The State Of Digital Forensics And Incident Response 2023

Download your free copy of ‘The State of Digital Forensics and Incident Response 2023‘ – your compass to navigate the DFIR landscape.

Gamze: Hello everyone, and thank you very much for joining. We will be waiting for three minutes so that people can join. In three minutes time we will be starting the presentation.

Hello everyone. Welcome to our live webinar. Please let us know if you are having any technical issues in voice streaming or access and we will fix it immediately. And again, thanks a lot for joining us today. I see that we have people around the world. So, good morning, good afternoon, and good evening. My name’s Gamze Karsli and here at Binalyze I’m leading the marketing activities for Meta and APAC regions.

Today with Shilpi, Jaana and Steve we will be talking about the recent report that IDC released: The State of Digital Forensics and Incident Response 2023. To start with, normally today we were targeting to have Emre Tinaztepe, our CEO, with us, but Emre is currently traveling in the USA and he has some logistical problems, and at the very last minute we had to change our speaker from Emre to Steve, and he sends his sincere apologies.

So, Steve will be taking a seat and he will be talking with Shilpi and Jaana about the key findings of our report. So before going to the details of the report, I would like to introduce our speakers here. Shilpi, would you like to introduce yourself?


Shilpi: Sure, thank you Gamze. Hi everybody, I’m Shilpi Handa. I’m an associate research director with IDC. I’m responsible for the cybersecurity initiatives for the Meta region and I’m based out of the IDC’s Dubai office. Thank you. It’s a pleasure to be a part of this panel today.

Gamze: Thank you Shilpi. Jaana?

Jaana: Hi everyone, I’m Jaana Metsamaa. I’m the VP of Product here at Binalyze and we’re working on an exciting vision and strategy around our enterprise DFIR product that will allow you to close cases that take weeks today in mere hours. If you think it’s black magic then stay tuned, we’ll actually make it happen! So, very excited for the conversation today and happy to be here as well.

Gamze: And our very recent speaker, Steve.

Steve: Hello everyone. Yes, I’m also very pleased to be here. I’m not Emre Tinaztepe, as you can tell. My name is Steve Jackson, I’m the VP of Growth here at Binalyze. So I take care of all of the GTM stuff. Off the bench as an able substitute, and looking forward to the discussion. So let’s get into it.

Gamze: Thank you. Thank you all for introducing yourselves. So, before going to the details of the report and our presentation today, I would like to talk about some of the housekeeping stuff. You can join us with your comments and your insights and your suggestions on the chat or you can ask your questions using the Q&A button here. We will answer most of the questions, if time allows us to, at the end of the webinar. And during the webinar timeframe, again, you can use the chat part of Zoom to ask your questions and your comments.

So, we have recently done this report, the State of Digital Forensics and Incident Response, with IDC and it’s based on a survey done in five Middle East countries. And the IDC team has created the report to discuss the current DFIR space. So before going to the details of the report, I would like to ask Shilpi about the methodology of this report, because this has been a very extensive study. We talked with all of the executives in the field and we got their insights and we put them into a report. Shilpi, can you please give us some information about our partnership, why we have done this report, and what it says?

Shilpi: Sure, sure. Thanks Gamze. I would like to start by saying that this is a very important and interesting report because it was able to uncover a lot of important findings that are very hard to ascertain otherwise, and are often overlooked in the cybersecurity operation center. Our Turkey team security market lead, Shem, drove this initiative actually, and she did an excellent job in driving the survey, the findings and the report thereafter.

The State of Digital Forensics and Incident Response study was conducted in June 2023. Like Gamze mentioned, it was for five Middle East countries. The total number of respondents from the targeted countries stood at 111, and the research was conducted among corporate DFIR experts in the Middle East. So, be certain that the selection criteria were very stringent and whosoever participated in this study was at the helm of cybersecurity functions in their organizations.

Now, most respondents played a pivotal role in executing or overseeing the incident response and digital forensic tasks. So this is as close as it gets to bringing the actual SOC challenges to the table, out in the open for our discussion, and to understanding and ascertaining how long it takes and what the challenges are that SOC analysts or DFIR analysts within organizations face today. I think Gamze mentioned the primary objective of the report is to provide actionable insights and an analytical perspective for decision makers who are with us on this call today. And I’ll be happy to talk more about it as we go ahead. But for now, over to you, Gamze.

Gamze: Thanks Shilpi. We will go…jump into the details of the report, but before going there I would like to discuss the current state of cybersecurity other than DFIR. What is the situation right now and what’s the burden the companies are facing?

Shilpi: Sure. So when we did our annual security survey, which we do at IDC at the beginning of every year, we did it in January this year, at the beginning of the year: too many alerts. And “too many alerts”, I say quote unquote. It came up as the number one cybersecurity challenge in the Meta region. It surpassed the human skills gap perhaps after two years. And security automation, on the other hand, was the number one area of investment within the cybersecurity operation centers.

