Blog post

On SANS Forensics Survey

By Anton Chuvakin | July 24, 2013 | 0 Comments

securityincident response

SANS just released an interesting survey “The SANS Survey of Digital Forensics and Incident Response” [PDF] and it is definitely a very worthwhile read.

A few of my favorite highlights follow below:

  • “We [SANS] use “forensics” in the sense of searching computer networks and systems for evidence of breach, data loss or other activities.” (to me, it indicates that looser, non-legal definition for “forensics” has entered the mainstream; SANS further defines “IR” by adding containment and eradication activities to the investigative ones above)
  • Furthermore, “many respondents do not expect to have the results of these investigations challenged in external reviews such as legal or regulatory hearings”
  • “majority of respondents said they conducted 1-25 investigations in the last two years” (this indicates that such investigative activities are the norm, not the anomaly some people make it sound to be)
  • “57% of respondents reporting that they conduct investigations to “find and investigate incidents as they are occurring.”” (this shows significant focus on detect->respond faster, which is good news, for sure!)
  • “more than half of respondents reported that they use forensic investigations to collect intelligence for ongoing and future incidents” (another great news, show that this approach is nearing wider adoption)
  • Only 29% of the respondents indicated that they have detailed policies and are ready to respond to an incident. ” (and now for some bad news – it looks like many processes are invented during the incident investigation…)
  • “only 15% of respondents indicated that they investigate server infrastructure in the cloud” (not sure what to make of this – the number seems awfully high…)
  • Log collection dominates the ranking of processes and tools used for investigations” (well, it is obvious, but I just had to highlight this one)
  • “Legal processes (40%), live response (36%) and monitoring for events (30%) are also identified as difficult activities in IaaS-based cloud environments.” ( … and NOTHING was readily identified as easy in cloud IR :-))
  • “majority of respondents (55%) reported that most of their investigations are small, costing less than $50,000.”
  • “Educating management now on the factors that affect the cost of forensic investigations will save pain later.” (… and KNOW that the investigations will happen – so deploy the monitoring and other visibility tools to make IR/forensics cheaper/faster/better – yes, all 3!)


Posts related to the same research project:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed