

SANS: 2016 Security Analytics Survey report

Posted by fleschner at 2020-03-01

On December 6, 2016, SANS released its fourth annual Security Analytics Survey (the 2016 edition). The survey polled 348 respondents worldwide. 38% use security analytics to assess risk, 35% to identify malicious behavior, and 31% to meet compliance requirements; these are the three most common use cases. As in the previous survey, only about 4% consider their security analytics fully automated, and only 22% use machine-learning-based tools in their analytics.

1. Scope of data collection

Ranked by how widely they are collected: application logs (including application audit logs) come first, then logs from network firewall / IDS / IPS / UTM devices, then vulnerability scan / configuration check / patch management results, then endpoint protection system logs, followed by host anti-malware (AV) logs, whois and DNS logs, threat intelligence data, packet capture data, user behavior monitoring data, identity data, database logs, sandbox logs, cloud security logs, big data platform logs, and so on.

2. Collection and integration of Threat Intelligence

A SIEM is the preferred tool for collecting threat intelligence and correlating it with the other data sources; the second most common approach is an in-house developed system.

3. Automation of the security analytics process

Only 3.6% consider their analytics fully automated, 53.7% consider it partially automated, 22.1% have no automation at all, and 10.5% don't know whether they have any (which can effectively be counted as no automation).

4. Whether a breach occurred

65% said their organization had to handle a data breach in the past two years; 17% said none had occurred.

5. Response speed

Overall better than last year. 62% said they could detect a compromise within one day of it occurring, while only 5% said it took more than ten months to discover they had been compromised.

6. Alerting mechanisms

Looking at what first triggered the detection of breaches and compromises, the most common source was alerts from endpoint monitoring software, followed by automated alerts from the SIEM and other analytics systems, then perimeter defense devices, third-party vendors, and customers.

7. Weaknesses in security analytics

The main shortcomings are: lack of analytical skills (too few people, and too few senior people), lack of budget and resources, difficulty in modeling behavior and detecting anomalies, and lack of visibility into network traffic and logs. In short: not more analytics tools, but more analysts!

8. Time spent on security analytics

Security analytics takes up considerable time across the protection, detection and response phases, which shows how central it is to security operations.

9. The most valuable use cases for security analytics

In order: assessing risk, identifying suspicious or malicious user behavior, compliance monitoring and management, detecting external threats, improving visibility into network and endpoint behavior, detecting insider threats, and so on.

10. Quantifiable improvement

44% of respondents said they obtained a quantifiable improvement from their security analytics tools.

11. Satisfaction with their own security analytics capability

16.1% were very satisfied with the improvement in detection speed, 54.1% with performance, response time and query speed, 40.9% with the prediction and prevention of unknown threats, and 45.5% with their ability to "know the adversary".

12. The difference between big data security analytics and security analytics

48.2% thought there was no essential difference between the two, while 34% thought there was, mainly in the analysis process and tooling. SANS believes that being able to distinguish the two marks a deeper understanding of security analytics.

13. Future investment in security analytics

Similar to last year's survey, the top item is personnel and training, with 49% investing there. Next, 42% are investing in detection and SOC upgrades, 29% in incident response (IR) integration, followed by SIEM tools and systems, and big data analytics engines and tools. Interestingly, investment in security intelligence products and services dropped from 43% last year to 18% this year. SANS attributes this to organizations focusing more on collecting their own internal data than on third-party products and services.

Summary: more organizations are adopting security analytics. We collect more and more data, and we collect it better. But the biggest problem is that we still cannot make good use of that data for detection and response. Although we find unknown threats faster, we still fail to prioritize threats, to focus on remediation and reporting, and to build models of normal behavior against which anomalies can be flagged. One reason is the long-standing shortage of SOC operations skills, along with management and financial support.

Utilization of security analytics is slowly improving, and we’ve done a much better job of collecting data, but more effort is needed to detect, respond and report results using analytics before we can say we’re really maturing in this space.
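The two gaps the survey calls out, correlating threat intelligence with collected data (section 2) and building a baseline of normal behavior to flag anomalies and prioritize them (section 7 and the summary), can be shown together in a few dozen lines. The following is an added example written for this page, not code from the SANS report or from any SIEM product. The indicator set, the authentication log lines and the scoring weights are all constructed for illustration; a real deployment would baseline over weeks rather than three days and would use per-user distributions rather than a set of observed hours.

```python
"""Added example: score auth events against a threat-intel indicator set
and a per-user behavioral baseline, then rank the resulting alerts.
Every indicator, log line and weight here is constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed indicator set, standing in for a SIEM's threat-intel feed.
INTEL_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed auth events in the form "timestamp user src_ip result".
# HISTORY is the training window used to build the baseline.
HISTORY = [
    "2016-11-01T09:05:00 alice 10.0.0.5 success",
    "2016-11-02T09:12:00 alice 10.0.0.5 success",
    "2016-11-03T08:58:00 alice 10.0.0.5 success",
    "2016-11-01T13:40:00 bob 10.0.0.9 success",
    "2016-11-02T14:02:00 bob 10.0.0.9 success",
    "2016-11-03T13:55:00 bob 10.0.0.12 success",
]
# TODAY is the window being analyzed.
TODAY = [
    "2016-11-04T09:01:00 alice 10.0.0.5 success",     # normal for alice
    "2016-11-04T03:14:00 alice 203.0.113.7 success",  # odd hour, intel hit
    "2016-11-04T14:10:00 bob 10.0.0.9 failure",       # usual hour, one failure
    "2016-11-04T22:30:00 bob 192.0.2.44 success",     # odd hour, new source
]


def parse(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "result": result}


def build_baseline(lines):
    """Per-user sets of login hours and source IPs seen in the training window."""
    base = defaultdict(lambda: {"hours": set(), "ips": set()})
    for ev in map(parse, lines):
        base[ev["user"]]["hours"].add(ev["ts"].hour)
        base[ev["user"]]["ips"].add(ev["ip"])
    return base


def score(ev, baseline, intel):
    """Return (score, reasons). An intel match outweighs any pure anomaly,
    so confirmed-bad infrastructure always sorts to the top of the queue."""
    reasons, s = [], 0
    if ev["ip"] in intel:
        s += 10
        reasons.append("src_ip matches threat intel")
    prof = baseline.get(ev["user"])
    if prof is None:
        s += 3
        reasons.append("user has no baseline")
    else:
        if ev["ip"] not in prof["ips"]:
            s += 2
            reasons.append("new source ip for user")
        if ev["ts"].hour not in prof["hours"]:
            s += 2
            reasons.append("login outside usual hours")
    if ev["result"] != "success":
        s += 1
        reasons.append("auth failure")
    return s, reasons


def triage(lines, baseline, intel, threshold=2):
    """Score every event, drop those below the threshold, rank the rest."""
    alerts = []
    for ev in map(parse, lines):
        s, why = score(ev, baseline, intel)
        if s >= threshold:
            alerts.append((s, ev["user"], ev["ip"], why))
    return sorted(alerts, key=lambda a: -a[0])


if __name__ == "__main__":
    for alert in triage(TODAY, build_baseline(HISTORY), INTEL_IPS):
        print(alert)
```

Run as written, the normal alice login and bob's single failure fall below the threshold, while alice's 03:14 login from the intel-listed address ranks first and bob's late-night login from a never-seen address ranks second. The threshold and weights are the tuning knobs the survey respondents say they lack the people to manage: too low and the queue fills with baseline noise, too high and the non-intel anomaly is lost.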

