SANS 2019 Incident Response Survey: Successful IR Relies on Visibility

During the past year, we have witnessed significant data breaches that have impacted industries ranging from hospitality to legal to social media. We have seen a continuation of financially motivated threats, such as business email compromise (BEC), which continue to plague corporate bank accounts. Ransomware has brought multiple cities, schools and universities to their knees, earning threat actors significant funds. Coupled with the ever-looming threat that a state sponsored threat actor might pull an organization into its crosshairs, there’s little reason to cease vigilance in enterprise networks. Vigilance requires the ability to be nimble and flexible, especially given the array of options available to threat actors these days.

SANS' IR Survey Key Findings

The 2019 SANS Incident Response survey shows crucial improvement in incident response (IR). Containment and remediation—two of the most important phases of incident response—were exercised in shorter times. Incidents were detected internally at a much higher ratio. False positives also declined, which means organizations have gotten better at classifying their incidents. However, even with these improvements, problematic areas continue to exist from year to year. Many organizations still show severe gaps in visibility, a critical problem that needs to be the cornerstone of an organization’s security program. It’s tough to truly determine your security posture if you are blind to a portion of your environment. In addition, many respondents again expressed concerns about levels of staffing and skills shortages, problems that may require out-of-the-box thinking.

Analysis of the Positive IR Findings

The 2019 IR survey displayed some positive results in key areas. Organizations are moving into containment and remediation faster and are getting better at detecting incidents as opposed to waiting for third-party notifications.

Time Does Matter

The one question that defines how well an IR or security team is doing is: “How quickly are we detecting, responding to and resolving incidents?” There are three key time frames that provide insight on how long it takes organizations to take an incident from:

• Compromise to detection (aka the dwell time)
• Detection to containment
• Containment to remediation

The survey findings saw—for the second year in a row—an improvement in the way teams responded to incidents. While dwell time remained stable (still at a 53% detected within 24 hours or less), the most notable improvement is that 67% of respondents indicated that they moved from detection to containment within 24 hours—a 6% uptick from last year. It is very fortunate to see an upward movement in how organizations are containing after detection, as this is a critical phase of the IR life cycle. Regarding remediation, the findings indicate that respondents are taking longer to remediate than the previous year. However, this decline is not necessarily a bad sign. Eighty-nine percent of remediation efforts are occurring within 30 days. Although this time span may seem long, a month to remediate may actually be quick depending on the nature of the incident and data to be replaced. Remediation can be a complex problem to solve, and it is better to take the time to perform the right remediation rather than the fastest.

Rely on Your Own Forces

While on the topic of detection, relying on a third-party for incident notification most likely means that an organization either has visibility gaps or is unable to properly detect an incident. These situations are not ideal and give threat actors an advantage in the form of time. Luckily, 64% of the survey respondents answered that 51% or more of their incidents were detected internally, as opposed to being identified by a third party. The importance of this metric speaks to an organization’s capability to track its IR activity and performance. Furthermore, the fewer incident-to-breach conversions an organization has, the more time the security team has to focus on proactive or detection measures.

Areas for Further Improvement: Analysis of the Problematic Areas

The SANS 2019 Incident Response survey has identified a few notable areas where organizations can begin to make some improvements.

Visibility Based on Multiple Datasets

According to the report, organizations have demonstrated a clear preference for using and obtaining security appliance and host-based data to support investigations of security incidents and potential breaches. SIEM solutions enable security teams to easily acquire most data, including short-term historical event logs, related alerts from security devices and active data on a victim system. On the other hand, respondents had the most trouble collecting network artifacts because network-based artifacts are sometimes more difficult to collect due to the sheer number of collectors needed and storage limitations. As a result, security appliances such as an IDS, IPS, firewall, log analytics or a SIEM are the most integrated solutions, with more than 60% of respondents saying that these are used to identify impacted systems. An organization’s reliance on one or two sources of data for incident detection and response is not necessarily a sign of right or wrong. Typically, IR teams look for any and all data that can be used to fill a visibility gap, ranging from arbitrary system logs to network traffic when it’s available. However, it would be beneficial for organizations to integrate informative detection capabilities such as file integrity or behavioral monitoring, both having low levels of integration as reported by only 16% of respondents. Furthermore, organizations relying on data from an appliance or tool should be able to take advantage of various automation and integration features. Automation serves as a significant benefit for IR because it provides a mechanism via which organizations can further integrate additional tooling and automate procedures.

Learn from the Past to Protect Your Future Using Your IR Capabilities

If you want to find efficiencies within your environment, track and use IR metrics. Metrics can be helpful in identifying low- or high-performing teams, inefficient processes or things that “work really well” within the organization. In the 2019 survey, approximately 26% of respondents indicated that they are not assessing the effectiveness or maturity of their IR processes, compared to almost 72% of respondents who do have some metric—whether it’s an internal measurement or a comparison against public metrics, such as NIST. It makes sense that those teams that track and evaluate their performance and plans—and then cycle the lessons they learned back into the team—will be more effective over time. By doing their homework, organizations can learn the tactics and techniques used by threat actors in the past and ensure that the same TTPs will not be used again. Knowledge can be used to improve an organization’s security posture.

Conclusion

As the SANS IR report title says, “It is time for a change.” Threat actors are improving and becoming more sophisticated. Organizations should not hide themselves behind well-known problems, such as lack of staffing, and postpone or even cancel security improvements that could have drastically improved their capability to detect and respond to security incidents. A lack of executive buy-in will leave the IR teams alone to hold the responsibility of protection. However, this lack of action can lead to enterprise atrophy as blame—instead of responsibility—is shifted. Tripwire can help organizations meet their IR requirements and built an effective shield around their valuable property. Tripwire’s File Integrity Monitoring (FIM) solution provides proven visibility, reducing the IR cycle while automating workflows and integrating with a variety of SIEM tools. You may learn more at Tripwire's IR solution page.