Feedback Friday: Industry Commentary on Verizon 2015 DBIR

Verizon has released its 2015 Data Breach Investigations Report (DBIR). This year’s report is based on the analysis of more than 2,100 confirmed data breaches, and roughly 80,000 reported security incidents.

This year's DBIR covers a wide range of topics, including breach trends, phishing, vulnerabilities, malware, cybercrime, and insider threats. For the first time, the report also provides an overview of Internet of Things (IoT) technologies, mobile security, and the cost of data breaches.

Industry reactions to Verizon DBIR 2015

The report highlights the fact that while cyberattacks have become increasingly sophisticated, many of them (70 percent) still rely on a combination of two very old techniques, namely phishing and hacking.

Another important take from the report is that while organizations should not ignore the risks associated with mobile devices and IoT, there are other areas that should be treated as a priority when it comes to protecting data.

With the release of the 2015 DBIR, Verizon has introduced a new model for estimating the cost of a data breach. The model, which the company describes as “groundbreaking,” estimates that the cost of a breach involving 10 million records is between $2.1 million and $5.2 million, but it could be as high as $73.9 million.

Experts contacted by SecurityWeek have commented on various topics in the report, including the accuracy of this cost model, the importance of threat intelligence, defenses, and the time it takes organizations to detect breaches.

And the feedback begins…

Wade Baker, Vice President of Strategy and Risk Analytics at ThreatConnect:

"Verizon’s 2015 DBIR has evolved dramatically since its inception back in 2008 when I created it. Having led the team that produces it since then (including the new 2015 edition), I am very proud of what it brings to the industry each and every year. In thinking of what was the next 'big thing', I realized that wider, real-time use of the type of threat information Verizon cross-references for its annual report is ultimately the key to combating adversaries with true threat intelligence. Organizations need more than just one-off intelligence 'feeds' to get the job done.

One of the most important takeaways from the report is the need to close the gap between sharing speed and attack speed. Three-quarters of attacks with common indicators of compromise (IOCs) spread from the first victim to the second victim within a day. That’s huge. With IOCs come a relatively short shelf life, often lasting only hours between their first and last observation. This emphasizes the need as a community to collect, analyze and disseminate intelligence quickly in order to create a kind of 'herd immunity' where we’re all safer together.

When looking at the detection deficit, it’s clear that attackers are still moving at a more rapid speed than many are able to defend. While the deficit was lower than before, attackers are still in the lead which begs the question – how do we close the gap? It’s intelligence. It’s working together as a community to provide insights, analyze the data and use a collective platform that provides real, digestible and actionable intel which enables companies to defend themselves with agility."

David Amsler, President and Chief Information Officer of Foreground Security:

“This report reinforces a clear and dramatic shift from insiders being the largest threat to the largest threat being from outsiders—mostly motivated groups using everything from advanced techniques to standard and most successful spear phishing attacks.

I think the model for projecting the cost of a breach is completely flawed and entirely too simplistic. The "type" of record and the criticality of that "record" makes their model entirely inaccurate. For instance, there is a significant difference between PHI records than standard PII records. Then you get into corporate documents that range from classified all the way to informational.”

James Bindseil, President and CEO of Globalscape:

“The annual Verizon Data Breach Investigations Report (DBIR) highlights a serious risk that is often overlooked at a time when software-as-a-service and frictionless collaboration are all the rage. The amount of information being saved and shared in the cloud with file sharing and collaboration apps is skyrocketing, but companies need to consider the risks inherent to putting users in near full control of what data they share in the cloud and outside the view of IT security.

The report highlights the risks of cloud-based collaboration, which is especially prevalent in distributed and virtual work environments where telecommuters, partners and contractors may require expedient access to intellectual property. In such cases it’s easy to lose sight of information security best practices. The DBIR describes these as a “flexible and attractive vehicle for companies and individuals to remotely access documents,” but that also makes cloud-based collaboration apps a flexible and attractive target for hackers or simple human error.

The fact is, trusting sensitive data—an organization’s crown jewels, so to speak—to a public cloud application may not be an option for companies in risk-averse industries such as healthcare or financial services. Retaining the control and governance required by regulations such as HIPAA, PCI-DSS and other data security laws may put the draw of the cloud in conflict with the need to keep data within the purview of IT security. Where security is of significance to the organization, it is recommended that on-premises solutions be deployed that can provide the functionality users want but also have the security and governance that the organization requires.”