Now these might appear to be different facets of cybersecurity, but if you think about it, grappling with a very high number of alerts and automation are closely linked. And this is exactly one of the key areas which this report uncovered as well. So, I would like to say this is in absolute alignment with what we see overall in the region and also in the world.

Now to give you some context, I thought it would be better to bring it to life, so I created a sort of scenario, or a walkthrough, for you to understand why I emphasize that incident response is essential for any organization. Imagine that you’re a CSO of a leading firm and it’s midnight and you perhaps get a call from one of your SOC analysts. They start to tell you that there is a ransomware-like threat that was alerted by the SOC service provider in your internal SOC.

Now, pay attention to the word when I say “ransomware-like”, because the L1 analyst or the L2 analyst who is on duty was just alerted, and might not be very sure of what the threat actually is. Now the SOC provider wanted him to look at the endpoint or the network logs to understand the nature of the threat. Now he goes on to tell you that he tried to reach out to the firm’s security SME for forensics but couldn’t get through. The incident was triaged and analysis started, and in this case you even have a 24×7 team, because that is the person who alerted you.

Even then, for any advanced forensics to start at this point in time, you have to wait for your SME. So this is the case when you have a 24×7 team, right? If you don’t have 24×7 capacity, any incident assessment that has to start will probably start by tomorrow morning, and it might even need an advanced forensic service, and being able to identify the stage and severity of the threat will eat up more time. So what will be your next action? Let me take the scenario a bit further.

Before you think of some of the next possible actions, let us remind ourselves that attackers might still be working on the ransomware attack. As the time passes more files and data can get encrypted and more devices can get infected. This will seemingly mean more damage in terms of compromise and more effort and resources to restore. So, the clock is certainly ticking. Possibly by the next morning your security SME will investigate the incident and verify the threat and the stage of the attack.

After that, if you have available a thoroughly tested, verified incident response plan, you will put it into action over the next few days. Now I’m sure with all the scenario planning, you understand where I’m going. 46% of the respondents in this IDC study that we conducted stated that incidents took more than two days to resolve on average. This metric, known as the detection to resolution timeframe, is critical in determining the extent of damage that a security incident can cause you.

Another important metric is the dwell time. That describes how long the malicious actor has been in your system working to disrupt the network, steal confidential data or propagate the malware. An important IDC stat that I would like to put here is, and I’ll repeat it two times: in 2023 IDC conducted a ransomware survey. The time to 100GB of encrypted data by ransomware is as low as 6 minutes.

You got a call in the night, and the first possible action that you might take is the next morning, and perhaps then you spend 17 or 27 days, as per the uncovered stats from our report, doing the analysis. Once again, IDC’s 2023 ransomware survey predicted the time to 100 GB of encrypted data by ransomware is as low as 6 minutes. It’s not very difficult to decipher what could have sped up the incident response plan, but I think I have just set the stage and now I would like to invite either Steve or Jaana to add some more perspective here.

Steve: Thank you, Shilpi. Yeah, that’s very interesting. So to go right back to the beginning of where you started: alerts being the number one thing that’s overloading the SOC is definitely a problem that we’re trying to solve here at Binalyze through automation. So that’s very interesting to hear, that it aligns very well with our mission, with our product, as well. And much of what else you laid out there with that scenario is about speed. And one of the things that we’ll be talking about in the rest of this webinar is how we are seeing the need for speed specifically within the DFIR process and generally within the overall incident response time. The stat that we have on the slide here, which is interesting for me, is the 277 days, the total dwell time, which comes from IBM’s Cost of a Data Breach report from this year.

And it’s interesting in a couple of ways. The first way is that it’s huge! And that number is far too high and is creating a lot of risk in terms of financial risk, a lot of costs associated with those breaches. But the really interesting thing for me is that that number has actually been between 270 and 280 for the last 8 years. So what we’re not seeing is an improvement in that number, despite the investment of millions of dollars into cybersecurity solutions.

Why? In my opinion, it’s because the focus of that investment is not on a post-alert, post-breach scenario. It’s on blocking and monitoring solutions. It’s trying to stop it in the first place. And that’s valid. That investment is extremely valid. We’re certainly not arguing not to do that. But what we are saying is that the data there, the fact that it is flat between 270 and 280 for the last 8 years, indicates that once a breach or a malicious actor has got past those blocking and monitoring solutions, which will happen, absolutely is going to happen.

There is not much that is looking for it, and there is certainly not much investment in terms of driving that number down, and that does create financial, data and reputational risks that need to be addressed within the enterprise. And I think the second part of the slide is that this idea that this might be some rare occurrence is also not correct. So the Skybox report from a couple of years ago is a good example of the kind of scale that we’re looking at. So 83% of critical infrastructure organizations were suffering breaches in one 12 month period. We think that’s basically the number.

So the overall takeaway I think is that the idea of an impenetrable fortress is kind of past. That’s not a great strategy these days. There needs to be resilience, there needs to be investigation capability, and that ideally needs to be fast, it needs to be remote, it needs to be scalable so it can address the kind of scenarios that you were highlighting there around ransomware. So I think we’re aligned. I think we’re on the same page in terms of what the threat is. Jaana, do you want to add anything before we move on?

Jaana: Well, I think both of you mentioned most of the things to really set the stage, but we were all laughing that the 277 is just terrible, right? But it’s the average, which means that there are quite a significant number of data breaches out there which take 300 days, 400, 600, and of course the ones that we never detect and discover. So, even though the number has been between 277 and 280 for the last years, we can’t forget the tail end, the terrible higher numbers there. And we need, as an industry, as a community, we need to find…there’s a saying: if you keep doing the same thing, it’s not reasonable to expect a different result. So, we really need to start looking for different strategies to defeat the 277 number.

Steve: Yeah, I agree. Before we move on, I’d just like to make one other point which Shilpi kind of touched on, which is that while the report that we’ve put together with IDC is focused on the specific Middle East market, I know because I’ve seen the signups that the majority of people joining this webinar, the majority of people who’ve actually downloaded the report, are also from a global audience. And the feedback we’ve had is pretty universal that what we found in this region is actually exactly the same as what’s going on elsewhere. So this is a global problem and I think largely we’re all pretty much experiencing the same pain and the same problems regardless of the territory that we’re in. So I think that’s some important context. Let’s move on.

Shilpi: Absolutely agree there, Steve. Yeah, let’s move on. And let me just also add some of the challenges that are faced worldwide in DFIR operations: lack of wider correlation, definitely a constant global challenge that we see; unavailability of real time context; lack of automation; lack of forensic experts; data scattered across multiple security platforms; very often unavailability of subject matter experts; unavailability of verified, curated, tested response plans. And all of this just leads to whatever you are seeing on screen right now, the 26.1 and the 17.1 days. So yeah…

Steve: Definitely. Good. Okay, so let’s drill specifically into the findings of the report that we’re talking about today. So I think the two key takeaways are: 26.1 days is the average time to complete an investigation. So we’re drilling down from that 270, 280 dwell time number now into the specific part of it which relates to investigation and resolution, which was the focus of our report.

So 26.1 days is the average time to complete an investigation. (I know Jaana’s going to pick up on the word “average” again in a minute, so I’ll let her do that.) And 17.1 days is the average incident resolution time. So still we’re measuring these things in days and not in hours, and in actual fact, it’s weeks. So still massively contributing to the overall problem, just too slow: the investigation piece, the resolution piece. And I think the other thing I would say before I hand over to Jaana to talk about averages is that what we are seeing is the percentage of complex and sophisticated attacks across the whole gamut of malicious actors is definitely increasing.

So, on average these attacks are becoming more complex, they are becoming more sophisticated, and traditionally this is where we actually see the breach and most of the damage happening. So, this is becoming a bigger problem as we go forward and the concentration of the risk, of the cost is in those more complex and more sophisticated attacks and they are becoming a bigger part of the problem.

So, I think that’s also some useful context. Those more complex and more sophisticated attacks are also requiring, again what Shilpi touched on a moment ago, which is escalation sooner in the process. So getting out of the hands of an L1, L2 analyst and into the hands of an L3, L4 analyst much more frequently and much faster in the process. That causes problems, it creates a burden on a more rare resource.

So we are seeing, and we are getting that feedback a lot from our enterprise and also from our MSSP channel partners, that any tools, any solutions, any platforms that can help to prevent that rapid escalation by guiding the investigation process better will massively help, will actually compound the value that that brings by releasing those level 3, 4 analysts to focus on higher value tasks.

And with that, I will pass over to Jaana to talk about averages.

Jaana: Yeah, I do love my numbers! But when I look at the report myself as well, then the numbers keep getting worse, right? And it’s a battle that I’m not sure we as an industry can really tackle completely. And if we look at those averages, then again, it depends on what the incident is about. And I think the problem really points to one word: complexity. And the complexity is increasing by the day.

So you all know these things as well, but I guess the biggest shift in the last three years was remote working, hybrid working, right? And now when we look at, let’s say, the smaller number here, 17 days: when you no longer have the people in the same office, but you need to get the endpoint to your desk, then that’s two days wasted before you can really look through the evidence and really start looking at what’s going on.

So yet another hour or a day wasted there. Another thing is that for years we really, as an industry, were focused on investigating a single endpoint, a single asset, but especially in enterprises…when we speak with our customers, they kind of fall into three segments: there’s law enforcement, then there’s enterprise, and then there’s service providers, right? And by far the ones who have the most complex cases and complex environments are the enterprises, which again increases the complexity.

So you are no longer working only with Windows or Mac or Linux, you also have cloud assets, and the poor analyst needs to be proficient in all of those. So again, complexity increases with added platforms. And the other day somebody was discussing how do I do a forensic analysis on ChatGPT conversations? And that’s yet another thing that the analysts need to start doing.

