The soon-to-be-released data breach report from Verizon will provide a more extensive picture of cyber-crime worldwide than previous reports, its principal author said in a press briefing at the RSA Conference Tuesday evening.
The Verizon 2013 Data Breach Investigations Report draws on breach data from more partners than in previous years, Wade Baker, managing principal of the Verizon RISK team and principal author of the DBIR, said at the briefing. Verizon also expanded the types of security events analyzed for the report, which is expected to be released sometime this spring.
Baker did not indicate when the report will be officially released, but said researchers were still hard at work studying the data.
The report contains data from 18 different organizations, compared to last year’s five, Baker said. Verizon uses the information gathered by its own Verizon Research Investigations Solutions Knowledge (RISK) team for the report. Companies that suffer a breach call Verizon RISK for incident response and mitigation. The US Secret Service, Australian Federal Police, Dutch High Tech Crime Unit, and Irish Reporting and Information Security Service (IRISS-CERT) contributed data to the report last year and did so again this year.
“The additional contributing security organizations will enable us to paint an even clearer picture of the threat landscape facing businesses today,” Baker said.
In addition to data from Verizon RISK, the report for the first time this year includes data from the CERT Coordination Center at Carnegie Mellon University, Consortium for Cybersecurity Action, Danish Ministry of Defence’s Center for Cybersecurity, Danish National Police’s National IT Investigation Section, Deloitte, Electricity Sector Information Sharing and Analysis Sector (ES-ISAC), European Cyber Crime Center (EC3), G-C Partners, Spain’s Guardia Civil, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Malaysia Computer Emergency Response Team (MyCERT)’s CyberSecurity Malaysia, National Cybersecurity and Integration Center (NCCIC), ThreatSim, and the US Computer Emergency Readiness Team (US-CERT).
The partners cover a broad spectrum of sources, from law enforcement to ISAC/CERT-type organizations to private sector firms, Baker said at the briefing. This level of variety means researchers are able to gain visibility into areas they did not have a lot to say about in the past, such as industrial control systems, Baker said.
This year’s report will include security events such as distributed denial of service attacks, network intrusion, insider misuse, and attacks against the energy and critical infrastructure sectors, Verizon said. Verizon now has a dedicated ICS team, but partnering with ICS organizations has expanded the amount of data available for the report, Baker said.
Verizon RISK has been analyzing data since 2004 and has published six reports to date. Over the past nine years, the team has analyzed 2,500 data breach disclosures and 1.2 billion compromised records, according to Verizon.
All DBIR contributors use the Verizon VERIS framework to input breach-related data so that researchers can objectively classify and analyze the security incidents. The framework uses a common language and structured process to make the analysis possible.
“The common language is critical, as there is currently no universal language that describes security incidents or an industry standard for the development of risk metrics,” Baker said.
Information sharing is a challenge, Baker said, noting that if it was easy, “it wouldn’t be as talked about.” In a panel discussion at the press event, Brian Honan, CEO of IRISS-CERT, said information sharing wouldn’t be possible if breached organizations didn’t trust CERT-level organizations to safeguard the details of the incident.
Dawn Cappelli, director of the Software Engineering Institute’s Insider Threat Center at the CERT Coordination Center, noted that confidentiality was even more critical when asking organizations to talk about insider attacks. These incidents are not perpetrated by someone halfway around the world, but by someone whom the company trusted, Cappelli said. It is “very personal,” and the level of detail provided about how the breach was performed would not be possible if there was no expectation of confidentiality and trust, she said.
“Today’s cyber-landscape remains a tough one to navigate, and unfortunately, we believe it will continue to remain challenging in 2013,” Baker said.