Gartner Blog Network


Highlights From Verizon Data Breach Report 2015

by Anton Chuvakin  |  May 18, 2015  |  2 Comments

With RSA 2015 and some writing deadlines (while analysts generally enjoy stress-free living, we do have deadlines too!), I almost forgot to study Verizon’s jam-packed-with-juicy-awesomeness DBIR 2015.

Here are my traditional highlights and favorites from Verizon 2015 Data Breach Investigations Report [PDF].

  • Reported insider abuse features in 20.6% [see Fig 24] of all reported security incidents and 10.6% [see Fig 25] of confirmed data breaches (so, not surprising: insider threat still doesn’t matter much to most – and based on this data, it really should not [of course, there are situations where it matters A LOT. Hi Snowden!])
  • RAM scraping has grown a lot [hi PCI DSS!]: “RAM scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail data breaches of the year” [in plain English: encrypt all traffic, including on the LAN? Encrypt all stored card data? Well, duh, you are still screwed! :-(]
  • “Even worse, the two lines [time to compromise and time to discover the compromise] are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.” <- self-explanatory reminder of the 1980s security mantra “prevention / detection / response”
  • Fun threat intel (TI) fact: many threat intel feeds do and do not overlap (!). Huh? Research by Niddel [now included in DBIR; hi Alex!] revealed that so-called inbound TI feeds (scanning, spam, etc.) overlap a lot, while outbound feeds (exfil, malware C&C) do not (see page 8 for details). Thus “if threat intelligence indicators were really able to help an enterprise defense strategy, one would need to have access to all of the [TI] feeds from all of the providers to be able to get the “best” possible coverage.” (so, get a TIP?)
  • I liked their new data-driven pre/post-breach coverage, new this year. For example, this data-driven tip on patching: “We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published” and “Figure 13 demonstrates the need for all those stinking patches on all your stinking systems.”
  • My SHOCK OF THE YEAR: “Consistent with some other recent vendor reports, we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.” <- I knew custom / unique malware is not uncommon, but I didn’t know that the numbers are that high [bye AV!]
  • Another fun bit: a stolen record costs roughly … not $188, not $201, but $0.58, if averaged over all breaches, including hyper-mega-breaches! Well, a better model (see the report for details) seems to peg the cost in the $52-$87 range per record, depending of course on breach size, because of fixed costs not tied to the record count.
  • Mobile malware really doesn’t matter: “An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network—were infected with “higher-grade” malicious code.” [again, as with insiders, there are cases where it matters A LOT – hi Inception!]
  • Credential abuse still reigns supreme [hi 1980s!]: “Pulling back from a single industry view, we find that most of the attacks make use of stolen credentials, which is a story we’ve been telling since 1 A.D. Over 95% of these incidents involve harvesting creds from customer devices, then logging into web applications with them.”
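The TI bullet above argues that low overlap between outbound feeds means you need all of them for coverage. The following is an added example (not from the post or the report) that measures that directly on constructed feeds: pairwise Jaccard overlap and how many new indicators each extra feed contributes. Provider names and indicators are invented and use documentation-range addresses only.

```python
from itertools import combinations

# Constructed sample data, not real indicators. Inbound (scanner) feeds are
# built to overlap heavily; outbound (C2) feeds are built to barely overlap,
# mirroring the DBIR 2015 finding described above.
INBOUND_FEEDS = {
    "scanner_a": {"192.0.2.100", "192.0.2.101", "192.0.2.102", "192.0.2.103"},
    "scanner_b": {"192.0.2.100", "192.0.2.101", "192.0.2.102", "198.51.100.50"},
    "scanner_c": {"192.0.2.100", "192.0.2.101", "192.0.2.102", "192.0.2.103"},
}
OUTBOUND_FEEDS = {
    "provider_a": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5"},
    "provider_b": {"192.0.2.12", "203.0.113.7", "203.0.113.8", "203.0.113.9"},
    "provider_c": {"198.51.100.20", "198.51.100.21", "192.0.2.10"},
    "provider_d": {"203.0.113.40", "203.0.113.41", "198.51.100.5", "203.0.113.42"},
}

def jaccard(a, b):
    """Share of indicators common to both feeds (0 = disjoint, 1 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def pairwise_overlap(feeds):
    """Jaccard overlap for every pair of feeds, keyed by (name, name)."""
    return {(x, y): jaccard(feeds[x], feeds[y])
            for x, y in combinations(sorted(feeds), 2)}

def mean_overlap(feeds):
    """Average pairwise overlap: high means the feeds are largely redundant."""
    scores = pairwise_overlap(feeds).values()
    return sum(scores) / len(scores)

def coverage_curve(feeds):
    """Add feeds one at a time (alphabetically) and record, per feed, how many
    indicators were new and the running total of unique indicators."""
    seen, curve = set(), []
    for name in sorted(feeds):
        new = feeds[name] - seen
        seen |= feeds[name]
        curve.append((name, len(new), len(seen)))
    return curve

def coverage_fraction(feeds, chosen):
    """Fraction of the union of all feeds that a chosen subset covers."""
    everything = set().union(*feeds.values())
    covered = set().union(*(feeds[n] for n in chosen))
    return len(covered) / len(everything)

if __name__ == "__main__":
    print("inbound mean overlap:", round(mean_overlap(INBOUND_FEEDS), 2))
    print("outbound mean overlap:", round(mean_overlap(OUTBOUND_FEEDS), 2))
    for name, new, total in coverage_curve(OUTBOUND_FEEDS):
        print(f"{name}: +{new} new indicators, {total} unique so far")
```

With low-overlap feeds, every provider dropped from the subscription list removes indicators no other feed supplies, which is the case for aggregating them in a TIP.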

In any case, go read the report!

Category: security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Highlights From Verizon Data Breach Report 2015


  1. Ash Kumar says:

    Great synopsis!

    The two points that stick out are the myth of the Threat Intel and the uniqueness of malware.

    One other key takeaway was the lifespan of a malicious host being on an average under 17 minutes.

    Threat Intel: It is time to separate the wheat from the chaff. Intel sources such as those from Cyveillance reflect long-term company or individual reputation damage and are of definite value. The ‘bad’ IP lists, as you observed, are of little value. In addition, given that the effective life span of a malicious host is 17 minutes, your reaction time is shrunk to a point where it provides limited value. Any subscriber to lists such as those hosted by AlienVault, WildFire etc. would have observed this. A large percentage of samples uploaded to the analysis sites have never been observed before, so you are patient zero most of the time. In addition, the proliferation of sandbox evasion has rendered these cloud-based analyses crippled.

    Malware: It is time to ditch Plan B (traditional signature-based AV) and resort to Plan A. Sandboxed execution vis-a-vis Invincea etc. probably still provides value but is likely to provide diminishing returns. Techniques such as those proposed by Cisco AMP and PaloAlto TRAPS show promise by injecting code to block known malware techniques and prevent execution of malware. However, in my experience these perform better on marketing slides than in a POC so far.

    Cheers,

    Ash

  2. Michelle Genser says:

    Hi Anton,

    Great breakdown. This report and the Global Security Report from Trustwave are always great reads, but oftentimes there isn’t enough time in a day to get through the entire thing. I appreciate the breakdown of the most critical points, as well as your humor. Great takeaway for me and others.

    Thanks,
    Michelle