So complexity is, I think, the key thing. And then the other side is what we have been automating and optimizing so far. So everybody has the notification, the vendor’s alert, the phone rings, but even with the quite ideal case that Shilpi described in the beginning, the lead time until somebody at a good enough, high enough level of proficiency looks at the evidence is still quite long.

So, I think one of the things that we should look at is that having a SOAR, having a SIEM, this is table stakes nowadays. It’s now time to look at how we can optimize and get more out of the people that we have, so that the highest level analysts only look at the things that they need to look at and the lower level analysts can do more and more by themselves, and more and more is done by different tools and platforms. Because again, with complexity, the amount of data that you need to go through is so high.

So adopting intelligent analysis tools that will point you in the right direction, like, “hey, start here, this is suspicious”. We’re not saying that this is the reason, but we usually don’t see that. So that’s again something that we try to do with Binalyze AIR as well, point you in the right direction, because as one of the slides I think said, in our industry every second counts and you need to optimize these things.

Steve: Okay, let’s summarize. I’m conscious of time, I want to leave as much time for questions at the end. So, let’s summarize this section as: everything takes too long! And that’s a problem. So let’s dig a little bit more into what the effects of that are by looking at today’s DFIR landscape.

So Jaana was touching on a few of these pain points right now. We’re not going to go through them one by one, that would take quite a while, but I’ll leave it on the screen for a few minutes just to let you, kind of, look at the individual ones. We’ll pick into some of them.

We’re going to drill specifically into the skill shortage, which actually came out as the highest problem that was identified in the IDC report. But there are a lot of others here which are contributing to it taking 26 days, 17 days to resolve. And I think also this is a good time just to maybe explain a little bit about what our mission is as Binalyze actually. So we have a product vision here at Binalyze and a mission to actually drive this down to, Jaana, what did we say? Four hours?

Jaana: Four hours. Less than a workday. So you come roll in after lunch and by the evening the case is closed.

Steve: Yeah. So our mission here is to build a platform which enables you guys to perform the DFIR investigation work in, let’s say, a metric of hours rather than days, weeks, or (god forbid) months. So that’s what we are here for. And yeah, we do that by basically eliminating or certainly improving a lot of these pain points that we’re seeing here, like the analysis of digital evidence that Jaana was just talking about.

So tools that look inside the evidence and guide the analyst to the most likely indicators of compromise can dramatically speed up that part of the investigation process. Collecting, protecting digital evidence, super important if you want to complete a case, especially if that case is likely to go beyond the SOC in terms of outcomes. So if you’re looking to go law enforcement, or you’re looking to go to court, you need to be protecting that digital evidence.

Presenting the digital evidence is a common challenge that came up in the report. So being able to understand the evidence but then also communicate what it means to the rest of the organization is a challenge and does take a lot of time currently with the existing processes. Lack of automation, we’ll go into automation a lot more later on in the session. Coordinating…and that I think is very much related to the interoperability with other tools. So integrating and coordinating currently, what is it, 11 to 15 tools on average, Jaana, we found? What was it?

Jaana: So 80% of SOC analysts use 11 plus tools daily for their security work.

Steve: Yeah, okay. So if you’re using 11 tools to get a job done, you can quickly see how it will end up taking 26 days, right? So there’s a lot of complexity there, just logistical complexity, that needs to be overcome in order to speed this process up. So, solutions that can bring all of that together onto a single pane of glass will transform the process from days to hours, and that’s going to have a material impact on the outcomes of the case.

Let’s drill into what I think was the most important one, which was 81%, so a very high number of respondents, identified skill shortage, lack of internal investigation expertise as the main challenge in managing incidents. Jaana, what was your takeaway from that number? What was your first reaction when you saw that number?

Jaana: I thought that yes, that’s the thing that we hear every day. So, today globally we’re in quite a difficult situation. In the tech sector there have been quite a few layoffs, the investments are shrinking. But if there is one sector where people are still investing and still hiring, it’s the cybersecurity area. But what we know from another research, from the cybersecurity workforce study, is that although there are 4.7 million cybersecurity specialists out there, and we added about 460,000 last year, we’re still missing another 3.4 million people to cover what we have going on right now.

So we’re not going…the talent gap will remain there, and hiring more, investing more in people is just not the viable solution. It will remain like that and we need to really focus on how to get more out of the people that you have. So everything that can be automated and optimized to reduce the stress of the experts needs to be done.

And yeah, I mentioned earlier that what I see is collecting evidence from a diverse collection of platforms, even though it requires analysts to use a multitude of tools, is kind of solved. You have something for everything. But what we see at Binalyze as the next frontier is optimizing the things that really aren’t automatable just yet. Although I’m sure many of you have tried ChatGPT for reports as well.

