We started a CIRT in 2002, but the first SIEMs were a nightmare. Endpoint agents have changed our visibility incredibly, but on the whole, corporations are still trying to keep up. It seems like every year there is an article about “Hey, you still might want to do some IR.”
I recall FireEye first hitting us up back in 2006? Maybe ’07, and them trying to demo their MAS and me saying, “Bullshit. You don’t do that.”
But they sure did.
In the old days we would have to rely on tedious processes for memory analysis, but I think the technology and skill sets are evolving enough that we can make better evaluations on less information and not have to rely on deep rabbit-hole investigations if not necessary.
The training has skyrocketed in the past few years, and so has access to information and resources. There are more people to follow on social media and more spreading of information. Here, for example, I think I’ve learned the most in the last few years.
But staying sharp is still, and always will be, an issue. You won’t see or come close to all threats. I myself have never been impacted by ransomware, but you had better know how to get up to speed for it. Many people look at those IRs as the person to tell them and understand everything about what is being breached. We can’t. You’re not an AD admin, but you’re going to learn about AD, ticketing, service accounts and lord knows whatever other nightmares your own SAs are “hiding” from you.
I’d say that the one-man-many-hats model doesn’t fly anymore. Run from anything that isn’t departmentally organized well.