Highlights of the SANS 2019 Incident Response Survey Results


SANS 2019 Incident Response Survey

The cybersecurity space is continuously witnessing hectic, fast-paced and exciting developments, but at the same time it is also experiencing the consequences of significant cybersecurity incidents and data breaches, impacting industries ranging from hospitality to legal to social media. During the last year, financially motivated threats such as business email compromise continued to drain corporate bank accounts, and ransomware wreaked havoc on many cities, earning threat actors significant gains in the process. With these increasing attacks, today’s organizations need to be prepared by having the tactics, techniques and procedures in place, supported by the right tools, technologies and people, in order to efficiently and effectively detect, respond to and remediate incidents before they turn into more serious breaches with potentially devastating consequences.

Each year the SANS Institute conducts a number of surveys, and one of particular importance to us concerns incident response. DFLabs is delighted to sponsor the SANS 2019 Incident Response Survey. In this blog post we will briefly discuss what the survey entails, why it is important, and, more importantly, the highlights from this year’s results. A full copy of the report is now available to download here.

What Is the Incident Response Survey About?

The SANS IR survey is designed to provide insight into the integration of IR capabilities within organizations’ security programs, highlighting current trends, as well as providing insight into weak spots and best practices for improving IR functions and capabilities moving forward. The main theme for this year’s survey is “It’s Time to Change” - a call to action for all stakeholders to review and further improve their existing IR practices. Organizations frequently hesitate to integrate security improvements that could hugely impact and change existing security operations and incident response processes, but that reluctance to change needs to be overcome for the greater good it can achieve. This year’s survey not only notes the areas in which IR has improved, but also pinpoints those areas within the incident response process that need further improvement.

Why Is It Important?

The survey provides invaluable insights into the improvements that have taken place within the IR processes of organizations worldwide over the course of the last year. It also shows critical problems that appear year after year and that cannot seem to be easily overcome. Moreover, it examines the key statistics, takeaways and more. Readers and stakeholders within the industry now have the opportunity to examine whether the issues presented also apply to their organization and what can proactively be done to overcome them.

Survey Demographics

270 respondents completed this year’s survey and the response pool represented a global group of incident responders from within various organizations, sectors, and countries worldwide. These respondents came from different organization sizes, including small to medium businesses of up to 1000 employees (which accounted for 39%), to larger multinational enterprises with over 100k employees (accounting for 12%), with everything else in between. The top industry sectors included government (17%), banking and finance (15%), technology (13%), as well as managed services providers, healthcare, education, manufacturing and more. Regarding the top roles represented in this report, they varied from security administrators and analysts (representing 23%), to IR team members (15%), security managers or directors (11%), and IR team leaders (9%), plus a range of other experts.

Changes Are Happening

Before we highlight some key points from the results, it’s worth noting that this year’s survey showed some positive movement in several key areas. For starters, organizations are moving into containment and remediation faster and are getting better at detecting incidents, as opposed to waiting for third party notification.

Key Points to Highlight

The 2019 IR Survey opens with a set of metrics that focuses on how incident responders handle true positive incidents. The question that defines the success of IR or the security team is: How quickly do we detect, respond to and resolve incidents? Three key time frames were examined to determine whether IR teams were better or worse from year to year which included:

For the second time in two years, results indicated that there was an improvement in how teams responded to incidents, with the most notable improvement in detection to containment times, with a 6% improvement compared to last year. It is always nice to see progress in such a critical phase of the IR process!

We will now quickly cover the results of three notable areas.

Internal Breach Detection

For the first time this year respondents were asked about incident notification, and a whopping 64% of them answered that 51% or more of their incidents were detected internally (instead of being identified by a third party). This change is a great start, and one we hopefully continue to see on a positive upward trend, ensuring there is no time delay between notification and action.

Incidents Converting to Breaches

Approximately 38% of incidents did not convert to a breach, which is a 7% improvement from last year. This might be due to improved detection capabilities, as opposed to a decrease in breaches or a lack of visibility. An additional 39% of respondents who had incidents convert to breaches experienced 25 or fewer breaches. Compared to last year, this is a slight uptick.

System Remediation

Compared with the 2018 survey, remediation efforts this year saw a lot of up and down movement between which tasks organizations have automated and which are still performed manually. Approximately 46% of respondents in 2018 manually blocked command-and-control (C2) IP addresses, compared with only 35% this year.


This year’s SANS Incident Response Survey gives experts and organizations unique insights on the state of affairs in the cybersecurity industry and organizations’ abilities to detect, respond to and remediate threats. Not only does it disclose the development in certain areas, it also addresses the issues that need more immediate attention and resolution, while providing recommendations for further improvements. For this reason, this report (which you can download in full here) is a good starting point for all stakeholders looking to compare their organization’s efforts and effectiveness with the industry average, so that they can embark on plans for change and improvement.

Let’s conclude this blog with the words of Matt Bromiley, the author of this SANS report: “Focus on gaps in visibility, automate manual tasks and get your various teams talking. It’s time for a change. And the time to start is now.” For more insight into the SANS 2019 IR Survey from this expert, and to hear a summary of the results first-hand, you can listen to the SANS webcast on-demand here.

Finally, achieving successful incident response will always have a number of challenges. Keep an eye out for an upcoming blog post which will go into more detail about the top five challenges of IR and how to potentially overcome them.