So one of the most surprising things for me to learn last year, when I had a lot of conversations with SOC analysts, was that actually figuring out what happened, having evidence, investigating the evidence is not the hard and time consuming part. The time consuming part, as with any other field, is the communication, putting together the report that explains at different levels what happened, what should we do next, how do we avoid these things? And it’s actually a very conveyor belt process right now. It’s like collecting evidence, moving on, going through the evidence, writing the report.

So you’re kind of doing the same thing three times over. And I believe what we need to do is, if you look at evidence once and you understand it, then you shouldn’t look at it again. So what we are, for example, focusing on right now is bringing all analysts into a single pane of glass so that they can collaborate on the evidence, and to avoid those situations where you look through something as an analyst and your colleague in another time zone looks over it again, right?

That’s a total waste. But we all know that this keeps happening, right? Because with many tools come silos and you don’t really know what has been gone through already. So that investigation experience is what we are focusing on now, and I think that’s where the biggest win to go from weeks to days will come in the coming years.

Steve: Shilpi, what does IDC see around the skill shortages? Is there a global message there you could give us?

Shilpi: Absolutely. I mean, as I said, for the last two years consecutively skills shortage was identified as the number one gap. If not an IDC opinion, I would give you my first-hand opinion. I’m always firefighting in my own job. I assume all the 50 participants that we have on the call today would agree with me. We as cyber…people in cybersecurity, we absolutely have our hands full all the time, whether we are in SOC, whether we are managing it, product, anywhere. It’s just an acute shortage of skills that the industry has.

And I often talk to CSOs: you can hire 1, you can hire 2, 3, maybe 4 SMEs, but there is never ending…this is a never ending journey. The most common problem, even if you can find talent and hire this talent, is that you bring in young people, you train them, they get trained, and then they just move out. So attrition is high, and burnout, that Jaana mentioned, is real.

It’s an absolutely real thing. In fact, this year in IDC’s FutureScape forecast for worldwide, we had one of the forecasts that 30% of people who work in cybersecurity will look to change their roles because of the absolute burnout that they’re facing right now. So if you have 4, 5, 6, 7 skilled resources, you cannot simply even think of wasting that talent in the false positive burnout or the repetitive manual job burnout that Jaana talked about. You simply cannot. Use them for more pressing tasks, use them for your most prioritized risk. So that’s the IDC point of view.

Steve: That’s gold, I think. Yeah, absolutely. Superb. Thank you. Thank you, Shilpi. Just before we move on, again (conscious of time), just highlighting a few other of the key challenges that came out of the report. So the demand of 24/7 working kind of relates back to that burnout and certainly the need to have a team constantly available. So that was 60% of respondents. So again, quite a high number. The difficulties of collecting evidence from remote assets, that’s absolutely central to what we do at Binalyze. So, the ability to collect full forensic visibility across a network from a central console is basically one of the core value propositions of our product. And threat hunting requirements: also an increase in terms of threat hunting requirements.

So we’ve spoken up until this point more about the alert response, breach response, so maybe reactive. But actually with modern DFIR solutions, what we’re also seeing is we can flip that into more proactive use cases as well. So we can start to do more threat hunting, because they are faster, because they’re remote, because they’re scalable solutions, it opens up a whole bunch of new use cases where you can start to use that DFIR capability, specifically obviously the forensic level visibility. So that’s interesting that that came out of the report as well.

Helping to collect evidence from diverse sources kind of relates to the collecting evidence from remote assets, I think. And difficulty managing resources from multiple locations is something that we see every single day. I’m sure many of you on the call are from multinational global organizations with a footprint across the world. We certainly have a customer base that kind of looks like that and that does create a lot of challenges in terms of how do you manage those assets when they become compromised or when you think they may have become compromised.

And so modern solutions that allow you to work remotely, that allow you, from a central point, to look across tens of thousands of assets, are bringing a lot of value into that. And that obviously goes to our migration into the cloud as well. So some really interesting outcomes from the report in terms of the pain that people are feeling, and it aligns again very closely with a modern DFIR solution. So I think we’ll see continued demand for those kinds of products.

Jaana: And just to delve into one thing that you mentioned as well: when we look at our customer base, at the teams that maybe are most mature and most sophisticated, the key strategy that we’ve seen them adopt over the last year, let’s say, to really bring that 277 down is proactive threat hunting. Because again, when you have the capability to collect evidence, targeted evidence, at scale and quickly, you can afford that, right? And then you can really get ahead of that 277. So, as I mentioned earlier, let’s try different strategies and maybe one year we’ll get a different result. And I think introducing threat hunting into your process is definitely something that is worth doing. We’re seeing results as well, as long as you have the capacity in your team to start doing that.

Steve: Yeah, I think actually this slide also reinforces all of that, Jaana. This one’s really interesting for me actually, the results that we got from the report here. “What’s the most frequent damaging type of incident in your organization?” Not surprisingly, malware, ransomware are the top in terms of frequency and also damage, and things like internal fraud came in lower down.

