SANS just released an interesting survey “The SANS Survey of Digital Forensics and Incident Response” [PDF] and it is definitely a very worthwhile read.
A few of my favorite highlights follow below:
- “We [SANS] use “forensics” in the sense of searching computer networks and systems for evidence of breach, data loss or other activities.” (to me, it indicates that a looser, non-legal definition of “forensics” has entered the mainstream; SANS further defines “IR” by adding containment and eradication activities to the investigative ones above)
- Furthermore, “many respondents do not expect to have the results of these investigations challenged in external reviews such as legal or regulatory hearings”
- “majority of respondents said they conducted 1-25 investigations in the last two years” (this indicates that such investigative activities are the norm, not the anomaly some people make it sound to be)
- “57% of respondents reporting that they conduct investigations to “find and investigate incidents as they are occurring.”” (this shows significant focus on detect->respond faster, which is good news, for sure!)
- “more than half of respondents reported that they use forensic investigations to collect intelligence for ongoing and future incidents” (more great news, showing that this approach is nearing wider adoption)
- “Only 29% of the respondents indicated that they have detailed policies and are ready to respond to an incident.” (and now for some bad news – it looks like many processes are invented during the incident investigation…)
- “only 15% of respondents indicated that they investigate server infrastructure in the cloud” (not sure what to make of this – the number seems awfully high…)
- “Log collection dominates the ranking of processes and tools used for investigations” (well, it is obvious, but I just had to highlight this one)
- “Legal processes (40%), live response (36%) and monitoring for events (30%) are also identified as difficult activities in IaaS-based cloud environments.” (… and NOTHING was readily identified as easy in cloud IR :-))
- “majority of respondents (55%) reported that most of their investigations are small, costing less than $50,000.”
- “Educating management now on the factors that affect the cost of forensic investigations will save pain later.” (… and KNOW that the investigations will happen – so deploy the monitoring and other visibility tools to make IR/forensics cheaper/faster/better – yes, all 3!)
Posts related to the same research project:
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response