Survey results show IR experts desperately need endpoint visibility, open APIs for better integration, and lightweight detection and response software
WALTHAM, Mass.—August 20, 2015—Incident response professionals agree: They need better tools—endpoint visibility, open APIs for integration of endpoint and other security products, and lightweight detection and response software—if they are going to have a fighting chance of stemming the tsunami of advanced threats and targeted attacks they face daily. These are among the key findings in a new report by the SANS Institute, The Race to Detection: A Look at Rapidly Changing IR Practices, sponsored by Bit9 + Carbon Black.
SANS surveyed in-house corporate IR professionals and those who work for IR services firms to measure their pain points and identify what they need to do their jobs effectively. The survey showed that:
- IR teams need better tools to do their work, including open APIs for effective integration of endpoint and other security solutions, the ability to integrate with other vendors, the ability to host remediation, and lightweight detection and response software.
- Most current IR technologies lack compatibility with other products and deliver too many false-positive alerts.
- The greatest challenges in a typical IR engagement are lack of knowledge of the organization’s network environment and system endpoint inventory/asset management.
- The most common triggers for IR service requests are condition-triggered alerts from security information and event management (SIEM) technology, followed by third-party notification and anomalous network traffic; antivirus scans were found to be the least effective detection triggers for advanced attacks.
- IR pros are not convinced that one-size-fits-all integrated security software systems are the right choice for every environment. Some prefer to pick best-of-breed tools in each category instead of choosing a multipurpose tool that provides many IR functions but may not be able to provide the level of visibility required for proper intrusion analysis.
“The results of the SANS survey are both scary and encouraging,” said Eric Schurr, chief marketing officer of Bit9 + Carbon Black. “Scary because it’s clear that attackers are doing whatever they can to stay one step ahead of IR teams. Encouraging because IR professionals, both in-house and at service firms, are asking for a solution that can deliver the real-time visibility and detection required to instantly identify and respond to threats, rather than operating in the traditional ‘post-mortem’ forensics approach.”
Alissa Torres, the SANS analyst and incident response expert who authored the report, said: “Embattled incident response teams face a rapidly evolving threat landscape. Highly sought-after IR firms are offering more proactive services to address breach concerns, not simply traditional post-intrusion forensic services.”
About Bit9 + Carbon Black
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,400 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.
Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.