Please Vote: Fourth Annual SANS IR Survey Wants You!


This blog was written by Barbara Kay.

Past survey findings have helped us understand key trends such as the hurdles holding back success, the evolution of SOC maturity, the data being targeted, use of automation, and priority investments for improving results. This market is changing quickly, and surveys are an excellent way to benchmark your experience against your peers and identify opportunities. Whether you want to commiserate or collaborate, data makes the conversation more compelling.

Below are two of my favorite charts from last year’s survey, with my prognostications for this year’s survey. I’ll review my predictions after the 2017 survey is published and grade myself!

What’s causing the breaches?

  • Malware will continue to dominate given malware’s contribution to so many phases of so many forms of attack, and the ubiquity of toolkits and tool sharing as well as ransomware.
  • Access-oriented attacks (unauthorized, insider breach, privilege escalation, and data breach) should remain a top concern, and cloud services and shadow IT should continue to make these attacks both likely and challenging. Silver bullets like UBA won’t change this dynamic much.
  • Network-based attacks will continue to decline as the formal perimeter focuses on the data center rather than the entire enterprise estate.
  • I’m curious if insider breach will show an uptick rather than continued decline, as it has been trending higher in industry conversations recently.

How well are we automating our remediation?

  • Last year’s data still showed a degree of manual remediation that I found disappointing, despite the availability of simple automation for basic remediation processes through assorted tools. But this year I think (and other surveys validate) that the industry has turned the corner and is actively pursuing “safe” automation. I certainly expect to see greater adoption of automation as we attempt to survive the expanding range and volume of incidents.
  • Automated quarantine (the top response) or taking offline are totally in scope for automation today. I’d like to see a big jump in the use of automation there. Identifying similar systems, removing malicious artifacts without rebuilding the machine, and updating policies and rules are also easily done now. Here’s hoping we see all of these make a big shift to automation.

Thanks for your help capturing the evidence of change in incident response.
