How Well Does Your IR Function Stack Up Against Your Peers?
Posted by Liz Bush
The security community is typically pretty great about sharing information among colleagues, including tips and tricks of the trade. If you want to learn about some of the latest observations and recommendations to enhance your incident response capabilities, I encourage you to watch a new webcast on demand, “Improving the Incident Response Function, SANS 2018 Incident Response Survey.” Matt Bromiley, a SANS Digital Forensics and Incident Response instructor, shares the survey results as well as advice on how to do better with the teams and tools you already have in place. Joining Matt, our own Ryan Trost, Co-founder and CTO, provides his perspective on the findings, and offers suggestions for how to address some of the toughest challenges when it comes to investigating incidents and breaches. Full survey details are available for download in the report, It’s Awfully Noisy Out There: Results of the 2018 SANS Incident Response Survey.
We all know that incident response teams must operate in a very noisy environment, so it isn’t surprising that this year’s survey focuses on how to work our way through the noise to better defend our organizations. Matt describes the challenge as akin to being at a concert while trying to listen to music on your headphones, except that incident responders can’t leave the concert: they have to deal with an unprecedented volume and variety of malware and hacks, including old indicators that we thought we could retire but that are resurfacing and must be monitored again.
Here are just two takeaways from the webcast that struck a chord (pardon the pun!) with me, but I’m sure you’ll find others:
Ease of visibility = ease of remediation.
While the 452 respondents to the survey believe that they are doing a pretty good job identifying the users and systems impacted by an incident or breach, finding the data and threat actor details involved is much more complex. Only 17.7 percent can consistently and accurately discover the tactics, techniques and procedures (TTPs) used. We can’t thoroughly remediate without visibility into all aspects of a breach or incident. According to Matt, this speaks to the need for better threat intelligence or indicator tracking, as well as better integration and collaboration.
How to map investigations using published adversary profiles.
Having run two large SOCs in the past, Ryan understands the challenge of identifying and tracking TTPs and monitoring the success of defensive countermeasures. In the webcast, Ryan explains how to use the MITRE ATT&CK framework together with ThreatQ for threat hunting, exploring every corner of your organization to pinpoint adversary TTPs. With the ability to find all the malicious activity within the environment, incident response teams can ensure total remediation.
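To make the mapping concrete, here is a small added example (written for this post; it is not ThreatQ code and uses no ThreatQ API) of the workflow Ryan describes: tag each piece of investigation evidence with an ATT&CK technique, roll it up by tactic and by host, and compare the observed techniques with an adversary profile to see which expected TTPs are confirmed and which still need to be hunted for. The technique IDs are real ATT&CK identifiers, but the adversary profile and the evidence items are constructed for the illustration and do not describe any real group or incident.

```python
"""Map investigation findings to MITRE ATT&CK and compare them with an adversary profile.

Added example for this post, not ThreatQ tooling. Technique IDs are real ATT&CK IDs;
the profile and the evidence are constructed sample data.
"""
from collections import defaultdict

# Technique -> tactic, limited to the techniques this example uses (real ATT&CK IDs).
ATTACK_TACTICS = {
    "T1566": "initial-access",       # Phishing
    "T1204": "execution",            # User Execution
    "T1059": "execution",            # Command and Scripting Interpreter
    "T1053": "persistence",          # Scheduled Task/Job
    "T1003": "credential-access",    # OS Credential Dumping
    "T1021": "lateral-movement",     # Remote Services
    "T1071": "command-and-control",  # Application Layer Protocol
    "T1041": "exfiltration",         # Exfiltration Over C2 Channel
}

# Hypothetical adversary profile (constructed, not a real published group).
ADVERSARY_PROFILE = {
    "name": "EXAMPLE-GROUP (constructed)",
    "techniques": ["T1566", "T1204", "T1059", "T1053", "T1003", "T1021", "T1071", "T1041"],
}

# Constructed evidence from a hypothetical incident, each item tagged by the analyst.
INVESTIGATION_FINDINGS = [
    {"host": "ws-0142", "evidence": "macro-enabled invoice.docm opened from mail", "technique": "T1204"},
    {"host": "ws-0142", "evidence": "powershell.exe -enc ... spawned by winword.exe", "technique": "T1059"},
    {"host": "ws-0142", "evidence": "scheduled task 'Updater' created", "technique": "T1053"},
    {"host": "dc-01", "evidence": "lsass.exe memory read by unsigned process", "technique": "T1003"},
    {"host": "ws-0142", "evidence": "periodic HTTPS beacon to update-cdn[.]example", "technique": "T1071"},
]


def map_findings(findings, tactics=ATTACK_TACTICS):
    """Return {tactic: {technique: [evidence, ...]}}; rejects unknown technique IDs."""
    coverage = defaultdict(lambda: defaultdict(list))
    for item in findings:
        tid = item["technique"]
        if tid not in tactics:
            raise ValueError(f"unknown ATT&CK technique id {tid!r}")
        coverage[tactics[tid]][tid].append(f"{item['host']}: {item['evidence']}")
    return {tactic: dict(techs) for tactic, techs in coverage.items()}


def affected_hosts(findings):
    """Return {host: sorted technique IDs} so remediation can be scoped per system."""
    hosts = defaultdict(set)
    for item in findings:
        hosts[item["host"]].add(item["technique"])
    return {host: sorted(techs) for host, techs in hosts.items()}


def gap_analysis(findings, profile=ADVERSARY_PROFILE, tactics=ATTACK_TACTICS):
    """Compare observed techniques with the profile's expected TTPs.

    confirmed:   expected and observed
    unconfirmed: expected but not yet observed (these are the hunt targets)
    unexpected:  observed but not in the profile (profile may need updating)
    """
    observed = {item["technique"] for item in findings}
    expected = set(profile["techniques"])
    unconfirmed = sorted(expected - observed)
    return {
        "confirmed": sorted(observed & expected),
        "unconfirmed": unconfirmed,
        "unexpected": sorted(observed - expected),
        # Tactics with no evidence yet: where the hunt should look next.
        "hunt_tactics": sorted({tactics[t] for t in unconfirmed}),
    }


if __name__ == "__main__":
    gaps = gap_analysis(INVESTIGATION_FINDINGS)
    print(f"Profile: {ADVERSARY_PROFILE['name']}")
    print("Confirmed TTPs:  ", ", ".join(gaps["confirmed"]))
    print("Still to hunt:   ", ", ".join(gaps["unconfirmed"]), "->", ", ".join(gaps["hunt_tactics"]))
    for host, techs in affected_hosts(INVESTIGATION_FINDINGS).items():
        print(f"Remediate {host}: {', '.join(techs)}")
```

In this constructed incident the analyst has confirmed execution, persistence, credential access and command-and-control, but the profile also expects phishing, lateral movement and exfiltration; those three tactics are where the hunt continues before the team can claim the remediation is complete.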
The webcast also reveals the top impediments for security professionals in 2019, including a shortage of staffing and skills, lack of budget and poorly defined processes. Matt offers workarounds and advice on how to use your existing resources creatively to address many of these impediments at little cost. Watch the recording now and download the report to learn where to start to find the most success and make life easier in the coming year.