Share your perspective and help benchmark the industry. [And SANS will enter you to win a $400 Amazon gift card!] This is the 4th year that McAfee has co-sponsored the SANS Incident Response survey. We would appreciate your help capturing this year’s insights by completing this survey: https://www.surveymonkey.com/r/2017SANSIRSurvey
Past survey findings have helped us understand key trends such as the hurdles holding back success, the evolution of SOC maturity, the data being targeted, use of automation, and priority investments for improving results. This market is changing quickly, and surveys are an excellent way to benchmark your experience against your peers and identify opportunities. Whether you want to commiserate or collaborate, data makes the conversation more compelling.
Below are two of my favorite charts from last year’s survey, with my prognostications for this year’s survey. I’ll review my predictions after the 2017 survey is published and grade myself!
What’s causing the breaches?
- Malware will continue to dominate given malware’s contribution to so many phases of so many forms of attack, and the ubiquity of toolkits and tool sharing as well as ransomware.
- Access—oriented attacks (unauthorized, insider breach, privilege escalation, and data breach) should remain a top concern, and cloud services and shadow IT should continue to make these attacks both likely and challenging. Silver bullets like UBA won’t change this dynamic much.
- Network-based attacks will continue to decline as the formal perimeter focuses on the data center rather than the entire enterprise estate.
- I’m curious if insider breach will show an uptick rather than continued decline, as it has been trending higher in industry conversations recently.
How well are we automating our remediation?
- Last year’s data showed a (to me) disappointing degree of manual remediation still, despite the availability of simple automation for basic remediation processes through assorted tools. But this year I think (and other surveys validate) that the industry has turned the corner and is actively pursuing “safe” automation. I certainly expect to see greater adoption of automation as we attempt to survive the expanding range and volume of incidents.
- Automated quarantine (the top response) or taking offline are totally in scope for automation today. I’d like to see a big jump in the use of automation there. Identifying similar systems, removing malicious artifacts without rebuilding the machine, and updating policies and rules are also easily done now. Here’s hoping we see all of these make a big shift to automation.
These two data sets are from 2016. As reference, here are all of the previous surveys:
Thanks for your help capturing the evidence of change in incident response.