Still featured, but came in lower down. But then when we asked the second question, which was “what do you use DFIR for?”, it actually flips! So currently the market is using DFIR for the internal fraud. So data exfiltration, IP theft was the highest in terms of what they’re using DFIR for, and malware and ransomware, whilst not far behind, didn’t come in at the top. And I think that that is a symptom of the way that DFIR tools have been built basically in the past.

So legacy tools have been built more for time-insensitive use cases like internal fraud investigations, insider threat investigations, things that you will eventually want to take to court. That is where you’ve been using those…specifically the DF part of the DFIR.

So my expectation over time, and what we’re certainly seeing in the market, is that as faster, remote, scalable DFIR solutions like the one we’re building at Binalyze become more available, and the market becomes more aware of their capabilities, we will start to see that flip and we can do what Jaana’s talking about, which is start to threat hunt things like ransomware, malware, infections, and start to use the DFIR investigation platforms as part of live incident response use cases rather than the time-insensitive use cases. So, I think that’s a trend that we are certainly seeing within our business and I think we’ll probably see that play out in the wider market over time as well.

Ransomware, for example, is a really great example. It’s a great use case for a remote and scalable DFIR solution. So, you have many examples in the market. I’m thinking specifically of the Irish healthcare breach that we had a few years ago, that Conti ransomware attack that they had. There were, I think, 57 days between the breach and the delivery of the payload of the ransomware.

So this is a breach that didn’t raise an alert, that didn’t trigger any other security system, and was then residing in the network for 57 days before it delivered the payload. DFIR delivered at scale and at speed in proactive ways can threat hunt that kind of thing.

So for example, at Binalyze we have a feature called Compare, which is a differential analysis tool that would allow you to go at the forensic level and take snapshots from these critical assets that are sitting on the network and compare them to the week before, or the day before. And that’s a fantastic way of using DFIR, actually, to spot what’s changed, what’s been added, what’s been deleted, but critically what’s been missed by other security systems.

And then unlock a proactive cleanup of something like a ransomware attack before it delivers the payload. So I think that’s a really interesting way that I think DFIR can be used in more proactive ways going forward. Anything to add there, Jaana, Shilpi?

Jaana: I guess I was a bit surprised that business email compromise is so low in the top right now. I think as we go into…if we were to repeat this survey next year, then business email compromise is doing a hockey stick, in startup terms. It’s the go-to tool for any malicious actor nowadays. And the sad thing is that there’s not a lot of good tooling out there.

So it’s a new problem, not new-new, but it’s in our industry…for the industry it’s a relatively new problem. But again, we’re trying to attack it with the old way of thinking, right? So, I think it will be a bigger problem in a year and we’ll see less and less malware actually, as again, we have learned to block more and more of it, but it all starts with the email often.

Steve: So let’s repeat the report next year then, Shilpi! I think that’s a request from Jaana, right? I’m doing a terrible job of time management, so we need to move on. Let’s get into what we found in the report in terms of how enterprises are responding to these challenges, or responding to these issues within the business. And the top five were, first, recruiting more people. We’ll drill into these one by one in a moment. So, I’m just going to kind of set the scene. So recruiting more experienced, highly skilled and trained employees: 80%, so a very high number. Significantly higher than any other, actually.

So again reinforces what Shilpi was saying in terms of that being the number one issue in the industry. Growing the overall size of the team came in second, just, and I guess the alternative to growing the overall size of the team is outsourcing the DFIR activities to somebody else. So, we saw quite a strong response in that way as well. So that will have implications I think for the MSSP channel and the general consultancy channels. And again, that’s something we’re seeing at Binalyze, we’re seeing strong growth in those areas, and strong demand in those areas. So we’ll dig into that a little bit. And then the final two were integrating with other solutions.

So, how do we get more efficiency out of what we’re doing through integration and through automating more processes? So again, I think that’s really good, kind of, validation of what you would instinctively think the reaction would be to this kind of problem, but it’s good to see it in numbers, I think.

So looking specifically…we’ve touched on the recruitment side, so we’ll go relatively quickly through this one. We’ve touched on it already in terms of skill shortage. I think the key takeaway from my perspective is yes, this is obviously by far the biggest desire within the market, which is just to get more people at the problem. But as we’ve already identified, I’m not sure that in the short term that’s a realistic objective, because they’re just not bearing the numbers that they need to be.

So I kind of look at this problem in a slightly different way, which is how can we solve this problem through efficiency? How can we solve this problem through upskilling? How can we prevent the burnout by not exposing our teams to that burnout? Shilpi mentioned 30% looking to leave within a period of time; that’s super frightening, right?

So I think whilst this came out as the top priority, the actual solution might be to look at it in a slightly different way in terms of how we can achieve the same thing by building in efficiency. So if you can build 50% efficiency into a process that’s effectively the equivalent of doubling the number of people you have. So, that’s something that we’ve seen with some of our partners already, those kinds of numbers in terms of efficiency gains. So that’s another way of solving this problem, I believe. I’m talking too much. Shilpi, anything?

