Significant data breaches around the globe impacted a wide range of businesses over the last year, so what's the current state of incident response (IR) worldwide?
According to the SANS 2019 Incident Response Survey, IR professionals with diverse job titles at a wide range of companies worldwide saw crucial improvements in three key areas:
- Shorter times to containment and remediation with steady dwell times
- A higher ratio of internal incident detection over outside or third-party detection
- Better classification of incidents to reduce false positives
Dwell time remained flat year-over-year, but that's not necessarily bad news because a majority of IR teams (53%) detected incidents within 24 hours. The really good news was that 67% of respondents indicated they moved from detection to containment within 24 hours, a 6% improvement year-over-year.
For the first time in the survey, SANS polled incident responders to see how well their internal teams are detecting threats. Almost two-thirds (64%) said they detect threats internally, without third-party help, about half the time (51%).
For threats that convert into breaches, malware infections remained the primary component at 63%, but that figure remained flat year-over-year.
When it comes to remediation, survey results were a mixed bag. Respondents indicated that they're taking longer to remediate threats (89% said remediation occurs within 30 days), but that time frame could indicate organizations are focusing on the right remediation rather than the fastest.
The report's author, SANS Digital Forensics and Incident Response Instructor Matt Bromiley, also noted two significant issues that continue to pop up in the yearly survey: visibility and staffing.
"Many organizations are still showing severe gaps in visibility, a critical problem that needs to be front and center. It's tough to truly determine your security posture if you are blind to a portion of your environment. Many of our respondents are still expressing concerns about levels of staffing and their skills shortage, problems that may require some out-of-the-box thinking."
What can incident response leadership do to improve incident response? The report offers three major recommendations:
- Focus on gaps in visibility
- Automate manual tasks
- Improve communication between teams
To dive deeper into survey results, and to see expanded recommendations for improving incident detection, investigation, and remediation, download a complimentary copy of the SANS report.