Highlights From Verizon Data Breach Report 2015

Tuesday, May 19, 2015

Anton Chuvakin

Ebb72d4bfba370aecb29bc7519c9dac2

With RSA 2015 and some writing deadlines (while analysts generally enjoy stress-free living, we do have deadlines too!), I almost forgot to study the Verizon’s jam-packed-with-juicy-awesomeness DBIR 2015.

Here are my traditional highlights and favorites from Verizon 2015 Data Breach Investigations Report [PDF].

  • Reported insider abuse features in 20.6% [see Fig 24] of all reported security incidents and 10.6% [see Fig 25] of confirmed data breach insiders (so not surprising: insider threat still doesn’t matter much to most – and based on this data, it really should not [of course, there are situations where it matters A LOT. Hi Snowden!])
  • RAM scrapping has grown a lot [hi PCI DSS!] “RAM scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail data breaches of the year” [in plan English: encrypt all traffic including on the LAN? Encrypt all stored card data? Well, duh, you are still screwed! :-(]
  • “Even worse, the two lines [time to compromise and time to discover the compromise] are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.” <- self-explanatory reminder of the 1980s security mantra “prevention / detection / response”
  • Fun threat intel (TI) fact: many threat intel feeds do and do not overlap (!). Huh? Research by Niddel [now included in DBIR – hi Alex!] revealed that so-called inbound TI feeds (scanning, spam, etc) overlap a lot, while outbound feeds (exfil, malware C&C) do not (see page 8 for details). Thus “if threat intelligence indicators were really able to help an enterprise defense strategy, one would need to have access to all of the [TI] feeds from all of the providers to be able to get the “best” possible coverage.” (so, get a TIP?)
  • I liked their new data-driven pre/post-breach coverage, new this year. For example, this data-driven tip on patching: “We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published” and “Figure 13 demonstrates the need for all those stinking patches on all your stinking systems.”
  • My SHOCK OF THE YEAR: “Consistent with some other recent vendor reports, we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.” <- I knew custom / unique malware is not uncommon, but I didn’t know that the numbers are that high [bye AV!]
  • Another fun bit: a stolen record costs roughly …. not $188, not $201, but $0.58, if averaged over all breaches, including hyper-mega-breaches! Well, a better model (see the report for details) seem to peg the cost in $52-$87 range per record, depending of course on breach size due to fixed cost not associated with the record count.
  • Mobile malware really doesn’t matter: “An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network— were infected with “higher-grade” malicious code.” [again, as with insiders, there are cases where it matters A LOT – hi Inception!]
  • Credential abuse still reign supreme [hi 1980s!]: “Pulling back from a single industry view, we find that most of the attacks make use of stolen credentials, which is a story we’ve been telling since 1 A.D.48 Over 95% of these incidents involve harvesting creds from customer devices, then logging into web applications with them.”

In any case, go read the report!

This was cross-posted from the Gartner blog.

10218
General
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.