On December 6, 2016, SANS released its fourth annual (2016) Security Analytics Survey report. The survey covered 348 respondents worldwide. The results show that 38% of respondents use security analytics to assess risk, 35% use it to identify malicious behavior, and 31% use it to achieve compliance; these are also the three most common use cases for security analytics. Compared with the previous survey, there has been little improvement in automating security analytics: only 4% of respondents consider their security analytics fully automated, and only 22% use machine-learning-related tools as part of their analysis.
1. Scope of data collection
The most widely collected sources, in order, are: application logs (including application audit logs); network firewall/IDS/IPS/UTM device logs; vulnerability scanning, configuration verification and patch management results; endpoint protection system logs; host anti-malware (AV) logs; and then Whois and DNS logs, threat intelligence data, packet inspection data, user behavior monitoring data, identity data, database logs, sandbox logs, cloud security logs, big data system logs, and more.
2. Threat intelligence collection and integration
The preferred approach is to use a SIEM to gather intelligence and correlate it with the various data sources. The second most common approach is an in-house developed system.
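As an added illustration of the correlation step described above (this is example code written for this summary, not code from SANS, the survey respondents or the original post), the script below does what a basic SIEM intel-correlation rule does: it parses firewall and DNS log lines, matches destinations and queried names against an indicator list, and ranks internal hosts that appear in more than one log source first. All indicator values, log lines and field layouts are constructed for the example; the IP ranges are documentation/TEST-NET addresses, not real indicators.

```python
"""Correlate threat-intelligence indicators with firewall and DNS logs.

Added example, not from the SANS report or the blog post. All indicators,
log lines and field layouts below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator set, in the shape a feed would have after parsing.
# The addresses are TEST-NET ranges (RFC 5737), not real indicators.
INDICATORS = {
    "ip": {"203.0.113.10", "198.51.100.7"},
    "domain": {"bad.example", "evil.example.net"},
    "cidr": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed firewall lines (syslog-style key=value) and DNS query lines.
FIREWALL_LOGS = [
    "2016-12-06T10:01:02Z fw01 action=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2016-12-06T10:01:09Z fw01 action=allow src=10.0.0.8 dst=93.184.216.34 dport=80",
    "2016-12-06T10:02:15Z fw01 action=deny src=10.0.0.5 dst=192.0.2.77 dport=4444",
]
DNS_LOGS = [
    "2016-12-06T10:00:58Z dns01 client=10.0.0.5 query=bad.example type=A",
    "2016-12-06T10:01:30Z dns01 client=10.0.0.9 query=www.example.org type=A",
    "2016-12-06T10:03:00Z dns01 client=10.0.0.5 query=cdn.evil.example.net type=A",
    "2016-12-06T10:04:12Z dns01 client=10.0.0.9 query=evil.example.net type=A",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'ts host k=v k=v ...' into a dict; timestamp and host are positional."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"], fields["host"] = ts, host
    return fields


def domain_matches(qname):
    """Exact or parent-domain match, so cdn.evil.example.net hits evil.example.net."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in INDICATORS["domain"] for i in range(len(labels)))


def ip_matches(addr):
    """Match a single-address indicator or any listed CIDR range."""
    if addr in INDICATORS["ip"]:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # malformed field: never a match, never a crash
        return False
    return any(ip in net for net in INDICATORS["cidr"])


def correlate(firewall_logs, dns_logs):
    """Return hits keyed by internal host: list of (source, indicator, ts)."""
    hits = defaultdict(list)
    for line in firewall_logs:
        ev = parse_line(line)
        if ip_matches(ev["dst"]):
            hits[ev["src"]].append(("firewall", ev["dst"], ev["ts"]))
    for line in dns_logs:
        ev = parse_line(line)
        if domain_matches(ev["query"]):
            hits[ev["client"]].append(("dns", ev["query"], ev["ts"]))
    return dict(hits)


def prioritise(hits):
    """Hosts seen in more than one log source rank above single-source hits,
    then by number of hits, then by host address for a stable order."""
    return sorted(hits, key=lambda h: (-len({s for s, _, _ in hits[h]}), -len(hits[h]), h))


if __name__ == "__main__":
    found = correlate(FIREWALL_LOGS, DNS_LOGS)
    for host in prioritise(found):
        print(host, found[host])
```

The ranking in `prioritise` is the part a SIEM rule adds over a plain indicator lookup: a host that both resolved a listed domain and then connected to a listed address is a stronger signal than either event alone, which is the kind of threat prioritization the report's summary says most organizations still lack.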
3. Automation of the security analysis process
Only 3.6% consider their security analytics fully automated, 53.7% partially automated, and 22.1% not automated at all; a further 10.5% do not know whether any automation is in place (which can essentially be counted as no automation).
4. Have there been any data leaks?
65% said their organizations had experienced a data breach in the past two years that had to be handled; 17% indicated that nothing had happened.
5. Response Speed
Overall better than last year. 62% said that, at best, they could detect a compromise within one day of its occurrence, while only 5% needed more than 10 months to discover they had been compromised.
6. Alerting mechanism
For the sources that first flagged data leakage and destruction events, alerts from endpoint monitoring software were the most common, followed by automatic SIEM alerts, automatic alerts from other analysis systems, then alerts from perimeter defense devices, alerts from third-party vendors, and reports initiated by customers.
7. Weaknesses of security analytics
The main weaknesses, in order, are: lack of analytical skills (i.e., people with a high level of capability), lack of budget and resources, difficulty in behavioral modeling and anomaly detection, and lack of visibility into network traffic and logs. In short, no matter how impressive the analysis tool, it is useless without analysts!
8. Frequency of security analytics work
Across the protection, detection and response phases, security analytics takes up a large share of the time, demonstrating that it plays an important role in security operations.
9. The most valuable scenario for security analysis
In order: assessing risk, identifying suspicious or malicious user behavior, monitoring and managing compliance, detecting external malicious threats, improving visibility into network and endpoint behavior, detecting insider threats, and more.
10. Measurable improvements
44% of respondents said they were able to gain quantifiable improvements and enhancements through security analysis tools.
11. Satisfaction with their own security analytics capability
16.1% are very satisfied with detection speed; 54.1% are satisfied with performance, response time and query speed; 40.9% are dissatisfied with the ability to predict and stop unknown threats; and 45.5% are dissatisfied with the "knowing" (awareness) capability.
12. The difference between big data security analytics and security analytics
48.2% of respondents think there is no essential difference, while 34% think the two differ, mainly in the analysis process and the tools used. SANS believes that distinguishing the two indicates a deeper understanding of security analytics.
13. Future investment direction in the field of security analysis
Similar to last year's survey, the top area was staff and training, chosen by 49% of respondents. Next, 42% chose detection and SOC upgrades, 29% incident response (IR) integration, and then SIEM tools and systems, as well as big data analytics engines and tools. Interestingly, security intelligence products, tools and services dropped from 43% last year to 18% this year; SANS estimates this is because organizations are now paying more attention to internal data collection than to relying on third-party products and services.
Summary: More organizations are starting to use security analytics, and we are collecting more and more data, but the biggest problem is the inability to make good use of that data for detection and response. Although we can find unknown threats faster, we still lack good threat prioritization, centralized remediation and reporting, and a normal-behavior model against which to flag exceptions. One reason for this is the long-term shortage of SOC operations skills, as well as of managerial and financial support.
Utilization of security analytics is slowly improving, and we've done a much better job of collecting data, but more effort is needed to detect, respond and report results using analytics before we can say we're really maturing in this space.
Related reports:
SANS: 2016 Cyber Threat Intelligence Survey Report
SANS: 2015 Annual Security Analytics and Security Intelligence Survey Report
SANS: 2014 Annual Security Analytics and Security Intelligence Survey Report
SANS: 2013 Annual Security Analytics Survey Report
SANS: 2014 Annual Log Management Survey Report
SANS: 2012 Annual Log Management Survey Report
SANS: 2011 Annual Log Management Survey Report
SANS: 2010 Annual Log Management Survey Report
SANS: 2016 Annual Security Analytics Survey Report