Blog post

On SANS Forensics Survey

By Anton Chuvakin | July 24, 2013 | 0 Comments

securityincident response

SANS just released an interesting survey “The SANS Survey of Digital Forensics and Incident Response” [PDF] and it is definitely a very worthwhile read.

A few of my favorite highlights follow below:

  • “We [SANS] use “forensics” in the sense of searching computer networks and systems for evidence of breach, data loss or other activities.” (to me, it indicates that looser, non-legal definition for “forensics” has entered the mainstream; SANS further defines “IR” by adding containment and eradication activities to the investigative ones above)
  • Furthermore, “many respondents do not expect to have the results of these investigations challenged in external reviews such as legal or regulatory hearings”
  • “majority of respondents said they conducted 1-25 investigations in the last two years” (this indicates that such investigative activities are the norm, not the anomaly some people make it sound to be)
  • “57% of respondents reporting that they conduct investigations to “find and investigate incidents as they are occurring.”” (this shows significant focus on detect->respond faster, which is good news, for sure!)
  • “more than half of respondents reported that they use forensic investigations to collect intelligence for ongoing and future incidents” (another great news, show that this approach is nearing wider adoption)
  • Only 29% of the respondents indicated that they have detailed policies and are ready to respond to an incident. ” (and now for some bad news – it looks like many processes are invented during the incident investigation…)
  • “only 15% of respondents indicated that they investigate server infrastructure in the cloud” (not sure what to make of this – the number seems awfully high…)
  • Log collection dominates the ranking of processes and tools used for investigations” (well, it is obvious, but I just had to highlight this one)
  • “Legal processes (40%), live response (36%) and monitoring for events (30%) are also identified as difficult activities in IaaS-based cloud environments.” ( … and NOTHING was readily identified as easy in cloud IR :-))
  • “majority of respondents (55%) reported that most of their investigations are small, costing less than $50,000.”
  • “Educating management now on the factors that affect the cost of forensic investigations will save pain later.” (… and KNOW that the investigations will happen – so deploy the monitoring and other visibility tools to make IR/forensics cheaper/faster/better – yes, all 3!)


Posts related to the same research project:

Comments are closed