Scott Shreve, Product Manager, iSIGHT Partners:

"The DBIR specifically calls out the value of threat intelligence with good guidance on the importance of context vs. a dump of raw indicators. Certainly, anything that leads to the discovery of an incident is worthwhile, but in most cases, context is key… context enables a wider audience to make additional determinations that enable a broader defensive capability. This guidance shows me that more and more, the broader industry is actually starting to get it. They understand it’s not how often your intelligence is refreshed that makes it valuable. They “get” that more isn’t necessarily better. Most importantly they get what we have been saying for years. Context is key.”

Ivan Shefrin, VP of Security Solutions at TaaSera:

“The latest DBIR data describes (on page 6) the widening ‘detection deficit’ between attackers and defenders over the past decade. It’s a stark reminder of just how inadequate layered perimeter and endpoint defense strategies have become. In response, we see a growing move toward breach detection systems (BDS) to detect and preempt ongoing attacks that get past existing prevention systems. I think this signifies the industry is finally rising to the breach response challenge.

In light of the White House’s and others’ calls for information sharing, the DBIR threat intelligence findings are notable. Because intelligence feeds are so varied, the report concludes defenders would have to ingest and act on ‘all of the feeds from all of the providers’ to get the best possible coverage (see page 9). A more practical approach is for security organizations to detect patterns and behaviors indicative of ongoing breach activity, and use that data to analyze threat intelligence through automated contextual analytics. If you can’t analyze internal breach behavior data, it’s hard to make threat intelligence actionable.”

Jody Brazil, CEO of FireMon:

“With the continued advancement of preventative technologies and efforts to catch emerging attacks at the network perimeter, it’s interesting to see that Verizon still continues to highlight a general “detection deficit disorder”. Coupled with the finding that most attacks occur in a very short period of time after the initial compromise, this speaks to the fact that it remains extremely difficult to identify and prevent threats in anywhere close to real-time. As a result, the clear takeaway is that organizations must continue to focus their efforts on strengthening and improving existing defenses. Taking a more comprehensive, proactive approach to risk mitigation remains the most viable alternative, coupled with advanced threat detection methodologies.

Related to the use of threat intelligence, there’s clear evidence, and guidance from Verizon’s experts, that applying meaningful context to the use of this data is the only way to make it more useful and actionable. Given the speed at which threats appear to evolve, being carried out very quickly after any first instance of detection, and typically before useful information sharing can take place, the ability to understand how this intelligence can be leveraged to mitigate related risks is obviously a huge enabler from the standpoint of response. For instance, if certain patterns emerge where specific attacks are leveraging known techniques to take advantage of certain ports or applications on the network, having a clear picture of existing network traffic flows in order to mitigate related exposure would be a tremendous advantage.”

Rob Sadowski, Director of Tech Solutions for RSA:

“This year’s report continues to illustrate that the most important capability that most organizations need to develop or improve is threat detection. The data again shows the wide gap between attackers and defenders in this area: in 60% of cases, attackers are able to compromise an organization within minutes, and more than 80% of the time attackers can accomplish their goals within days, while defenders struggle to discover breaches, doing so in days less than 25% of the time. Clearly, time is of the essence, and the speed with which organizations can detect and respond to attacks is the biggest determinant of their security posture and resilience today. This critical capability will only increase in importance as attacks and attack campaigns continue to become more sophisticated.

The report also provides convincing evidence that attention to basic security “blocking and tackling” can still go a long way in helping to prevent breaches. The fact that 99.9% of exploited vulnerabilities were compromised more than a year after a CVE was published shows that a prioritized, diligent approach to vulnerability management can have a major impact on an organization’s resiliency to attack. Unfortunately, this is an area where most still lag; recent RSA research into breach readiness showed that more than 40% of organizations don’t even have a basic vulnerability management program in place.”

Marie White, CEO and President of Security Mentor:

“The latest Verizon Data Breach Investigations Report, along with other recent reports from Symantec and other companies, reconfirms the fact that the end user is both the greatest asset, and the greatest risk, when it comes to preventing successful cyberattacks. Similar reports have been coming out for more than a decade.

Effective, engaging, end user training is essential, and not just for stopping employees from clicking on malicious links or giving away sensitive access or information. Well-trained employees who know what to do and how to do it will help identify issues on the front lines and be the best cyber defense overall.

In addition, security incidents not only happen because of phishing. We can get lulled into believing that preventing phishing is everything, but there are significant risks associated with the Cloud, BYOD, and lost devices, as well as other new technologies that are always on the horizon. Social media access at work is also making the problem more complicated and the problem is growing.”

