Gartner Blog Network

On SANS Forensics Survey

by Anton Chuvakin  |  July 24, 2013  |  Comments Off on On SANS Forensics Survey

SANS just released an interesting survey “The SANS Survey of Digital Forensics and Incident Response” [PDF] and it is definitely a very worthwhile read.

A few of my favorite highlights follow below:

  • “We [SANS] use “forensics” in the sense of searching computer networks and systems for evidence of breach, data loss or other activities.” (to me, it indicates that looser, non-legal definition for “forensics” has entered the mainstream; SANS further defines “IR” by adding containment and eradication activities to the investigative ones above)
  • Furthermore, “many respondents do not expect to have the results of these investigations challenged in external reviews such as legal or regulatory hearings”
  • “majority of respondents said they conducted 1-25 investigations in the last two years” (this indicates that such investigative activities are the norm, not the anomaly some people make it sound to be)
  • “57% of respondents reporting that they conduct investigations to “find and investigate incidents as they are occurring.”” (this shows significant focus on detect->respond faster, which is good news, for sure!)
  • “more than half of respondents reported that they use forensic investigations to collect intelligence for ongoing and future incidents” (another great news, show that this approach is nearing wider adoption)
  • Only 29% of the respondents indicated that they have detailed policies and are ready to respond to an incident. ” (and now for some bad news – it looks like many processes are invented during the incident investigation…)
  • “only 15% of respondents indicated that they investigate server infrastructure in the cloud” (not sure what to make of this – the number seems awfully high…)
  • Log collection dominates the ranking of processes and tools used for investigations” (well, it is obvious, but I just had to highlight this one)
  • “Legal processes (40%), live response (36%) and monitoring for events (30%) are also identified as difficult activities in IaaS-based cloud environments.” ( … and NOTHING was readily identified as easy in cloud IR :-))
  • “majority of respondents (55%) reported that most of their investigations are small, costing less than $50,000.”
  • “Educating management now on the factors that affect the cost of forensic investigations will save pain later.” (… and KNOW that the investigations will happen – so deploy the monitoring and other visibility tools to make IR/forensics cheaper/faster/better – yes, all 3!)


Posts related to the same research project:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: incident-response  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.