It’s that time of year again. The fine folks at Verizon, in conjunction with a number of law enforcement agencies, have this year produced their excellent Data Breach Investigations Report (DBIR), an annual statistical analysis of global data breaches. Before I ruminate on the results of this year’s report, I think we all owe Verizon a debt of gratitude for publishing it every year. Not because it’s some sort of Rosetta Stone for deciphering all possible attack vectors (it’s not), or because it necessarily portrays an accurate or complete picture of the global state of information security (it doesn’t). What it does do is give all of us some factual reference points we can cite as evidence that, when it comes to information security, many (if not most) organizations are doing it wrong; and for that, the Verizon team should be commended.
Now, on to the pithy analysis. If you’ve read the report, you're probably thinking that things are improving. After all, the majority (58%) of the data stolen in documented breaches was taken by politically motivated hacktivists who suddenly appeared en masse on the horizon last year. A trifling 4% of breaches involved so-called insiders, which leaves only around a third of successful data breaches to traditional cybercriminal “bad guys”. The cost of dealing with the fallout from breaches is also falling, according to the report. So we can all breathe a collective sigh of relief, pat ourselves on the back, and congratulate each other for a job well done, right?
Yeah … not quite. What about the 97% of breaches that were avoidable with “simple or intermediate” security controls? What about the 69% of breaches that involved malware? Or the fact that 92% were discovered not by the breached organization but by a third party? What about the 85% that took weeks or more to discover? The 94% of compromised data that came from servers? What about the (statistically certain) thousands of successful breaches that have yet to be discovered?
Let's look closely at the first of those statistics: 97% of the breaches that took place in 2011 were avoidable with just “simple” or “intermediate” controls. We’re not talking rocket science here; this is the domain of reasonable password policies, patch management and access controls. Does that not worry you? It worries me. When 97 percent of breaches could have been stopped by straightforward security controls that everyone “knows” are the right way to do security, that’s a big problem. If organizations can't protect themselves from the simple stuff, what hope do they have of protecting their environments from something, anything, more sophisticated?
The truth is, none.
As for the 92% of data breaches that were discovered by a third party, this tells us one glaring fact: however fervently security product vendors promote the specter of APTs and insider threats, whether these security boogeymen are real or not doesn't really matter. If they are, it’s clear that the majority of organizations will have no effective defense against them anyway. The point is that the current tools, and possibly even the methods, that organizations use to “do” security are not giving them a picture that is sufficiently broad, granular or real-time to detect these things, and that must change. On the plus side, there appears to be some hesitant acknowledgement from some vendors (SIEM vendors come to mind) that their products don't offer what security analysts need, and some of these forward-leaning vendors are trying to do something about it. But the Verizon DBIR shows that, clearly, we’re not there yet.
My other concern is that the Verizon DBIR could easily be misused by well-intentioned people who are trying to answer that age-old question, “How does my security program compare with others in my industry?” This is, of course, a completely irrelevant question, akin to comparing apples and kangaroos. Just as they don’t share revenue, competitors don’t share risk, and so one organization’s investment in security tells you nothing when compared to another's. While the Verizon DBIR provides a lot of industry-specific analysis, the devil in that data, just as in the false assumption that organizations are getting better at security, is in the details.
I'll talk more about this in my next post, and look at the metrics that organizations should be using to ensure that their information security systems and processes deliver the best protection they can for both infrastructure and data within their environment.