response teams face a rapidly evolving threat landscape," said SANS analyst and incident response expert Alissa Torres. "Highly sought-after IR firms are offering more proactive services to address breach concerns, not simply traditional post-intrusion forensic services. That's demonstrated by survey respondents saying that trending services include security architecture assistance consulting, security operations center assistance, penetration testing, pre-breach training and preparation, and pre-breach testing."

Full results of the combination of interviews and survey responses will be shared during a Wednesday, August 12, 2015, webcast at 1 PM EDT, sponsored by Bit9 + Carbon Black and hosted by SANS. Register to attend the webcast at www.sans.org/u/7cE

Those who register for the webcast will also receive access to the associated paper developed by SANS analyst and incident response expert Alissa Torres.

Tweet this:

Too few staff, lack of interoperable tools, lack of ease of use hinder IR. More @SANSInstitute IR practice survey webcast Aug 12, www.sans.org/u/7d8

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master's degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)