It’s Awfully Noisy Out There: Results of the 2018 SANS Incident Response Survey
Written by Matt Bromiley
The past 12 months have been quite a time for those in the incident response (IR) field. We observed data breaches impacting millions of citizens from both financial and political standpoints. The current geopolitical landscape has unfortunately fostered an environment where hacking of any magnitude—including those actions that seek to undermine national elections—will suffer few, if any, tangible repercussions. Yet, we persevere and continue to defend our organizations.
External attacks were not the only hurdles that incident responders had to surmount during the past year. We saw the enforcement of privacy rules and regulations, such as the EU’s General Data Protection Regulation (GDPR), and increased PCI security requirements. Given these factors and more, for this survey we settled on a theme of drowning out the “noise” and seeking to focus on the sounds that matter.
Our key takeaways from this year’s survey include:
- Compared with 2017, IR teams are detecting, containing and remediating incidents much faster than before. For example, 10% of our respondents can detect within an hour of breach! This gives attackers less opportunity to cause damage and gives our teams more time to defend.
- We’re still seeing gaps in response capabilities, whether it’s missed incidents, shortage of staff or simple lack of visibility into incidents or data breaches. Some 32% of our respondents were unsure of how many incidents they had not responded to. We cannot stress this enough: Your IR team should be recording and reporting metrics to help hone its processes.
- Respondents indicated difficulties in confidently identifying affected data and threat actors from breaches, which may lead to ineffective remediation and eradication. For example, 26% of our participants indicated they had been breached by the same threat actor more than once, with similar tactics, techniques and procedures (TTPs). Without proper incident scoping, your remediation efforts may be for naught if the attacker can walk right back in.
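The metrics point above, as an added example that is not part of the survey or its author's material: a small Python script that computes time-to-detect, time-to-contain and time-to-remediate over a constructed incident log, flags incidents whose stage timestamps are missing (the visibility gap), and lists threat actors seen in more than one incident (the repeat-breach problem). The incident records, actor labels and the one-hour "fast detection" window are hypothetical choices for illustration, not survey data.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Stages an IR team should timestamp for every incident; a missing value
# means the incident was never fully scoped (a gap in visibility).
STAGES = ("compromised", "detected", "contained", "remediated")

# Constructed sample incident log (hypothetical; ISO 8601 timestamps).
INCIDENTS = [
    {"id": "INC-1", "actor": "actor-A", "compromised": "2018-03-01T08:00",
     "detected": "2018-03-01T08:40", "contained": "2018-03-01T12:00",
     "remediated": "2018-03-03T09:00"},
    {"id": "INC-2", "actor": "actor-B", "compromised": "2018-03-05T00:00",
     "detected": "2018-03-06T00:00", "contained": "2018-03-06T06:00",
     "remediated": "2018-03-10T00:00"},
    {"id": "INC-3", "actor": "actor-A", "compromised": "2018-04-01T10:00",
     "detected": "2018-04-02T10:00", "contained": "2018-04-02T14:00",
     "remediated": "2018-04-05T10:00"},
    {"id": "INC-4", "actor": "actor-C", "compromised": "2018-04-10T09:00",
     "detected": "2018-04-10T09:30", "contained": "2018-04-10T10:00",
     "remediated": "2018-04-11T09:00"},
    # Detected but never scoped: no compromise time, no containment, unknown actor.
    {"id": "INC-5", "actor": None, "compromised": None,
     "detected": "2018-05-01T12:00", "contained": None, "remediated": None},
    {"id": "INC-6", "actor": "actor-B", "compromised": "2018-05-20T00:00",
     "detected": "2018-05-25T00:00", "contained": "2018-05-25T12:00",
     "remediated": "2018-06-01T00:00"},
]


def _hours(start, end):
    """Elapsed hours between two ISO timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def stage_hours(incidents, start_key, end_key):
    """Durations for one stage transition, skipping incidents without both timestamps."""
    durations = (_hours(i.get(start_key), i.get(end_key)) for i in incidents)
    return [h for h in durations if h is not None]


def ir_metrics(incidents, fast_detect_hours=1.0):
    """Summarise detection, containment and remediation performance.

    Returns medians per stage, the share of incidents detected within
    `fast_detect_hours`, actors seen more than once (possible re-entry after
    incomplete eradication) and incidents missing any stage timestamp.
    """
    detect = stage_hours(incidents, "compromised", "detected")
    contain = stage_hours(incidents, "detected", "contained")
    remediate = stage_hours(incidents, "contained", "remediated")
    actor_counts = Counter(i["actor"] for i in incidents if i.get("actor"))
    return {
        "incidents": len(incidents),
        "median_hours_to_detect": median(detect) if detect else None,
        "share_detected_fast": (sum(h <= fast_detect_hours for h in detect) / len(detect)
                                if detect else None),
        "median_hours_to_contain": median(contain) if contain else None,
        "median_hours_to_remediate": median(remediate) if remediate else None,
        "repeat_actors": sorted(a for a, n in actor_counts.items() if n > 1),
        "unscoped_incidents": [i["id"] for i in incidents
                               if any(i.get(k) is None for k in STAGES)],
    }


if __name__ == "__main__":
    for name, value in ir_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

Run on the sample log, the report shows a 24-hour median time to detect, two of five scoped incidents detected inside the hour, two actors (`actor-A`, `actor-B`) responsible for more than one incident, and `INC-5` as an incident that was detected but never scoped. Tracking these figures month over month is the kind of reporting that lets a team see whether its process changes are actually shortening attacker dwell time.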
We’ll look at these and many more results from this year’s survey. Whether you’re managing your own IR team or looking to implement a new team at an existing organization, we hope you’ll find our takeaways impactful and actionable.