SANS 2019 Incident Response Survey Report
Information security rarely has a dull day. The past year delivered significant data breaches, impacting industries ranging from hospitality to legal to social media. We’ve seen a continuation of financially motivated threats, such as business email compromise (BEC), which continue to pillage and drain corporate bank accounts. Ransomware has brought multiple cities to their knees, earning threat actors significant funds in the process. Coupled with the ever-looming threat that a nation-state-sponsored threat actor might pull an organization into its crosshairs, there’s little reason to cease vigilance in enterprise networks.
Vigilance requires the ability to be nimble and flexible, especially given the array of options available to threat actors these days. In past surveys, we commended our respondents on improving response times, increasing the use of threat intelligence, and upping the amount of automation and integration within their networks. However, the work is never done; we must constantly be improving. The aforementioned threats aren’t necessarily new, but they are perhaps more refined. For example, some threat actors have moved from noisy, custom malware to “living off the land” with built-in Microsoft Windows capabilities. In that spirit, we identify the theme for this year’s survey: It’s time for a change.
This year’s survey shows crucial improvement in incident response (IR). We love some of this year’s increases:
- Containment and remediation—two of the most important phases of incident response—saw shorter times.
- Incidents were detected internally at a much higher ratio.
- False positives declined, which we hope means organizations have gotten better at classifying their incidents.