Shilpi: I think a quick point there, Steve. Honestly, I saw the last slides. I think the first two should have been lower and the bottom three should have been higher. Honestly, I know if you say it out here, it might seem odd, but from the perspective of an analyst I believe: why do organizations today think that an MSSP or an MDR provider or an MDFIR provider is an external entity, and that if they hire two new people they will be able to do a better job?

So investment in two new people who might just leave after two years, or just not be up to the mark, is okay, but investing in a DFIR solution is not okay. Why is that so? Because the amount of in-depth experience, the vast scale at which the organizations or third parties work, simply cannot be bought from the market in two people. So…or three people, or four people, even a person with three decades of experience, because the scale at which the third parties work is phenomenal.

They work across industries, they have playbooks, they have automation, they have R&D departments. So, I mean, I just wanted to make that point. It should be a top criterion for all organizations to look out for third parties and treat them as an extended team and not as an outsider.

Steve: Yeah, I would agree. I would agree. And actually, anecdotally, we have a partner (I’m not going to mention the name), a large global consultancy business, that is a really interesting case study which, kind of, lends itself to what you are saying there. There were two reasons why they chose to work with Binalyze. The first was that they have an incident response team, a global incident response team, which is a relatively small number of people, very highly experienced, very expensive, and they’re the guys who rock up to major events and do the investigation work.

But underneath that, they also have a network of cyber defense centers with 5,000 analysts in them. And so the first reason they wanted Binalyze was that we enabled those 25, 30 incident responders, but the main reason was they saw in our platform the ability to democratize DFIR and upskill those 5,000 analysts, and that’s a priority for them at the moment.

So that, I think, is a really interesting signal in terms of where the market’s going and how these MDRs and consultancies are thinking in terms of the DFIR part of the process. They definitely get it. They’re definitely all looking for the ability to democratize this skill and to build that into their services. So I agree with you, I think that outsourcing may go higher in the future, and definitely integration and automation should…more focus should be put into those areas as well. Because the people you want to hire, they’re not there! So we’ve got to do something else.

Jaana: They’re absolutely not there. And when you look at…I think this report also said that 3% of incidents actually never get resolved at all. And why is that true? And I believe one of the key reasons behind this is that these are the rare cases where the bad actor isn’t using the top three: malware, ransomware and phishing. They’re doing something else, something clever. And the service providers out there, they have training programs, they have their threat intelligence teams, they do this every single day.

So for enterprises out there, I would urge you to really decide which types of incidents you want to handle yourself and keep that proficiency up, and just decide that for all this other part we are open and willing to outsource, because, again, as Shilpi said as well, it’s not only about the single analyst, you also need to constantly train them. Then they burn out, then you need to give them more exciting jobs, you need to…it’s not just about one analyst at a point in time, it’s a longer journey. And as this chart says as well, companies are looking to outsource more and more, and I absolutely believe that that’s a reasonable thing, because you can’t handle all of these internally. It’s just impossible.

Steve: Okay, I want to be respectful of everyone’s time. We have seven minutes left, so we need to hit the nitro button and go super fast. This slide: the key takeaway, first of all, that’s not on the slide, was that 77% of organizations are currently outsourcing some of their DFIR capabilities. So it’s already certainly a popular route, but critically, also within that cohort that were not outsourcing currently, 60% of them are planning to do so within the next 12 months. So we expect to see a development, a growth, a maturity in the MSSP space, and therefore obviously a demand for mature DFIR capability within those companies as well. So I think that’s the key takeaway in terms of outsourcing.

From the integration side, again, relatively strong: 54% of respondents (as Shilpi says, that number should probably be higher, but we’ll find out next year) are looking to integrate existing solutions. That is something we’ve paid great attention to at Binalyze; it’s actually one of the first things we did when we started the company. Once we had cracked the ability to collect the digital evidence, we built in a webhooks feature that allowed that to then be triggered off other systems like SIEM, SOAR, EDR.

So that’s something that we really prioritized early on in our journey. And we continue to do that. So we’ve built that functionality out significantly. We’ve also built an API; we have a number of MDR customers who are deeply integrating our DFIR capability into their own MDR, XDR platforms as well, and I expect us to see more and more of that going forward.

50% of respondents indicate collecting evidence from on-prem, cloud and hybrid environments poses a significant challenge. It absolutely does. It’s going to get worse as we move more into the cloud. Jaana, do you want to speak briefly on our cloud…?

Jaana: The cloud will be the next frontier. And again, today…our customers say that it can take 2 to 3 or even 4 days to collect the required cloud evidence, and that’s insane if actually 40% of cases close within 4 days, or in less than 2 days. So definitely a huge win…a huge place to optimize. So we’re looking at all the cloud logs, AWS, Azure and, more importantly, SaaS applications, because everything is in the cloud, right? Gmail, MS365, Dropbox and so on.

