When we take a look at the last ten years, what's changed in attacker methodology, and how has it changed our response? Some old-school methods continue to find success - attackers continue to opportunistically exploit old vulnerabilities and use weak/stolen credentials to move around the network. However, the work of the good guys, reliably detecting and responding to threats, has shifted to accommodate an attack surface that now includes mobile devices, cloud services, and a global workforce that expects access to critical information anywhere, anytime.

Today, failure across incident detection to remediation not only results in risk for your critical data, but can result in an attacker overstaying their welcome. We discussed this topic with our incident response teams, who have responded to hundreds of breaches, to develop a new whitepaper that shares how Incident Response has changed and how they prioritize strategic initiatives today. This comes with a framework we use with customers today to measure and improve security programs. Download your copy of A Decade of Incident Response: IDR Evolution & Evaluation here.

Incident Detection & Response, Then and Now

Since 2006, every step in breach response has continued to evolve – this infographic highlights key differences. For example, breach readiness was an afterthought to availability and optimizing the speed of business processes. Previously, there was little chance of falling victim to a sophisticated targeted attack leveraging a combination of vulnerabilities, compromised credentials, and malware.

But today, IT teams are expected to prepare thoroughly in the event of a breach, implementing network defense in depth and organizing and restricting data along least privilege principles. If we look back a decade, it was much easier to retrace how and where an incident occurred and respond accordingly. Today's IR pros must combine expertise in a growing list of areas from forensics to incident management and ensure breach response covers everything from technical analysis to getting the business back up and running.

On the other hand, at containment and recovery has continued to improve over the past decade. Thanks to well-rehearsed programs, combined with system image and data restoration processes, IT can return a user's machine in just a day. Security teams can contain threats remotely and use technology to provide scrutiny over previously compromised users/assets.

Incident Response Maturity

You can find out more on all of this in the infographic and the new Rapid7 whitepaper: A Decade of Incident Response. Too many security professionals are concerned with how their programs compare to those of their peers. This is the wrong approach. As you evolve your security program, worry only about one thing: how your program measures up against your attackers.

In the paper, you're asked seven questions to determine the maturity of your Incident Detection and Response program. We've based this framework on decades of Rapid7 industry experience and we think it'll provide a great place to start evaluating where you need to make changes. Want to learn more about Rapid7's technology and services for incident detection and response? Check out InsightIDR, which combines the best capabilities of UBA, SIEM, and EDR to relentlessly detect attacks across your network.

Eric Sun