Well, we are deep into the security report season. What started as a drizzle with the RSA conference has turned into a torrent. Of course, the Verizon Data Breach report has become the big dog of security reports, but it is far from alone. Many of these reports contain some great data and metrics. But overall, reading through them I get the impression that I don't need the weatherman to tell me it's raining. I can just look outside and see that for myself.
Wouldn't it be great if we could take these trends and see what the next big attack vector is going to be? Yes it would, but unfortunately most of us won't know the next big attack vector until we see write-ups in next year's reports.
Unfortunately, as my friend Michael Farnum tweeted, "Calling all InfoSec speakers with no imagination! Your 2014 material is ready! Go get your Verizon #DBIR today!" As Michael later explained, it doesn't mean the Verizon DBIR is not full of great information, it just means that it doesn't take the place of doing real security and staying vigilant.
With the Verizon report being in its 10th year, there is some great historical perspective on breaches over the last decade. I am not saying that you can't take this data to project over the next year. I am saying, though, that the way security works, next year we will probably read about some new attack vector or method that the bad guys use to breach.
But let's not pick on the Verizon Report, there are some other reports that are pretty good too. One is the Alert Logic Cloud Security Report, another good report full of some great metrics and research on the different types of attacks against cloud-based infrastructure versus on-premise infrastructure. This is the third or fourth year for the Alert Logic report. Each year it gets better and better and gives us a good idea of how threats, and in turn security in the cloud differs from on-premise security.
Other reports are PWC Global State of Information Security, The TrustWave Security Pressure Report, The 2014 Cisco Annual Security Report, The Sophos Security Report, the Firemon/Ponemon Institute report I wrote about last week, and the Symantec Report.
Each and every one of these reports is great in its own right. They can arm you with all of the facts and figures you need to make your case on why your security team needs more budget. As Michael Farnum said, it is an InfoSec speaker's dream with enough facts, charts, and graphs to keep us going all year long.
But after having gone through all of these reports I felt like I was watching the TV weather report telling me it's raining while I could just look out a window. All of these reports are remarkably consistent. They all say that we are under attack. They say that we have seen more attacks than ever across the board. Whether in the cloud, on premises on endpoints or on servers, we are seeing more incidents, more attacks, and even more sophisticated attacks.
On the other hand, security budgets are still underfunded, executives don't have a clear picture of the real state of the organization's security, and the security teams don't get the chance to really convey the true lack of preparedness to the powers that be.
After having read many of these reports for enough years now, I feel like I know myself that I should take out the umbrella; I don't need someone to tell me it is raining.
I guess my issue is, what can we do to change the forecast? Is it just more of the same? I would like to see something that says on the horizon are these changes, new ideas, new methods which promise to change the equation. We have mastered the security breach data report. What do we do for our next act?
That next act is how do we take that information and fundamentally "change the weather forecast." What lessons learned can we apply to avoid a security Groundhog Day in next year's report?
I don't know what the answer to that is. If I did, I would tell you. But until we do, more of the same grim statistics on breaches and security metrics are falling on deaf ears.