Steve: Yeah, and that will also bring in that business email compromise…

Jaana: Exactly, because again, who has email servers anymore? It’s all on the cloud.

Steve: I’m going to move on to the last section actually, which is around automation, and I think we’ll have maybe a minute for questions! Let’s see. So automation came in at 50%, which, I agree with Shilpi, actually feels a little low. So, aspirationally, we’d certainly like that to be higher. However, there is still…at least half of the market are looking to automate more processes. I think that’s sensible.

As I mentioned already, that’s a key part of what we’ve done really from the beginning at Binalyze, because it does become such an efficiency boost if we can get the human out of the way of these laborious repeat tasks. Shilpi mentioned before that alerts were top of the list, in terms of alert fatigue and alert overload being a massive problem.

Well, if you can automate the response to those alerts and trigger an investigation and capture evidence and do some compromise assessment work on top of that evidence, and you can do that in an automated way, then you can help to solve some of those issues around alert fatigue and false positive identification. This is where a modern DFIR platform can definitely help resolve some of those issues and build in efficiency, build in scalability, make processes much more consistent at the outset of an investigation, make you 24/7 available. That was again one of the highlights in terms of the challenges: the 24/7 working environment.

So automation can help you meet that challenge. Handling of routine tasks I’ve already mentioned, and standardizing the process that we use for consistency. Within an MSSP context, a consistent customer experience; within an enterprise context, making sure that we’re always doing the right thing and we’re following those incident response plans. It’s very important. Shilpi, would you like to…?

Shilpi: No, I think you’ve covered it all. And automation is the key. The most promising buzzword right now is AI automation, and it’s definitely something that you cannot simply ignore at this point in time, because no amount of people, no amount of security investments or technologies can match the scale of the alerts that we have. We definitely need automation because manual processes simply do not scale.

Steve: I agree, I agree.

Jaana: I would have a hot take that actually the number is so low because the teams have been automating for years now and they’re running out of ideas about what else could be automated. Because the low-hanging fruits are done, we have picked them, and now the ones that are left are complex processes that are driven by humans, and that’s the next stage to…

Steve: Yeah, makes sense. Alright, we’re at the last one. We’ve got one minute left. So key takeaways: it’s taking too long. Resolution and investigation time: 26 days, 17 days on the resolution. So that’s a problem within a wider context of 270, 280 days to actually resolve a breach. So that is creating a lot of challenges within the business. It’s also unavoidable. You will get breached.

So that impenetrable fortress is really not a sensible strategy going forward. Lots of challenges within the investigation process at the moment are being driven by too many tools, being driven by diverse systems, by remote working. Those kinds of things are creating a lot of challenges in the investigation process.

We already see, and we expect to continue to see, a trend towards increased demand for DFIR capability. So, investigation capability proactively, but also post-alert, post-breach. We are certainly seeing that at Binalyze and I think IDC is also seeing that within the broader market.

The need for integration and automation, we’ve kind of hammered that home in the last couple of slides. I hope you got it! It needs to be a priority, it’s a great force multiplier and it’s a great way to build efficiency into the process that could resolve some of the skills gap, and the need for skilled personnel. Yes, if you can find them, but you also have people in your business right now who could be upskilled if you give them the right tools and you democratize that capability that has traditionally lived within very niche, experienced teams within the business, and release the rest of them to be able to do DFIR work using modern DFIR platforms. I think they’re the key takeaways.

I’m going to skip over this slide because I’d rather hear the questions. Thank you for your time. If you’ve stuck around this far, that’s awesome. Gamze, do we have some questions?

Gamze: Yes, we do have a question around…they would like to understand the comparison between the Middle East and the US, Central Europe and the rest of the world in terms of investigation and resolution times. I think this question is for you, Shilpi. So, they want to understand if there’s a change.

Shilpi: Not at the top of my mind, but the numbers look pretty similar. Honestly, 56 days, 57 days, 55 days. This is in total like the 17 plus 27. It’s something that comes up in our surveys very often. Even in the worldwide survey that we conducted mid this year, I think it was close to 52 days. So, it is a norm nowadays. That’s the timeline that people face today.

Steve: Which makes sense, right? Logically that kind of makes sense. I mean, there isn’t a regionality to the attack as far as I’m aware, so the response to it should be the same. So, to me that makes a lot of sense and yeah…weirdly comforting!

Gamze: Thank you Shilpi, Jaana, Steve. We are two minutes over time, and thank you everyone who stayed up until this time and joined our webinar. This webinar will be available; the recording will be available, so we are going to send it and we are going to send the presentation deck as well. I dropped the report link in the chat; if you want to read the whole report you can download it from there. And we will be answering some of the questions we missed in the follow-up email that I will send. Again, thank you very much for joining us today and thank you Shilpi, Jaana, and Steve for your time.

Steve: Thank you everyone. Thank you. I appreciate your time. Great to talk.

Jaana: Bye.
