IDC: State of Enterprise Digital Forensics and Incident Response (DFIR) 2022 Report (English edition) (26 pages).pdf
STATE OF ENTERPRISE DFIR: 2022 REPORT
An IDC eBook, sponsored by Magnet Forensics
March 2022 | IDC#CA48870522BRO

Table of Contents
Executive Summary
Survey Overview and Demographics
Hybrid Work and the Data Explosion
The Problem of Plentiful Data
Ransomware Is Keeping DFIR Teams Up at Night
Ransoms Are Paid at Least 87% of the Time
Solving Challenges with Technology
Industry Spotlights
Industry Spotlight: Financial Services
Industry Spotlight: Healthcare
Industry Spotlight: Technology
Practitioners and Decision Makers: Same Team, Different Roles
Varying Paths to the Same Destination
Two Sides of the Same Coin
Structure of Forensics Teams
Outsourcing DFIR Activities
Conclusion
Message from the Sponsor

Analyst: Ryan O'Leary, Research Manager, Privacy and Legal Technology, IDC

Executive Summary

Digital forensics and incident response (DFIR) teams are currently experiencing a fundamental shift. The cyberthreat landscape is evolving rapidly as bad actors discover new ways to breach security perimeters. Insider threats are also greater than ever; and some modern tactics, such as zero-trust environments, simply aren't designed to protect against a maliciously acting insider.

Data volumes alone create a significant problem for DFIR teams. As of 2020, the world was creating 59 ZBs a year and storing 4.2 ZBs according to IDC's Global Datasphere.
DFIR professionals are dealing with the largest amount of data in history, data that they have to sift through to find evidence they need for their investigations.

Hybrid and remote work are now the norm for the foreseeable future and the volume of audio and video files is expanding with the shift to remote meetings. All of these forces come together and create a dynamic new environment that everyone, including DFIR professionals, must adapt to.

This annual report is about the current state of digital forensics and incident response for today's enterprises, corporations, and forensic service providers. The aim of this report is to provide market-driven and research-based insight to leaders who are making decisions for their DFIR labs so they can best prepare themselves and their teams for change.

The findings presented are based on a survey conducted by Magnet Forensics in collaboration with IDC which explore the current state of DFIR within the context of the macroeconomic forces surrounding enterprise technology. Readers should be able to evaluate their lab and technology based on the benchmarking reported by their peers to effectively plan for the future.

This report highlights:
- How DFIR teams have been impacted by hybrid work and data volume growth
- The state of DFIR within financial services, healthcare, and technology sectors
- The most concerning security threats now and in the future
- The size, organizational placement, and resource needs of DFIR teams
Survey Overview and Demographics

The web-based survey was completed by 466 respondents from September 15th, 2021 to October 15th, 2021. The survey targeted North American and Western European DFIR teams; 50% of the respondents were employed within the United States, 20% were from Canada, and the remaining 30% from the U.K., Germany, and France.

The respondents were from organizations with 500 or more employees across a broad range of industries.

FIGURE 1
Firmographics (% of respondents)

Respondent Breakdown: By Country
Categories: United States, Canada, Germany, United Kingdom, France
Values: 50%, 20%, 11%, 10%, 9%

Respondent Breakdown: By Employee Size
Categories: 500 to 999; 1,000 to 2,499; 2,500 to 4,999; 5,000 to 9,999; 10,000 or more
Values: 15%, 21%, 17%, 26%, 21%

Respondent Breakdown: By Primary Role
Categories: Data management/Analytics, DFIR/Forensics, Governance/Regulation/Compliance (GRC), IT Security, Legal
Values: 30%, 7%, 15%, 38%, 10%

Sample size (n) = 466, Source: Magnet Forensics 2022 State of Enterprise DFIR

Respondent Breakdown: By Industry
Categories: Financial services, Healthcare, Other, Services, Legal, IT, Retail/Wholesale, Government, Transportation, Manufacturing
Values: 16%, 8%, 8%, 7%, 7%, 5%, 5%, 16%, 16%, 12%

n = 466, Source: Magnet Forensics 2022 State of Enterprise DFIR

Finally, the study ensured that respondents spent at least some of their time each week engaged in digital forensics activities and had some influence over DFIR technology purchase decisions. On average, respondents spent approximately 13 hours per week on forensics activities, and close to half of the respondents influence purchase decisions.

FIGURE 2
Purchase Influence (% of respondents)
Categories: Final decision maker; On the team making decisions; Very knowledgeable about management and investment decisions; Somewhat knowledgeable about management and investment decisions
Groups: Total, Decision Maker, Practitioner
Values: 26%, 49%, 57%, 35%, 12%, 13%, 28%, 34%, 39%, 4%, 4%, 1%

FIGURE 3
DFIR Focus (average hours per week)
Groups: Total, Decision Maker, Practitioner
Values: 13, 10, 18

n = 466, Source: Magnet Forensics 2022 State of Enterprise DFIR

Hybrid Work and the Data Explosion

Not only is the volume of investigations increasing but their complexity and diversity are increasing. While remote and hybrid work existed in a pre-pandemic world, things changed drastically in March 2020; and the seemingly overnight closure of offices and continued closure of offices worldwide has irrevocably changed the way the world works.

New technologies have been adopted to enable an entirely remote workforce. Information is being passed around organizations in the form of larger video files and ephemeral messaging, and on devices that may not be managed by the organization. So not only is the volume of data larger, it is also now even more inaccessible.

When asked to what degree improvement was needed for certain functions within the DFIR department at their organizations, close to one third of respondents answered that major improvements or a complete overhaul were needed with regard to analysis, acquisition, and cleaning of data.

FIGURE 4
Improvement Areas (% of respondents)
Q. To what degree can your organization improve on each of the following functions? (Major improvements or a complete overhaul needed)
Categories: Analysis of digital evidence; Remote acquisition of target endpoints; Cleaning and organizing of information; Documenting, summarizing, and reporting; Identification of and securing access to data sources; Local acquisition of target endpoints
Values: 36%, 32%, 32%, 31%, 28%, 28%

n = 466, Source: Magnet Forensics 2022 State of Enterprise DFIR

When broken out even further:
- Approximately 14% of respondents indicated that analysis of digital evidence needed a complete overhaul.
- More than 10% of respondents indicated that remote acquisition of endpoints needed a complete overhaul.

These numbers may seem small, but selecting “complete overhaul” is a significant criticism of the current state of these organizations' capabilities. This is understandable, given that many labs have legacy DFIR tools in place that aren't designed to meet the needs of today's challenges.

The Problem of Plentiful Data

DFIR teams struggle to analyze all of the data they collect. The area of analysis was identified as both