Here is my collection of favorites and highlights from the Verizon 2013 Data Breach Investigations Report [PDF]
- “If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go” <- a REALLY key point!
- “State-affiliated actors tied to China are the biggest mover in 2012. Their efforts to steal IP comprise about one-fifth of all breaches in this dataset.” <- 1/5 is HUGE!!! I expected a lot, but not that much, to be honest.
- “Collect, analyze, and share tactical threat intelligence, especially Indicators of Compromise (IOCs), that can greatly aid defense and detection.” <- a great recommendation indeed!
- “In a streak that remains unbroken, direct installation of malware by an attacker who has gained access to a system is again the most common vector.” <- however, this does NOT mean that “threat = malware”!
- “State-affiliated actors often use the same formula and pieces of multifunctional malware during their campaigns, and this is reflected in the statistics throughout this report.” <- this means that even when specific signatures fail, detecting higher level patterns of activity will work well!
- “more than 95% of all attacks of this genre [= espionage] employed phishing as a means of establishing a foothold in their intended victims’ systems.” <- sure, why change if this works well for them?
- “With respect to mobile devices, obviously mobile malware is a legitimate concern. Nevertheless, data breaches involving mobile devices in the breach event chain are still uncommon.” <- keep this in mind before freaking out over “MOBILE THREATS!!!”
- “Some interpret attack difficulty as synonymous with the skill of the attacker, and while there’s some truth to that, it almost certainly reveals much more about the skill and readiness of the defender.” <- NO COMMENT
- “Approximately 70% of breaches were discovered by external parties who then notified the victim. This is admittedly better than the 92% observed in our last report” <- I am pretty sure that a token optimist on the team inserted this statement in the report …
- “Matching this [collected from various sources] IOC library with victim-side evidence kick starts an investigation and allows for much quicker and more effective progress.” <- please print this and post in your cube
- “As history has shown, focusing on finding specific vulnerabilities and blocking specific exploits is a losing battle.” <- planning to buy a new/better scanner? Are you sure? CAN you patch as fast as the scanner can scan? NO!
Finally, at the risk of quoting too much – my favorite table from the report is shown on the right.
As for the last piece (table), I think you highlighted the Log Review % to signify it is so low.
I think it goes to show how challenged the security profession is in discovering incidents with SIEM or similar solutions. I wrote about the “detection problem” almost two years ago. http://rnc2.com/regulatory-compliance/hipaahhitech/you-dont-know-what-you-dont-know-do-we-have-a-detection-problem-with-the-healthcare-data-breach-numbers/
It doesn’t look like we are getting better at discovering incidents when the data may be in plain sight… in the logs.
Thanks for the comment. Indeed, few orgs take advantage of that – but there is a long list of reasons why…
I enjoyed the read and appreciate your perspective given your expertise. I take issue with your lesson from the snippet you quoted: “As history has shown, focusing on finding specific vulnerabilities and blocking specific exploits is a losing battle.”
You say “planning to buy a new/better scanner? Are you sure? CAN you patch as fast as the scanner can scan? NO!”
Am I to read into that that we shouldn’t be scanning and reducing vulnerabilities? Elsewhere in the report the recommendation is clear: “Without deemphasizing prevention, focus on better and faster detection … ”
Advocating for more detective controls shouldn’t be done at the expense of the preventative controls.
Doug, thanks for your insightful comment. Indeed, this is a subject of a debate – not a certainty. It is a very useful discussion to have in the industry.
>Advocating for more detective controls shouldn’t be done at the
>expense of the preventative controls.
Ok, as a vaguely positive pronouncement, that is fine, of course.
However, every control gets implemented “at the expense of” some other control since $$$ are limited.
Will I *IN SOME CASES* today recommend implementing an effective detective/investigative control in favor of [possibly] ineffective preventative control? – You bet I will.