Please Vote: Fourth Annual SANS IR Survey Wants You!

This blog was written by Barbara Kay.

Past survey findings have helped us understand key trends such as the hurdles holding back success, the evolution of SOC maturity, the data being targeted, use of automation, and priority investments for improving results. This market is changing quickly, and surveys are an excellent way to benchmark your experience against your peers and identify opportunities. Whether you want to commiserate or collaborate, data makes the conversation more compelling.

Below are two of my favorite charts from last year’s survey, with my prognostications for this year’s survey. I’ll review my predictions after the 2017 survey is published and grade myself!

What’s causing the breaches?

  • Malware will continue to dominate given malware’s contribution to so many phases of so many forms of attack, and the ubiquity of toolkits and tool sharing as well as ransomware.
  • Access-oriented attacks (unauthorized access, insider breach, privilege escalation, and data breach) should remain a top concern, and cloud services and shadow IT should continue to make these attacks both likely and challenging to handle. Silver bullets like UBA (user behavior analytics) won’t change this dynamic much.
  • Network-based attacks will continue to decline as the formal perimeter focuses on the data center rather than the entire enterprise estate.
  • I’m curious whether insider breach will show an uptick rather than a continued decline, as it has been trending higher in industry conversations recently.

How well are we automating our remediation?

  • Last year’s data still showed a degree of manual remediation that I found disappointing, despite the availability of simple automation for basic remediation processes through assorted tools. This year I think (and other surveys validate) that the industry has turned the corner and is actively pursuing “safe” automation. I certainly expect to see greater adoption of automation as we attempt to survive the expanding range and volume of incidents.
  • Automated quarantine (the top response last year) and taking systems offline are well within the scope of automation today, and I’d like to see a big jump in the use of automation there. Identifying similar systems, removing malicious artifacts without rebuilding the machine, and updating policies and rules are also easily automated now. Here’s hoping we see all of these make a big shift to automation.

Thanks for your help capturing the evidence of change in incident response.