Gautam Aggarwal, Chief Marketing Officer at Bay Dynamics, on the human element, privilege abuse, and insider threats:

“People are the most valued asset of an organization and, unfortunately, also one of the primary causes for increased business risk due to their unusual behavioral nuances or by becoming an easy target for attackers. Key user related incidents include attacker masquerading as malicious insider, a trusted employee showing unusual user behavior as compared to self or peers, and unintentional user errors or policy violations seen from a trusted user. To add to organizational woes, a threat actor gaining privilege account access or a trusted user showing risky user behavior based on distributed access patterns across multiple critical assets within the organization is a major concern for organizations that requires continuous monitoring and vigilance.

Organizations should focus on early detection and predictive protection by proactively identifying unusual user account activity indicating potential human level prospecting; continuous monitoring for high risk users who do not have an established norm and their patterns of access show diverse and risky behavior. They also need to be prepared for the unintended insider threat. This can often be remediated through additional auditing via a just-in-time training process. Ultimately, companies should seek comprehensive visibility across users, systems, applications, and data.”

John Linkous, Security Strategist at Promisec:

“The single most telling – and damning – statistic from this year’s Verizon Data Breach Investigations Report (DBIR) is found on page six. The chart on that page identifies the gap in time between the time to compromise data, and the time to discover that compromise. Once again, this gap continues to be significant, and it continues to increase. What that critical metric tells us is that we’re not keeping up with the bad guys.

Of course, that’s not for lack of trying: security product vendors have sold billions of dollars of software and gear to enterprises under the auspices of threat detection, blocking and response. Even smaller organizations, who have long suffered under the fact that they deal with the same threats as the Fortune 500 yet have far smaller security budgets, can now utilize cloud-based security services and managed security service providers (MSSPs) that allow them to acquire advanced security capabilities at a fraction of the cost of on-premise software and hardware. Yet, enterprises of all sizes continue to fail at detecting data breaches within their environment. What that metric from the 2015 DBIR tells us is that we don’t have a security information problem… we have an actionable intelligence problem.”

Vijay Basani, CEO of EiQ Networks:

“Top verticals to experience a security incident and confirmed breach pretty much remained the same. But the % increases in reported security incidents changed pretty dramatically in certain verticals. The financial sector seems to have gotten better at detecting and mitigating the security incidents and their impact. As a result we saw a meaningful % reduction in number of reported security incidents (25%) and confirmed breaches (40%) over 2014 data.

This can be attributed to the fact that financial services (especially larger organizations) allocate meaningful budget and resources to address cyber security challenges. As a result they are better equipped to detect, prevent and respond to potential attacks. They also have more resources to protect their IT assets, and are on the bleeding edge with regards to improving their human networks via security awareness training program. Financial services organizations implement comprehensive security programs and enforce better security controls.”

Carl Wright, general manager of TrapX:

"Verizon’s 2015 DBIR should be a wakeup call for enterprises. While half of organizations experience 35 or fewer days of caught malware events during an entire calendar year, organizations continue to suffer high-profile attacks that compromise tens of millions of customer records while damaging brand and reputation. In short – attackers are still getting through traditional perimeter and endpoint defenses and they are doing so at an increasing rate.

Over the last 12 months, global enterprise organizations like Target, Sony, JP Morgan Chase and Anthem all experienced record-breaking cyber attacks. Most recently, we discovered that the attack against Sony could be easily replicated by hackers, proving you don't have to be a powerful nation state or well-funded crime organization to inflict significant damage on a U.S. corporation. And while the report throws out some jaw dropping statistics about the volume of malware, let's not forget that attackers only need to successfully infiltrate one machine in order to get the keys to the kingdom. It’s that easy.”

Muddu Sudhakar, CEO of Caspida:

"This year’s Verizon Data Breach Investigations Report highlighted two alarming trends on the security landscape -- cyberespionage and the growing insider threat – that can cause significant long-term damage to an organization from both the outside and from within.

In short, organizations should assume that attackers – whether malicious insiders or external threats -- are already within their network and intend to steal critical data. Organizations need to assume that they will be breached and compromised. To combat these threats, they need to create a proactive security strategy, which includes deploying a next generation of cyber defenses, with the goal of rapidly identifying imminent attacks and aggressively taking preventative action."

Steve Hultquist, chief evangelist at RedSeal:

“There are no surprises from this year's Verizon data breach report, but it provides further encouragement to improve the efforts that every organization knows it should be taking. The biggest challenge continues to be the complexity of enterprise networked environments, and, when coupled with the continued organic growth and change to it, it is literally impossible to maintain a consistent, complete, and current picture of the risks without automated analysis of every possible access path and all of the potential targets for that access.

The report makes clear that it's not new and emerging threats that are the greatest concern, but the limited implementations of known issues that allow the access that causes the breaches.”
