With RSA 2015 and some writing deadlines (while analysts generally enjoy stress-free living, we do have deadlines too!), I almost forgot to study Verizon's jam-packed-with-juicy-awesomeness DBIR 2015.
Here are my traditional highlights and favorites from Verizon 2015 Data Breach Investigations Report [PDF].
- Reported insider abuse features in 20.6% [see Fig 24] of all reported security incidents and 10.6% [see Fig 25] of confirmed data breaches (so, not surprising: insider threat still doesn't matter much to most – and based on this data, it really should not [of course, there are situations where it matters A LOT. Hi Snowden!])
- RAM scraping has grown a lot [hi PCI DSS!]: "RAM scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail data breaches of the year" [in plain English: encrypt all traffic, including on the LAN? Encrypt all stored card data? Well, duh, you are still screwed, because the data is in the clear in memory at the point of processing! :-(]
- “Even worse, the two lines [time to compromise and time to discover the compromise] are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.” <- self-explanatory reminder of the 1980s security mantra “prevention / detection / response”
- Fun threat intel (TI) fact: many threat intel feeds do and do not overlap (!). Huh? Research by Niddel [now included in DBIR – hi Alex!] revealed that so-called inbound TI feeds (scanning, spam, etc.) overlap a lot, while outbound feeds (exfil, malware C&C) do not (see page 8 for details). Thus "if threat intelligence indicators were really able to help an enterprise defense strategy, one would need to have access to all of the [TI] feeds from all of the providers to be able to get the "best" possible coverage." (so, get a TIP?)
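To make the overlap point concrete, here is an added example (my own illustration, not code or data from the DBIR or from Niddel's analysis) that measures pairwise feed overlap with Jaccard similarity and then shows how much unique coverage each additional feed buys. The feed contents are constructed: the inbound feeds are built to overlap heavily and the outbound ones barely at all, and the addresses come from the RFC 5737 documentation ranges, so none of them are real indicators.

```python
"""Overlap and coverage of threat-intel indicator feeds.

Added example, not from the DBIR or Niddel. All feed contents below are
constructed sample data (RFC 5737 documentation addresses, not real IoCs).
"""
from itertools import combinations

# Constructed "inbound" feeds (scanners, spam sources): deliberately heavy overlap.
INBOUND_FEEDS = {
    "scanners-a": {"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"},
    "scanners-b": {"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.9"},
    "spam-c":     {"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.8", "192.0.2.9"},
}

# Constructed "outbound" feeds (C&C / exfil destinations): deliberately little overlap.
OUTBOUND_FEEDS = {
    "c2-a": {"198.51.100.1", "198.51.100.2", "198.51.100.3"},
    "c2-b": {"198.51.100.4", "198.51.100.5", "198.51.100.6"},
    "c2-c": {"198.51.100.3", "198.51.100.7", "198.51.100.8"},
}


def jaccard(a, b):
    """Jaccard similarity |A & B| / |A | B|; defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(feeds):
    """Map every (feed1, feed2) pair (names sorted) to its Jaccard similarity."""
    return {(x, y): jaccard(feeds[x], feeds[y])
            for x, y in combinations(sorted(feeds), 2)}


def mean_overlap(feeds):
    """Average pairwise Jaccard across all feed pairs; 0.0 if fewer than two feeds."""
    scores = pairwise_overlap(feeds)
    return sum(scores.values()) / len(scores) if scores else 0.0


def coverage_curve(feeds):
    """Greedily add the feed that contributes the most not-yet-seen indicators.

    Returns [(feed_name, cumulative_unique_indicators), ...]. Ties are broken
    by feed name so the result is deterministic.
    """
    remaining = dict(feeds)
    seen = set()
    curve = []
    while remaining:
        best = min(remaining, key=lambda n: (-len(remaining[n] - seen), n))
        seen |= remaining.pop(best)
        curve.append((best, len(seen)))
    return curve


if __name__ == "__main__":
    for label, feeds in (("inbound", INBOUND_FEEDS), ("outbound", OUTBOUND_FEEDS)):
        print(f"{label}: mean pairwise overlap = {mean_overlap(feeds):.2f}")
        for name, total in coverage_curve(feeds):
            print(f"  + {name:<11} -> {total} unique indicators so far")
```

Run as a script it prints a high mean overlap for the inbound feeds (about 0.59 on this sample) against a near-zero one for the outbound feeds (about 0.07), and the coverage curve shows the practical consequence: the second and third inbound feeds add little that the first did not already contain, whereas every outbound feed adds mostly new indicators, which is exactly why outbound coverage is the part you cannot get from a single provider.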
- I liked their new data-driven pre/post-breach coverage, new this year. For example, this data-driven tip on patching: “We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published” and “Figure 13 demonstrates the need for all those stinking patches on all your stinking systems.”
- My SHOCK OF THE YEAR: “Consistent with some other recent vendor reports, we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.” <- I knew custom / unique malware is not uncommon, but I didn’t know that the numbers are that high [bye AV!]
- Another fun bit: a stolen record costs roughly ... not $188, not $201, but $0.58, if averaged over all breaches, including hyper-mega-breaches! Well, a better model (see the report for details) seems to peg the cost in the $52-$87 range per record, depending of course on breach size, since the fixed costs of a breach are not tied to the record count.
- Mobile malware really doesn’t matter: “An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network— were infected with “higher-grade” malicious code.” [again, as with insiders, there are cases where it matters A LOT – hi Inception!]
- Credential abuse still reigns supreme [hi 1980s!]: "Pulling back from a single industry view, we find that most of the attacks make use of stolen credentials, which is a story we've been telling since 1 A.D. Over 95% of these incidents involve harvesting creds from customer devices, then logging into web applications with them."
In any case, go read the report!