On SANS Forensics Survey

SANS just released an interesting survey “The SANS Survey of Digital Forensics and Incident Response” [PDF] and it is definitely a very worthwhile read.

A few of my favorite highlights follow below:

• “We [SANS] use “forensics” in the sense of searching computer networks and systems for evidence of breach, data loss or other activities.” (to me, it indicates that looser, non-legal definition for “forensics” has entered the mainstream; SANS further defines “IR” by adding containment and eradication activities to the investigative ones above)
• Furthermore, “many respondents do not expect to have the results of these investigations challenged in external reviews such as legal or regulatory hearings”
• “majority of respondents said they conducted 1-25 investigations in the last two years” (this indicates that such investigative activities are the norm, not the anomaly some people make it sound to be)
• “57% of respondents reporting that they conduct investigations to “find and investigate incidents as they are occurring.”” (this shows significant focus on detect->respond faster, which is good news, for sure!)
• “more than half of respondents reported that they use forensic investigations to collect intelligence for ongoing and future incidents” (another great news, show that this approach is nearing wider adoption)
• “Only 29% of the respondents indicated that they have detailed policies and are ready to respond to an incident. ” (and now for some bad news – it looks like many processes are invented during the incident investigation…)
• “only 15% of respondents indicated that they investigate server infrastructure in the cloud” (not sure what to make of this – the number seems awfully high…)
• “Log collection dominates the ranking of processes and tools used for investigations” (well, it is obvious, but I just had to highlight this one)
• “Legal processes (40%), live response (36%) and monitoring for events (30%) are also identified as difficult activities in IaaS-based cloud environments.” ( … and NOTHING was readily identified as easy in cloud IR :-))
• “majority of respondents (55%) reported that most of their investigations are small, costing less than $50,000.”
• “Educating management now on the factors that affect the cost of forensic investigations will save pain later.” (… and KNOW that the investigations will happen – so deploy the monitoring and other visibility tools to make IR/forensics cheaper/faster/better – yes, all 3!)

Enjoy!

Posts related to the same research project:

• Incident Plan vs Incident Planning?
• On Importance of Incident Response
• Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
• Time-tested Incident Response Wisdom?
• Incident Response: The Death of a Straight Line
• Alert-driven vs Exploration-driven Security Analysis
• My Next Research Area: Incident Response
• All posts tagged security incident response